cassandra-commits mailing list archives

From "Stefan Podkowinski (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-13440) Sign RPM artifacts
Date Tue, 18 Apr 2017 11:59:41 GMT

[ https://issues.apache.org/jira/browse/CASSANDRA-13440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15972550#comment-15972550 ]

Stefan Podkowinski commented on CASSANDRA-13440:
------------------------------------------------


Signatures can be used for both repository transport integrity protection and end-to-end content
verification. 

Providing a signature for {{repomd.xml}} allows clients to verify the repository's meta-data.
But you'll have to enable this by adding {{repo_gpgcheck=1}} to the yum config. 

Individual package files can also contain a signature in the RPM header. This can be done
either during the build process ({{rpmbuild --sign}}) or afterwards on the final artifact.
As the RPM should be built using docker and just create the RPMs at the end without intervention,
we probably have to go with the latter option here. I'd suggest using the rpmsign wrapper
({{yum install rpm-sign}}) on the package, e.g.:
{{rpmsign -D '%_gpg_name MyAlias' --addsign cassandra-3.0.13-1.noarch.rpm}}

Verifying package signatures requires importing the public keys first:
{{rpm --import https://www.apache.org/dist/cassandra/KEYS}}

Afterwards the following command should report "OK" for included hashes and gpg signatures:
{{rpm -K cassandra-3.0.13-1.noarch.rpm}}

Once the RPM is signed, we can enable {{gpgcheck=1}} again for the repo config. If enabled,
both the import key and verification steps should take place automatically during installation
from the yum repo.

> Sign RPM artifacts
> ------------------
>
>                 Key: CASSANDRA-13440
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13440
>             Project: Cassandra
>          Issue Type: Sub-task
>          Components: Packaging
>            Reporter: Stefan Podkowinski
>
> RPMs should be gpg signed just as the deb packages. Also add documentation on how to verify
to the download page.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
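The sign / import / verify steps from the comment above, as an added example that is not part of the JIRA thread or the Cassandra build scripts: it wraps the same rpmsign, rpm --import and rpm -K commands, but parses the rpm -K result strictly, because rpm prints "OK" for an unsigned package as well (digests only), and a signed package whose key was never imported reports "NOT OK (MISSING KEYS)". The parser accepts both the older "rsa sha1 (md5) pgp md5 OK" and the newer "digests signatures OK" output forms; the MyAlias key name is taken from the comment, and the baseurl in the repo snippet is a placeholder.

```shell
#!/bin/sh
# Added example (not from the JIRA thread): sign, verify and parse strictly.
# Assumptions: rpm/rpmsign installed; MyAlias and the baseurl are placeholders.

KEYS_URL="https://www.apache.org/dist/cassandra/KEYS"

# Sign a finished artifact after the docker build, as the comment suggests.
sign_rpm() {
    rpmsign -D '%_gpg_name MyAlias' --addsign "$1"
}

# Return 0 only if one line of `rpm -K` output shows verified digests AND a
# verified gpg/pgp signature. rpm prints "OK" for unsigned packages too
# (digests only); uppercase tokens and "NOT OK" mark failures.
check_sig_output() {
    line="$1"
    case "$line" in
        *"NOT OK"*|*"MISSING KEYS"*|*NOKEY*) return 1 ;;   # failed or unverifiable
    esac
    case "$line" in
        *[Pp][Gg][Pp]*|*[Gg][Pp][Gg]*|*signatures*) ;;     # a signature was checked
        *) return 1 ;;                                      # digests only: unsigned
    esac
    case "$line" in
        *" OK"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Import the project keys, then verify one package file end to end.
verify_rpm() {
    rpm --import "$KEYS_URL" || return 1
    out=$(rpm -K "$1") || return 1
    check_sig_output "$out"
}

# Repo config with both checks enabled: package signatures (gpgcheck) and
# the repomd.xml signature (repo_gpgcheck).
print_repo_config() {
    cat <<EOF
[cassandra]
name=Apache Cassandra
baseurl=https://REPO-BASEURL-PLACEHOLDER/
gpgcheck=1
repo_gpgcheck=1
gpgkey=$KEYS_URL
EOF
}

if [ $# -gt 0 ]; then
    verify_rpm "$1"
fi
```

Run as `sh verify.sh cassandra-3.0.13-1.noarch.rpm`; the exit status is 0 only when rpm reports both digests and a signature as OK.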
