[yum] Add RPM signature check #225

Merged
merged 1 commit into from Oct 15, 2015

@elafarge
Contributor

commented Sep 1, 2015

FIXME: Use HTTPs URL for both the key and the YUM repository as soon as
we're ready with that.

Etienne LAFARGE
[yum] Add RPM signature check
DO NOT MERGE BEFORE THE 5.5 RELEASE AND BEFORE WE ENABLE HTTPS ON OUR
YUM REPOSITORIES.

Use HTTPs URL for both the key and the YUM repository as soon as
we're ready with that.

@elafarge elafarge force-pushed the etienne/enable-rpm-gpg-check branch from 04dc08f to 14d5cf7 Sep 1, 2015

@yannmh

Member

commented Sep 2, 2015

Successfully tested with Kitchen on staging YUM repo. 👍

miketheman added a commit that referenced this pull request Oct 15, 2015

@miketheman miketheman merged commit 0687ddf into master Oct 15, 2015

3 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed
coverage/coveralls Coverage remained the same at 100.0%
@miketheman

Collaborator

commented Oct 15, 2015

Our packages are now signed! Thanks @elafarge !

@miketheman miketheman deleted the etienne/enable-rpm-gpg-check branch Oct 15, 2015

@miketheman miketheman added the feature label Oct 15, 2015

@miketheman miketheman added this to the Next minor milestone Oct 15, 2015

miketheman added a commit that referenced this pull request Oct 15, 2015

Conditionally use HTTPS based on platform_version
Following #225.

CentOS 5 and earlier use an older version of yum, which embeds an older
version of M2Crypto, that when used against a modern cipher set (i.e. no
sslv3), fails when trying to retrieve the signing key with:

    ...
      File "/usr/lib64/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 167, in connect_ssl
        return m2.ssl_connect(self.ssl, self._timeout)
    M2Crypto.SSL.SSLError: sslv3 alert handshake failure

There doesn't seem to be any patches to update this behavior, so instead
switch on SSL for any system older than 6.x, continue to use http to
retrieve the key.
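
Added example (not part of this pull request or the project's code): a small audit of yum `.repo` content that reports enabled repositories where the signature check is off, or where the signing key or the repository is still fetched over plain HTTP, which is the case the commit above keeps for older systems. The repo ids and `yum.example.com` URLs are constructed placeholders.

```python
import configparser

# Constructed sample; repo ids and yum.example.com URLs are placeholders.
SAMPLE_REPO = """\
[signed-https]
baseurl=https://yum.example.com/rpm/x86_64/
gpgcheck=1
gpgkey=https://yum.example.com/RPM-GPG-KEY-example

[signed-http-key]
baseurl=http://yum.example.com/rpm/x86_64/
gpgcheck=1
gpgkey=http://yum.example.com/RPM-GPG-KEY-example

[unsigned]
baseurl=https://yum.example.com/rpm/x86_64/
gpgcheck=0

[disabled]
baseurl=http://yum.example.com/rpm/x86_64/
enabled=0
gpgcheck=0
"""


def audit_repo_text(text):
    """Return {repo_id: [finding, ...]} for every enabled repo in .repo text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    report = {}
    for repo_id in parser.sections():
        repo = parser[repo_id]
        if repo_id == "main" or repo.get("enabled", "1").strip() == "0":
            continue
        findings = []
        # Assumption: an unset gpgcheck is reported too, since the effective
        # value then comes from [main] in yum.conf, which this does not read.
        if repo.get("gpgcheck", "").strip() != "1":
            findings.append("gpgcheck-off")
        # gpgkey and baseurl may each list several whitespace-separated URLs.
        for option in ("gpgkey", "baseurl"):
            for url in repo.get(option, "").split():
                if url.lower().startswith("http://"):
                    findings.append(f"{option}-over-http: {url}")
        report[repo_id] = findings
    return report


if __name__ == "__main__":
    for repo_id, findings in audit_repo_text(SAMPLE_REPO).items():
        print(repo_id, findings or "ok")
```

A key fetched over plain HTTP is worth tracking because it is the trust anchor for every later signature check on that repository.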