Sign packages on Bintray

[llarsson]

As noted in #1595, one is currently warned about unsigned packages when one installs via the Debian (and Ubuntu) repo. I have not tried any of the others. I would very much like the packages to be signed, should we deploy this in production.

W: The repository 'https://dl.bintray.com/mashape/kong-ubuntu-xenial-0.9.x xenial Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

[anderssynstad]

The behaviour of APT has changed in Ubuntu 16.04 where unsigned repositories are disabled by default. So while it was a Warning previously, it's now and Error.

In order to install Kong, one has to configure APT::Get::AllowUnauthenticated, but that is something one would like to avoid as it applies to all repositores.

So please sign the repositories. Seems to be something Bintray supports with not too much fuss, but guess it requires a premium plan.

EDIT: For clarification, Error vs Warning is a difference between the apt and apt-get commands. Also, adding the option trusted=yes to the repo configuration makes both apt and apt-get happy and is a configuration setting that only applies to the specific repository.

[udangel-r7]

+1 as this causes a lot of issues in deployments. https://www.jfrog.com/confluence/display/RTF/GPG+Signing provides a documentation how to enable it for artifactory (should probably be the same for bintray)

[zaherg]

any ETA for this ?

[bkuebler]

please do this it's simple.

Login in bintray go to your repository -> edit -> scroll down and click (GPG sign uploaded files using Bintray's public/private key pair)

This would be better than unsigned repos because nobody should do unsigned repos and on installation you will get troubles with the repo managers like apt / aptitude etc..

[Slm0n87]

+1 from my side, a proper deployment of that dpkg package is currently not possible due to that issue

[tanelso2]

Please do this. We would love to use Kong but it won't get past our security review if you continue using an unsigned repository

[udangel-r7]

we started to rehost this just to get around the unsigned package

[gdraque]

+1

[p0pr0ck5]

@shashiranjan84 this was fixed, right?

[shashiranjan84]

@p0pr0ck5 I have added changes to sign the repo, artifacts still would be unsigned. Change would visible from v0.11.

[karousn]

+1
if the proposition of @bkuebler work without any issue ..
@shashiranjan84 we want to install the latest version to compare Kong with the other open source .

[ghost]

@llarsson do you have an news?

[0xMAYANK]

Any ETA for this?

[fr33l]

just small reminder about this..

[dannykopping]

Any progress on this?

[hutchic]

resolved now