ci: add gpg signing for RPM packages #3612
Conversation
And I want to make sure we don't break the dpkg installation.
https://aquasecurity.github.io/trivy/v0.38/getting-started/installation/#debianubuntu-official
goreleaser.yml
Outdated
- id: "gpg signing"
  artifacts: all
  signature: "${artifact}.gpg.sig"
  args:
    - "--batch"
    - "-u"
    - "{{ .Env.GPG_FINGERPRINT }}"
    - "--output"
    - "${signature}"
    - "--detach-sign"
    - "${artifact}"
  output: true
  stdin: '{{ .Env.GPG_PASSPHRASE }}'
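Review bot: `artifacts: all` makes this `signs` entry produce a detached `.gpg.sig` for every release artifact, not only RPM packages, which is the scope question raised in the comment below; if the PR only needs the inline RPM signatures that nFPM produces, this entry is redundant, and if detached signatures for packages are wanted it should be narrowed (for example `artifacts: package`) and the PR description should say so. The passphrase handed over via `stdin` also only reaches gpg if it is told to read it from there: with GnuPG 2.x, `--batch` alone does not, so the `args` need `--pinentry-mode loopback` together with `--passphrase-fd 0`, otherwise the non-interactive signing step fails in CI.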
Do we need this signing? If I understand correctly, isn't it relevant to rpm?
docs/getting-started/installation.md
Outdated
enabled=1
gpgkey=https://aquasecurity.github.io/trivy-repo/deb/public.key
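Review bot: `gpgkey` in this yum/dnf `.repo` stanza points into the `deb/` tree of trivy-repo; it should reference the key at the RPM location once the key is published there, and that key must be the one the RPM signatures added by this PR are made with. Make sure the stanza also sets `gpgcheck=1`: `gpgkey` only tells dnf where to fetch the key, and without `gpgcheck=1` the package signature is never verified on install, which would make the signing added here a no-op for users of these instructions.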
Should we copy the key under trivy-repo/rpm as it is currently located under trivy-repo/deb.
Yes, it makes sense.
I copied the public key and have created a PR aquasecurity/trivy-repo#24
Merged. Thanks.
I've created a PR aquasecurity/trivy-repo#25 but it should be merged after the first release with signed RPMs.
This reverts commit 67572df.
Description
Added inline signatures for RPM packages. We use a custom configuration for GoReleaser's nFPM, so we need to set $NFPM_ID_RPM_PASSPHRASE and $GPG_FILE.
Related issues
Closes #1384
Checklist