Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: add gpg signing for RPM packages #3612

Merged
merged 10 commits into from
Mar 24, 2023
Merged

ci: add gpg signing for RPM packages #3612

merged 10 commits into from
Mar 24, 2023

Conversation

afdesk
Copy link
Contributor

@afdesk afdesk commented Feb 14, 2023
edited
Loading

Description

Added inline signatures for RPM packages.

we use custom configuration GoReleaser's nFPM, so we need to set $NFPM_ID_RPM_PASSPHRASE and $GPG_FILE.

Related issues

Closes #1384

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@afdesk afdesk mentioned this pull request Mar 21, 2023
Closed
@afdesk afdesk changed the title ci: add gpg signing for the packages ci: add gpg signing for the artifacts Mar 22, 2023
@afdesk afdesk marked this pull request as ready for review March 22, 2023 13:53
@afdesk afdesk requested a review from knqyf263 as a code owner March 22, 2023 13:53
knqyf263
knqyf263 reviewed Mar 22, 2023
View reviewed changes
Copy link
Collaborator

@knqyf263 knqyf263 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And I want to make sure we don't break the dpkg installation.
https://aquasecurity.github.io/trivy/v0.38/getting-started/installation/#debianubuntu-official

goreleaser.yml Outdated
Comment on lines 257 to 269
- id: "gpg signing"
artifacts: all
signature: "${artifact}.gpg.sig"
args:
- "--batch"
- "-u"
- "{{ .Env.GPG_FINGERPRINT }}"
- "--output"
- "${signature}"
- "--detach-sign"
- "${artifact}"
output: true
stdin: '{{ .Env.GPG_PASSPHRASE }}'
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need this signing? If I understand correctly, isn't it relevant to rpm?

@afdesk afdesk changed the title ci: add gpg signing for the artifacts ci: add gpg signing for RPM packages Mar 23, 2023
@afdesk afdesk requested a review from knqyf263 March 23, 2023 14:58
knqyf263
knqyf263 reviewed Mar 23, 2023
View reviewed changes
docs/getting-started/installation.md Outdated
enabled=1
gpgkey=https://aquasecurity.github.io/trivy-repo/deb/public.key
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we copy the key under trivy-repo/rpm as it is currently located under trivy-repo/deb.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, it makes sence.
I copied the public key and have created a PR aquasecurity/trivy-repo#24

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Merged. Thanks.

.github/workflows/test.yaml Show resolved Hide resolved
@afdesk afdesk requested a review from knqyf263 March 23, 2023 18:17
@afdesk afdesk mentioned this pull request Mar 23, 2023
Closed
@afdesk
Copy link
Contributor Author

afdesk commented Mar 23, 2023

I've created a PR aquasecurity/trivy-repo#25

but it should be merged after the first release with signed RPMs

@knqyf263 knqyf263 merged commit 67572df into aquasecurity:main Mar 24, 2023
atombrella pushed a commit to atombrella/trivy that referenced this pull request Mar 25, 2023
@afdesk @atombrella
ci: add gpg signing for RPM packages (aquasecurity#3612)
92bfd0a
AnaisUrlichs pushed a commit to AnaisUrlichs/trivy that referenced this pull request Mar 27, 2023
@afdesk @AnaisUrlichs
ci: add gpg signing for RPM packages (aquasecurity#3612)
8f6f9bc
@knqyf263 knqyf263 mentioned this pull request Mar 31, 2023
Merged
6 tasks
knqyf263 added a commit to knqyf263/trivy that referenced this pull request Apr 1, 2023
@knqyf263
Revert "ci: add gpg signing for RPM packages (aquasecurity#3612)"
0c4cd95 
This reverts commit 67572df.
knqyf263 added a commit that referenced this pull request Apr 1, 2023
@knqyf263
chore: Revert "ci: add gpg signing for RPM packages (#3612)" (#3946)
a2f39a3 
This reverts commit 67572df.
@knqyf263 knqyf263 mentioned this pull request Apr 3, 2023
Closed
@knqyf263 knqyf263 mentioned this pull request Apr 14, 2023
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 knqyf263 approved these changes

@AnaisUrlichs AnaisUrlichs Awaiting requested review from AnaisUrlichs

@itaysk itaysk Awaiting requested review from itaysk

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Sign RPM packages
2 participants
@afdesk @knqyf263