Support Signing #212
Comments
Before anyone starts implementing anything I want to say this: I know the |
So I took a quick look at our options and the situation looks rather different between the formats:

DEB: There seem to be two incompatible schemes for signature creation/verification:
I found a concise technical explanation of debsigs signature creation in the Arch wiki that says that we basically just need to concatenate However, according to this blog there seem to be 3 types of The

RPM: It looks like we almost have an upstream solution via an

APK: According to the Alpine wiki, signatures over

General Considerations: So, we have 2 types of key material, We could accept Also, how do we support password protected The best way is probably to pass it as an environment variable, but that's hard to debug. If a signature is configured in the config files, will the build fail if the environment variable is unset? What are your thoughts on these points? |
Yeah, I agree the configs should be package-specific. About the signature, I would say either read from an environment variable or from a file, and it's up to the user to secure their keys... specifically about apk, we can base the implementation on this PR: #126 |
Maybe I will start to implement some of this over the weekend to see how things go. This will probably still require some discussions. Maybe a WIP branch in this repo would be a good idea, or do you rather prefer a WIP-PR? EDIT: I already have the |
I implemented EDIT: never mind, I found out that |
WIP PR is fine by me... if you think it's best to have a temporary develop branch that's OK too, I think you have perms to create one :) |
@erikgeiser thanks a lot for this feature great work ;) |
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
add support to signing packages (on all packagers):