Enable GPG signatures for the RPM repo #5426
Comments
The repo file is generated by Bintray.
ok, so the article says there's a tool to add signature into the
This looks useful if we can automate it. We'd still have the generated repo file problem.
What process generates this file?
The repo file is provided by Bintray.
👍 this is an issue for us as well
So there's no way to contact them or affect the way the repo file is structured?
On Tue, Feb 25, 2020 at 9:01 AM Tomas Herman wrote:
👍 this is an issue for us as well
I just pinged Bintray. Let's see what they would say.
with Bintray dead, is this still applicable?
Yes, I think it is still preferable to have GPG signed RPM. On Fedora, the sbt repo does not play well with the default tooling (Discovery on KDE) to get updates because it expects GPG signatures. That, plus the security issues pointed out earlier. Checking the current repo:
Package still has no signatures.
The RPM repo file has
gpgcheck=0
since the releases there are currently not signed. This is a pretty serious security issue for anyone using SBT as part of their release process on an RHEL/CentOS machine. The corresponding Debian releases already include signatures. What would it take to enable them for RPM as well?
This is a follow-up to #2049. See also the post on secure RPM distribution originally linked in that issue.
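The issue body above turns on a single setting, gpgcheck=0, in the generated .repo file. As an added example (not code from the sbt project or from anyone in this thread), the POSIX shell script below parses a yum/dnf-style .repo file and reports each enabled repository that disables signature checking, omits gpgcheck, or enables it without naming a gpgkey. The sample repo file is constructed inline: the baseurl and gpgkey values are placeholders, not the real sbt repository, and the [sbt-rpm-hardened] section shows what a fixed entry would look like (gpgcheck=1 verifies package signatures; repo_gpgcheck=1 additionally verifies the signed repository metadata).

```shell
# Added example, not from the sbt project: audit a yum/dnf .repo file for
# repositories that skip GPG verification, next to the hardened form.
# All repo contents below are constructed; URLs and key paths are placeholders.

# Constructed sample: the weak entry the issue describes (gpgcheck=0) and a
# hardened entry that requires signed packages, signed metadata and a key.
sample_repo_file() {
  cat <<'EOF'
[sbt-rpm-weak]
name=sbt-rpm (unsigned, as described in the issue)
baseurl=https://example.invalid/rpm/
enabled=1
gpgcheck=0

[sbt-rpm-hardened]
name=sbt-rpm (signed packages and signed metadata)
baseurl=https://example.invalid/rpm/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://example.invalid/rpm/RPM-GPG-KEY-placeholder
EOF
}

# Read a .repo file on stdin; print "<section> <finding>" for every enabled
# section. Findings: gpgcheck-disabled, gpgcheck-missing, gpgkey-missing, ok.
# Disabled sections (enabled=0) are skipped because they cannot install anything.
audit_repo_config() {
  awk '
    function report() {
      if (sec == "") return
      if (enabled == "0") return
      if (gpgcheck == "0") print sec " gpgcheck-disabled"
      else if (gpgcheck == "") print sec " gpgcheck-missing"
      else if (gpgkey == "") print sec " gpgkey-missing"
      else print sec " ok"
    }
    # A new [section] header: report the previous section, reset state.
    /^\[.*\]$/ {
      report()
      sec = substr($0, 2, length($0) - 2)
      enabled = "1"; gpgcheck = ""; gpgkey = ""
      next
    }
    # Skip comments and blank lines.
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    # key=value line: take the key before the first "=" and the rest as value,
    # so values that themselves contain "=" (query strings) stay intact.
    {
      split($0, kv, "=")
      key = kv[1]
      val = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "enabled") enabled = val
      else if (key == "gpgcheck") gpgcheck = val
      else if (key == "gpgkey") gpgkey = val
    }
    END { report() }
  '
}

# Run the audit over the constructed sample.
audit_sample() {
  sample_repo_file | audit_repo_config
}

# Stand-alone usage: prints the findings for the constructed sample.
audit_sample
```

To check a real system, pipe the installed repo definitions through the same function, for example cat /etc/yum.repos.d/*.repo | audit_repo_config. Any line reporting gpgcheck-disabled is a repository whose packages dnf/yum will install without verifying a signature, which is exactly the exposure the issue describes.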