
Enable GPG signatures for the RPM repo #5426

Open
dskrvk opened this issue Feb 8, 2020 · 9 comments
Labels
area/linux Linux distro related issues

Comments

@dskrvk

dskrvk commented Feb 8, 2020

The RPM repo file has gpgcheck=0 since the releases there are currently not signed. This is a pretty serious security issue for anyone using SBT as part of their release process on an RHEL/CentOS machine. The corresponding Debian releases already include signatures. What would it take to enable them for RPM as well?

This is a follow-up to #2049. See also the post on secure RPM distribution originally linked in that issue.

@eed3si9n
Member

eed3si9n commented Feb 9, 2020

The repo file is generated by Bintray.

$ curl https://bintray.com/sbt/rpm/rpm
#bintray--sbt-rpm - packages by  from Bintray
[bintray--sbt-rpm]
name=bintray--sbt-rpm
baseurl=https://sbt.bintray.com/rpm
gpgcheck=0
repo_gpgcheck=0
enabled=1

*.asc files are there - https://sbt.bintray.com/rpm/sbt-1.3.8.rpm.asc, so I am not sure what I can do.
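As an added example (not code from the sbt project or from anyone in this thread), a small lint that flags the weak settings in the repo file above, with a hardened counterpart beside it; the gpgkey URL in the hardened file is a placeholder, since no signing key is published for this repo:

```shell
#!/bin/sh
# Added example, not from the sbt project or anyone in this thread: a lint for
# yum/dnf .repo files that flags the weak settings in the generated file quoted
# above. A section passes only with gpgcheck=1, repo_gpgcheck=1 and a gpgkey,
# so that both packages and repository metadata get signature-checked.
check_repo_file() {                       # usage: check_repo_file FILE (or "-" / stdin)
    awk '
        function flush() {
            if (sec == "") return
            if (gpg != "1")  { print sec ": gpgcheck=" (gpg == "" ? "<unset>" : gpg) " -> packages not signature-checked"; bad = 1 }
            if (repo != "1") { print sec ": repo_gpgcheck=" (repo == "" ? "<unset>" : repo) " -> repodata not signature-checked"; bad = 1 }
            if (key == "")   { print sec ": gpgkey missing -> nothing to verify against"; bad = 1 }
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }            # comments and blank lines
        /^[[:space:]]*\[/ { flush(); sec = $0; gpg = repo = key = ""; next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[[:space:]]/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == "gpgcheck") gpg = v
            else if (k == "repo_gpgcheck") repo = v
            else if (k == "gpgkey") key = v
        }
        END { flush(); exit bad }
    ' "${1:--}"
}

# Constructed sample 1: the Bintray-generated file quoted in this thread.
WEAK_REPO='[bintray--sbt-rpm]
name=bintray--sbt-rpm
baseurl=https://sbt.bintray.com/rpm
gpgcheck=0
repo_gpgcheck=0
enabled=1'

# Constructed sample 2: a hardened counterpart. The gpgkey URL is a placeholder;
# no signing key is published for the sbt RPM repo, which is what this issue is about.
HARDENED_REPO='[sbt-rpm]
name=sbt-rpm
baseurl=https://repo.scala-sbt.org/scalasbt/rpm
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://example.invalid/PLACEHOLDER-sbt-rpm-signing-key.asc
enabled=1'

printf '%s\n' "$WEAK_REPO"     | check_repo_file || echo "weak repo: FAIL"
printf '%s\n' "$HARDENED_REPO" | check_repo_file && echo "hardened repo: OK"
```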

@eed3si9n eed3si9n added the area/linux Linux distro related issues label Feb 9, 2020
@eed3si9n
Member

eed3si9n commented Feb 9, 2020

ok, so the article says there's a tool to add a signature to the rpm file:

The rpmsign command to create the signature looks like this:

$ rpmsign -D '_gpg_name rpmsign@example.com' --addsign hello-2.10.1-1.el6.x86_64.rpm
Enter pass phrase:
Pass phrase is good.
hello-2.10.1-1.el6.x86_64.rpm:

This looks useful if we can automate it.

We'd still have the generated repo file problem.

@dskrvk
Author

dskrvk commented Feb 9, 2020

What process generates this file?

@eed3si9n
Member

The repo file is provided by Bintray.

@tomasherman

👍 this is an issue for us as well

@dskrvk
Author

dskrvk commented Feb 26, 2020 via email

@eed3si9n
Member

I just pinged Bintray. Let's see what they would say.

@SethTisue
Member

with Bintray dead, is this still applicable?

@esamson
Contributor

esamson commented Mar 7, 2023

Yes, I think it is still preferable to have a GPG-signed RPM. On Fedora, the sbt repo does not play well with the default tooling (Discover on KDE) for getting updates, because it expects GPG signatures. That, plus the security issues pointed out earlier.

Checking the current repo:

$ curl -OL https://repo.scala-sbt.org/scalasbt/rpm/sbt-1.8.2.rpm
$ rpm -K sbt-1.8.2.rpm
sbt-1.8.2.rpm: digests OK

Package still has no signatures.
