
Sign packages, turn on GPG verification #303

Open
lakshmi-kannan opened this issue May 24, 2016 · 5 comments

Comments

@lakshmi-kannan
Contributor

According to packagecloud, they only sign the package metadata. GPG verification is turned off on packages explicitly. I think we need to start signing those packages via st2-packages before shipping them to packagecloud. We also need to add a step in the install script to download the st2 GPG keys and install them. Also, figure out how to turn on GPG verification with packagecloud.

[StackStorm_stable]
name=StackStorm_stable
baseurl=https://packagecloud.io/StackStorm/stable/el/7/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/StackStorm/stable/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt

[StackStorm_stable-source]
name=StackStorm_stable-source
baseurl=https://packagecloud.io/StackStorm/stable/el/7/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/StackStorm/stable/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt

@Kami
Member

Kami commented May 24, 2016

Yeah, signing the packages with our key would be great.

@arm4b
Member

arm4b commented May 24, 2016

    1. packagecloud does not appear to have the ability to enable gpgcheck (they say it's somehow tricky; same with Bintray, see "Bintray doesn't sign RPM packages" #48)
    2. packagecloud does not appear to have the ability to add our own gpg key (only for the enterprise version)

According to http://blog.packagecloud.io/eng/2015/07/20/yum-repository-internals/

yum repository metadata is structured as a series of XML files, that contain checksums of other files, and the packages to which they refer.

So the repo metadata is gpg signed, and file checksums are in that signed metadata. Looks not bad.

IF signing the metadata is NOT enough, then you need:

    1. Have the package generator sign the packages at build time before uploading
    2. Store the gpg private key in CircleCI
    3. Write our own script to install the packagecloud repo instead of using theirs. This could download our public key, install it, and enable gpg_signing (tricky)
    4. Do that only for rpm, since deb is signed
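
As an added illustration of steps 3 and 4 above (example code, not StackStorm's own installer): a POSIX shell snippet that writes a repo stanza with gpgcheck=1 next to repo_gpgcheck=1, so yum verifies the RPMs themselves and not just the metadata, and audits a .repo file for stanzas that still have package verification off. It assumes the gpgkey URL quoted in the issue; the target repo file path and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not StackStorm's install script: a generator for a yum repo
# stanza that verifies metadata AND packages, plus an audit that flags stanzas
# left at gpgcheck=0. Assumed: the publisher key is the packagecloud gpgkey
# URL quoted in the issue; the repo file path and function names are hypothetical.
STABLE_KEY_URL="https://packagecloud.io/StackStorm/stable/gpgkey"

# Print a stanza like the issue's, but with gpgcheck=1 so yum rejects any RPM
# whose signature does not come from an imported, trusted key.
hardened_repo_stanza() {
  printf '[%s]\nname=%s\nbaseurl=%s\nrepo_gpgcheck=1\ngpgcheck=1\nenabled=1\n' "$1" "$1" "$2"
  printf 'gpgkey=%s\nsslverify=1\nsslcacert=/etc/pki/tls/certs/ca-bundle.crt\n' "$3"
}

# Exit 0 when every stanza has gpgcheck=1 and repo_gpgcheck=1; otherwise print
# each weak stanza and exit 1. A missing key counts as 0 (yum's default).
audit_repo_file() {
  awk '
    function flush() {
      if (sec != "" && (g + 0 != 1 || r + 0 != 1)) {
        printf "%s: gpgcheck=%d repo_gpgcheck=%d\n", sec, g, r; bad = 1
      }
    }
    BEGIN { bad = 0 }
    /^\[/ { flush(); sec = substr($0, 2, length($0) - 2); g = 0; r = 0; next }
    /^gpgcheck=/      { g = substr($0, 10) }
    /^repo_gpgcheck=/ { r = substr($0, 15) }
    END { flush(); exit bad }
  ' "$1"
}

# Install step an installer would run as root (defined, not executed here):
# import the publisher key first, then write the hardened repo definition.
install_hardened_repo() {
  rpm --import "$STABLE_KEY_URL" || return 1
  hardened_repo_stanza StackStorm_stable \
    'https://packagecloud.io/StackStorm/stable/el/7/$basearch' \
    "$STABLE_KEY_URL" > /etc/yum.repos.d/StackStorm_stable.repo
}

# Demo on a constructed copy of the issue's stanza (metadata signed, packages not).
demo=$(mktemp)
printf '[StackStorm_stable]\nrepo_gpgcheck=1\ngpgcheck=0\nenabled=1\n' > "$demo"
audit_repo_file "$demo" || echo "package signature checking is off (as in the issue's config)"
rm -f "$demo"
```

The audit only reads the two gpgcheck keys, so it is a quick pre-flight check for an installer, not a replacement for `rpm -K` on the downloaded packages once the key is imported.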

@lakshmi-kannan
Contributor Author

@armab Yep, I was on their channel and someone else had the same questions. And yep, 1-4 is what I had in mind.

@arm4b arm4b added the feature label Sep 3, 2018
@arm4b
Member

arm4b commented Sep 3, 2018

Seems it's now possible to import our own GPG key for the repo, a PackageCloud feature announced in June 2017: https://blog.packagecloud.io/eng/2017/06/08/announcing-package-signing-gpg-key-support/

With this, we can potentially sign the packages during the build with our own key before uploading.

Note: this question was raised in #community Slack by Adobe

@lakshmi-kannan
Contributor Author

Awesome! We should do this ASAP. Bring this up as part of 18.04 support work we'll do.

@arm4b arm4b changed the title Packagecloud repos do not turn on gpg verification for packages. Sign packages, turn on GPG verification Mar 11, 2019