Riak RPMs not GPG signed [JIRA: RIAK-1647]
danieldreier opened this issue · comments
The Riak RPM in the packagecloud yum repository is not GPG signed, so installing it requires that GPG validation be disabled. In the docs for using the yum repo a GPG key is linked to ("gpgkey=https://packagecloud.io/gpg.key") but gpgcheck is disabled ("gpgcheck=0") and so that key will never be used.
I think that packagecloud can sign these for you.
[root@puppetlabs-centos-6 riak2]# /usr/bin/yum -y install riak
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirror.oss.ou.edu
* extras: centos.host-engine.com
* updates: centos.sonn.com
Resolving Dependencies
--> Running transaction check
---> Package riak.x86_64 0:2.0.5-1.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================================================================================================================
Package Arch Version Repository Size
================================================================================================================================================================================
Installing:
riak x86_64 2.0.5-1.el6 basho_riak 57 M
Transaction Summary
================================================================================================================================================================================
Install 1 Package(s)
Total size: 57 M
Installed size: 80 M
Downloading Packages:
Package riak-2.0.5-1.el6.x86_64.rpm is not signed
[root@puppetlabs-centos-6 riak2]# rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-4bd6ec30-4c37bb40 --> gpg(Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>)
gpg-pubkey-c105b9de-4e0fd3a3 --> gpg(CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>)
gpg-pubkey-d59097ab-52d46e88 --> gpg(packagecloud ops (production key) <ops@packagecloud.io>)
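The point of the report above is that a repo stanza can reference a gpgkey and still never use it, because gpgcheck=0 switches package signature verification off entirely. The following shell script is an added example, not part of the original issue or of Basho's or packagecloud's tooling: it audits a .repo file for stanzas whose gpgcheck is disabled or absent and shows the same stanza with the check re-enabled. The repository file, the stanza names and the baseurl are constructed for the example; the gpgkey URL is the one quoted in the report.

```shell
#!/bin/sh
# Added example: audit yum .repo stanzas that reference a gpgkey but leave
# gpgcheck disabled. Not code from the issue, Basho or packagecloud.

# Constructed sample file: the weak stanza beside its corrected form.
# baseurl is a placeholder; gpgkey is the URL quoted in the issue.
SAMPLE_REPO='[basho_riak_weak]
name=basho_riak (constructed example)
baseurl=https://repo.example.invalid/riak/el/6/$basearch
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/gpg.key

[basho_riak_fixed]
name=basho_riak (constructed example)
baseurl=https://repo.example.invalid/riak/el/6/$basearch
gpgcheck=1
enabled=1
gpgkey=https://packagecloud.io/gpg.key
'

# Write the constructed sample to the path given as $1.
write_sample() {
    printf '%s' "$SAMPLE_REPO" > "$1"
}

# Print the name of every stanza in the .repo file $1 whose gpgcheck is not 1.
# A missing gpgcheck line is treated as disabled (conservative: yum falls back
# to the main config value, which this audit does not consult).
unverified_repos() {
    awk '
        function report() { if (sect != "" && chk != 1) print sect }
        /^\[.*\]$/ {
            report()
            sect = substr($0, 2, length($0) - 2)
            chk = 0
            next
        }
        /^gpgcheck[ \t]*=/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[2])
            chk = kv[2] + 0
        }
        END { report() }
    ' "$1"
}

# Rewrite gpgcheck=0 to gpgcheck=1 in place (portable: no sed -i).
enable_gpgcheck() {
    sed 's/^gpgcheck[[:space:]]*=[[:space:]]*0[[:space:]]*$/gpgcheck=1/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Stand-alone run: audit the sample, fix it, audit again.
tmp="${TMPDIR:-/tmp}/riak-repo-audit-$$.repo"
write_sample "$tmp"
echo "stanzas with signature checking off:"
unverified_repos "$tmp"
enable_gpgcheck "$tmp"
echo "after enabling gpgcheck:"
unverified_repos "$tmp"
rm -f "$tmp"
```

With gpgcheck=1 and the packagecloud key imported, yum refuses an unsigned package rather than installing it silently; the "Package ... is not signed" line in the report above is exactly that refusal, and `rpm -K <file>.rpm` gives the same verdict for a package already on disk.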
They never have been.
Is this a new requirement?
On Sep 8, 2015, at 08:13, Basho JIRA bot! notifications@github.com wrote:
Assigned #714 to @gcymbalski.
Hey @gcymbalski, this request is a valid new feature for us. It's certainly a standard in our industry. Thanks @danieldreier for opening it up. Our infrastructure team is building some pretty big projects of late so this may take a little while to address just so you know. Cheers! 🙇
thanks @mjbrender
Hey @danieldreier - I guess I need to follow up on this elsewhere.
thanks @mjbrender - it's probably worth noting that packagecloud (which basho currently uses) can sign packages for you. I don't know what your build pipeline looks like but it should be relatively straightforward to enable that step.