Riak RPMs not GPG signed [JIRA: RIAK-1647]

Question

Riak RPMs not GPG signed [JIRA: RIAK-1647]

danieldreier opened this issue 9 years ago · comments

The Riak RPM in the packagecloud yum repository is not GPG signed, so installing it requires that GPG validation be disabled. In the docs for using the yum repo a GPG key is linked to ("gpgkey=https://packagecloud.io/gpg.key") but gpgcheck is disabled ("gpgcheck=0") and so that key will never be used.

I think that packagecloud can sign these for you.

[root@puppetlabs-centos-6 riak2]# /usr/bin/yum -y install riak
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: mirror.oss.ou.edu
 * extras: centos.host-engine.com
 * updates: centos.sonn.com
Resolving Dependencies
--> Running transaction check
---> Package riak.x86_64 0:2.0.5-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================================================
 Package                               Arch                                    Version                                        Repository                                   Size
================================================================================================================================================================================
Installing:
 riak                                  x86_64                                  2.0.5-1.el6                                    basho_riak                                   57 M

Transaction Summary
================================================================================================================================================================================
Install       1 Package(s)

Total size: 57 M
Installed size: 80 M
Downloading Packages:


Package riak-2.0.5-1.el6.x86_64.rpm is not signed
[root@puppetlabs-centos-6 riak2]# rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-4bd6ec30-4c37bb40 --> gpg(Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>)
gpg-pubkey-c105b9de-4e0fd3a3 --> gpg(CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>)
gpg-pubkey-d59097ab-52d46e88 --> gpg(packagecloud ops (production key) <ops@packagecloud.io>)

Greg Cymbalski · Answer 1 · Tue Sep 08 2015 23:19:11 GMT+0800 (China Standard Time)

They never have been.

Is this a new requirement?

On Sep 8, 2015, at 08:13, Basho JIRA bot! notifications@github.com wrote:

Assigned #714 to @gcymbalski.

—
Reply to this email directly or view it on GitHub.

Matthew Broberg · Answer 2 · Sat Oct 03 2015 02:36:13 GMT+0800 (China Standard Time)

Hey @gcymbalski, this request is a valid new feature for us. It's certainly a standard in our industry. Thanks @danieldreier for opening it up. Our infrastructure team is building some pretty big projects of late so this may take a little while to address just so you know. Cheers! 🙇

Daniel Dreier · Answer 3 · Sat Oct 03 2015 03:38:13 GMT+0800 (China Standard Time)

thanks @mjbrender

Matthew Broberg · Answer 4 · Tue Oct 06 2015 03:32:10 GMT+0800 (China Standard Time)

Hey @danieldreier - I guess I need to follow up on this elsewhere.

Daniel Dreier · Answer 5 · Tue Oct 06 2015 03:44:31 GMT+0800 (China Standard Time)

thanks @mjbrender - it's probably worth noting that packagecloud (which basho currently uses) can sign packages for you. I don't know what your build pipeline looks like but it should be relatively straightforward to enable that step.