Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
Description
We provide an RPM as a helper binary, and we provide public keys and an .asc signature file that one can use to verify the RPM. However, RPM has the ability to embed a signature during the rpmbuild process via the --sign option. Unfortunately, it doesn't look like the sbt-native-packager plugin that we use to build RPMs supports signing:
https://github.com/sbt/sbt-native-packager/issues/162
As an alternative, we should be able to install the rpmsign tool into our release container and sign the RPM after it has been built. We should be able to use the same key that we use for signing everything else, so hopefully it should just be a matter of running that tool.
Once this is done, people should be able to import our public keys (e.g. rpm --import ...) and then install our RPM with validation enabled.
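The sign-then-verify flow described above, as an added example that is not from the issue or the project. It assumes rpmsign selects the signing key through the _gpg_name macro and that `rpm -K` prints the verdict format of rpm 4.14 or later; file names and the key ID are placeholders.

```shell
#!/bin/sh
# Added example, not part of the issue: embed a signature in a built RPM with
# rpmsign (the approach the issue proposes), then verify it on the consumer
# side after importing the public key. File names and the key ID below are
# placeholders; set them to the release container's real key and artifact.
# Verdict parsing assumes the `rpm -K` output format of rpm >= 4.14.

RPM_FILE="${RPM_FILE:-target/rpm/RPMS/noarch/PLACEHOLDER.rpm}"
GPG_KEY_ID="${GPG_KEY_ID:-PLACEHOLDER_KEY_ID}"   # same key used for other release artifacts
PUBKEY_FILE="${PUBKEY_FILE:-release-pubkey.asc}"

# Release side. rpmsign (rpm-sign package on Fedora/RHEL) takes the signing key
# from the _gpg_name macro and appends a header signature to the package.
sign_rpm() {
  rpmsign --define "_gpg_name ${GPG_KEY_ID}" --addsign "$1"
}

# Classify one line of `rpm -K` output. The trap: an unsigned package prints
# "digests OK" and exits 0, so only an explicit "signatures OK" counts as
# trusted. "NOT OK" covers a bad signature and a signature from an unimported key.
verdict_is_trusted() {
  case "$1" in
    *"NOT OK"*)        return 1 ;;  # tampered, or signer's key not imported
    *"signatures OK"*) return 0 ;;  # signature present and verified
    *)                 return 1 ;;  # no signature at all
  esac
}

# Consumer side: import the published key, then require a trusted verdict.
verify_rpm() {
  rpm --import "${PUBKEY_FILE}" || return 1
  out=$(rpm -K "$1") || return 1   # rpm -K exits non-zero on a failed check
  verdict_is_trusted "$out"
}

case "${1:-}" in
  sign)   sign_rpm "${RPM_FILE}" ;;
  verify) verify_rpm "${RPM_FILE}" ;;
esac
```

Run `sh sign_verify.sh sign` in the release container and `sh sign_verify.sh verify` on a consumer host; the verdict check rejects both unsigned packages and packages whose signer's key has not been imported.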