Riak RPMs not GPG signed [JIRA: RIAK-1647] #714

Closed
danieldreier opened this issue Mar 25, 2015 · 5 comments
@danieldreier

The Riak RPM in the packagecloud yum repository is not GPG signed, so installing it requires that GPG validation be disabled. In the docs for using the yum repo a GPG key is linked to ("gpgkey=https://packagecloud.io/gpg.key") but gpgcheck is disabled ("gpgcheck=0") and so that key will never be used.

I think that packagecloud can sign these for you.

[root@puppetlabs-centos-6 riak2]# /usr/bin/yum -y install riak
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: mirror.oss.ou.edu
 * extras: centos.host-engine.com
 * updates: centos.sonn.com
Resolving Dependencies
--> Running transaction check
---> Package riak.x86_64 0:2.0.5-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================================================
 Package                               Arch                                    Version                                        Repository                                   Size
================================================================================================================================================================================
Installing:
 riak                                  x86_64                                  2.0.5-1.el6                                    basho_riak                                   57 M

Transaction Summary
================================================================================================================================================================================
Install       1 Package(s)

Total size: 57 M
Installed size: 80 M
Downloading Packages:


Package riak-2.0.5-1.el6.x86_64.rpm is not signed
[root@puppetlabs-centos-6 riak2]# rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-4bd6ec30-4c37bb40 --> gpg(Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>)
gpg-pubkey-c105b9de-4e0fd3a3 --> gpg(CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>)
gpg-pubkey-d59097ab-52d46e88 --> gpg(packagecloud ops (production key) <ops@packagecloud.io>)
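
The mismatch reported above (a `gpgkey` configured while `gpgcheck=0`) can be detected mechanically in yum repo files. This is an added example, not part of the original post or Basho's tooling; `audit_repos`, its `main_gpgcheck` parameter, the placeholder `baseurl` values and the `example_*` stanzas are assumptions made for illustration.

```python
import configparser

# Constructed sample. The [basho_riak] gpgkey/gpgcheck lines are the settings
# quoted in the issue; baseurl values and example_* stanzas are placeholders.
SAMPLE_REPO = """\
[basho_riak]
baseurl=https://repo.example.invalid/riak/el/6/$basearch
gpgkey=https://packagecloud.io/gpg.key
gpgcheck=0

[example_signed]
baseurl=https://repo.example.invalid/signed/el/6/$basearch
gpgkey=https://repo.example.invalid/gpg.key
gpgcheck=1

[example_inherits]
baseurl=https://repo.example.invalid/other/el/6/$basearch

[example_disabled]
baseurl=https://repo.example.invalid/off/el/6/$basearch
gpgcheck=0
enabled=0
"""

_BOOL = {"1": True, "yes": True, "true": True,
         "0": False, "no": False, "false": False}

def _flag(section, key, default):
    """Read a yum-style boolean, falling back to `default` when unset."""
    raw = section.get(key)
    if raw is None:
        return default
    return _BOOL[raw.strip().lower()]  # KeyError on an unrecognised value

def audit_repos(text, main_gpgcheck):
    """Return (repo_id, reason) for each enabled repo that skips signature checks.
    main_gpgcheck: gpgcheck from [main] in yum.conf, inherited when a repo sets none."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for repo_id in cp.sections():
        sec = cp[repo_id]
        if not _flag(sec, "enabled", True):
            continue  # disabled repos are not used for installs
        if _flag(sec, "gpgcheck", main_gpgcheck):
            continue  # signatures are verified for this repo
        detail = "configured gpgkey is never used" if sec.get("gpgkey") else "no gpgkey configured"
        findings.append((repo_id, "gpgcheck off: " + detail))
    return findings
```

Pass the concatenated contents of the `.repo` files as `text`, and the `gpgcheck` value from `[main]` in `yum.conf` as `main_gpgcheck`.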
@Basho-JIRA Basho-JIRA changed the title Riak RPMs not GPG signed Riak RPMs not GPG signed [JIRA: RIAK-1647] Mar 25, 2015
@Basho-JIRA Basho-JIRA assigned gcymbalski and unassigned ooshlablu Sep 8, 2015
@gcymbalski
Contributor

They never have been.

Is this a new requirement?

On Sep 8, 2015, at 08:13, Basho JIRA bot! notifications@github.com wrote:

Assigned #714 to @gcymbalski.

@mbbroberg

Hey @gcymbalski, this request is a valid new feature for us. It's certainly a standard in our industry. Thanks @danieldreier for opening it up. Our infrastructure team is building some pretty big projects of late so this may take a little while to address just so you know. Cheers! 🙇

@mbbroberg mbbroberg reopened this Oct 2, 2015
@danieldreier
Author

thanks @mjbrender

@mbbroberg

Hey @danieldreier - I guess I need to follow up on this elsewhere.

@danieldreier
Author

thanks @mjbrender - it's probably worth noting that packagecloud (which Basho currently uses) can sign packages for you. I don't know what your build pipeline looks like but it should be relatively straightforward to enable that step.
