[ https://issues.apache.org/jira/browse/CASSANDRA-14968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16738481#comment-16738481 ]
Stefan Podkowinski commented on CASSANDRA-14968:
------------------------------------------------

So what we're currently doing is to add signatures at two places: as part of the package metadata and for the repository metadata. Handling the first is what confuses me the most at the moment. Take the RPMs for example:

{code}
rpm -K cassandra-3.11.3-1.noarch.rpm
cassandra-3.11.3-1.noarch.rpm: digests SIGNATURES NOT OK
rpm --import https://www.apache.org/dist/cassandra/KEYS
rpm -K cassandra-3.11.3-1.noarch.rpm
cassandra-3.11.3-1.noarch.rpm: digests signatures OK
{code}

As you can see, we can verify the signature that comes with the RPM by importing the KEYS file. But I couldn't get this to work for ignite at all. Even after importing both their own KEYS and the Bintray/JFrog key.

{code}
rpm --import KEYS ignite-key.asc
rpm -K apache-ignite-2.7.0-1.noarch.rpm
apache-ignite-2.7.0-1.noarch.rpm: digests SIGNATURES NOT OK
{code}

Maybe I'm just missing something here and the package can be installed just fine from the Bintray yum repo, even with gpgcheck=1. I wasn't able to test this directly yet.

My question is, does Bintray do a debsign/rpmsign with their own key, after uploading an artifact? Or does it just create the detached .asc signatures for packages and repo metadata?

> Investigate GPG signing of deb and rpm repositories via bintray
> ---------------------------------------------------------------
>
>                 Key: CASSANDRA-14968
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14968
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Michael Shuler
>            Priority: Major
>              Labels: packaging
>
> Currently, the release manager uploads debian packages and built/signed
> metadata to a generic bintray repository. Perhaps we could utilize the GPG
> signing feature of the repository, post-upload, via the bintray GPG signing
> feature.
> https://www.jfrog.com/confluence/display/BT/Managing+Uploaded+Content#ManagingUploadedContent-GPGSigning
> Depends on CASSANDRA-14967
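
Added example, not part of the original comment or of either project's tooling: `rpm -K` reports every signature failure as "SIGNATURES NOT OK", while the verbose form `rpm -Kv` prints a status and key ID per signature, which separates a missing public key (NOKEY) from a signature that fails to verify. The function name `classify_rpm_sig` and the sample outputs, including the package name and key ID, are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the output of `rpm -Kv <package>` read on stdin.
# Prints one of: ok | nokey:<keyids> | bad | unsigned
classify_rpm_sig() {
    awk '
        # Signature lines look like:
        #   Header V4 RSA/SHA512 Signature, key ID 0123abcd: NOKEY
        /Signature, key ID/ {
            seen = 1
            rest = $0
            sub(/.*key ID /, "", rest)            # rest = "0123abcd: NOKEY"
            id = rest;     sub(/:.*/, "", id)     # key ID before the colon
            status = rest; sub(/^[^:]*: */, "", status); sub(/ .*/, "", status)
            if (status == "NOKEY") {
                # Public key for this ID is not in the rpm keyring.
                if (!(id in missing)) { missing[id] = 1; ids = ids (ids ? "," : "") id }
            } else if (status != "OK") {
                bad = 1                           # any other status, e.g. BAD
            }
        }
        END {
            if (!seen)    print "unsigned"        # digests only, no signature
            else if (bad) print "bad"
            else if (ids) print "nokey:" ids
            else          print "ok"
        }'
}

# Constructed sample outputs (not captured from a real package).
SAMPLE_NOKEY='pkg-1.0-1.noarch.rpm:
    Header V4 RSA/SHA512 Signature, key ID 0123abcd: NOKEY
    Header SHA1 digest: OK
    V4 RSA/SHA512 Signature, key ID 0123abcd: NOKEY
    MD5 digest: OK'
SAMPLE_OK='pkg-1.0-1.noarch.rpm:
    Header V4 RSA/SHA512 Signature, key ID 0123abcd: OK
    Header SHA1 digest: OK
    V4 RSA/SHA512 Signature, key ID 0123abcd: OK
    MD5 digest: OK'
SAMPLE_BAD='pkg-1.0-1.noarch.rpm:
    Header V4 RSA/SHA512 Signature, key ID 0123abcd: BAD
    Header SHA1 digest: OK'
SAMPLE_UNSIGNED='pkg-1.0-1.noarch.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'

printf '%s\n' "$SAMPLE_NOKEY" | classify_rpm_sig
```

On a real system, pipe `rpm -Kv <package>` into the function. A key ID reported as missing can be compared with the imported keys listed by `rpm -q gpg-pubkey`, whose version field is the short key ID.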