[ https://issues.apache.org/jira/browse/CASSANDRA-14968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16738481#comment-16738481 ]

Stefan Podkowinski commented on CASSANDRA-14968:
------------------------------------------------

So what we're currently doing is to add signatures at two places: as part of 
the package metadata and for the repository metadata. Handling the first is 
what confuses me the most at the moment. Take the RPMs for example:

{code}
rpm -K cassandra-3.11.3-1.noarch.rpm
cassandra-3.11.3-1.noarch.rpm: digests SIGNATURES NOT OK
rpm --import https://www.apache.org/dist/cassandra/KEYS
rpm -K cassandra-3.11.3-1.noarch.rpm
cassandra-3.11.3-1.noarch.rpm: digests signatures OK
{code}

As you can see, we can verify the signature that comes with the RPM by 
importing the KEYS file. 

But I couldn't get this to work for ignite at all. Even after importing both 
their own KEYS and the Bintray/JFrog key.

{code}
rpm --import KEYS ignite-key.asc
rpm -K apache-ignite-2.7.0-1.noarch.rpm
apache-ignite-2.7.0-1.noarch.rpm: digests SIGNATURES NOT OK
{code}

Maybe I'm just missing something here and the package can be installed just 
fine from the Bintray yum repo, even with gpgcheck=1. I wasn't able to test 
this directly yet.

My question is, does Bintray do a debsign/rpmsign with their own key, after 
uploading an artifact? Or does it just create the detached .asc signatures for 
packages and repo metadata? 



> Investigate GPG signing of deb and rpm repositories via bintray
> ---------------------------------------------------------------
>
>                 Key: CASSANDRA-14968
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14968
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Michael Shuler
>            Priority: Major
>              Labels: packaging
>
> Currently, the release manager uploads debian packages and built/signed 
> metadata to a generic bintray repository. Perhaps we could utilize the GPG 
> signing feature of the repository, post-upload, via the bintray GPG signing 
> feature.
> https://www.jfrog.com/confluence/display/BT/Managing+Uploaded+Content#ManagingUploadedContent-GPGSigning
>  Depends on CASSANDRA-14967
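
The comment above hinges on a distinction that `rpm -K` does not expose: whether a package carries an embedded rpmsign signature in its signature header, or whether the only signature is a detached .asc file published next to it. The following is an added example, not code from the Cassandra project, from Bintray/JFrog or from anyone in this thread. It reads the RPM lead and signature header directly and, for each signature entry, pulls the OpenPGP issuer key ID so you know which key to look for in a KEYS file. It assumes the header layout and tag numbers from rpm's rpmtag.h (267/268 for DSA/RSA header signatures, 1002/1005 for the legacy PGP/GPG signatures over header plus payload, 269/273/1004 for the SHA1/SHA256/MD5 digests) and the packet formats of RFC 4880; the fixture it builds for itself is constructed, not a real package.

```python
"""Read an RPM's signature header directly: which signature tags are present
(embedded rpmsign signature vs. digests only) and which OpenPGP key ID made them.
Tag numbers from rpm's rpmtag.h, packet layout from RFC 4880 (added example)."""
import struct

LEAD_SIZE = 96
LEAD_MAGIC = b"\xed\xab\xee\xdb"              # rpmlead magic
HEADER_MAGIC = b"\x8e\xad\xe8\x01"            # header magic + version 1
INT32, STRING, BIN = 4, 6, 7                  # rpm header entry types used here
SIGNATURE_TAGS = {267: "DSAHEADER", 268: "RSAHEADER", 1002: "PGP", 1005: "GPG"}
DIGEST_TAGS = {269: "SHA1HEADER", 273: "SHA256HEADER", 1004: "MD5"}


def parse_signature_header(data: bytes) -> dict:
    """Return {tag: raw_bytes} for every entry of the signature header."""
    if len(data) < LEAD_SIZE or data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    hdr = LEAD_SIZE
    if data[hdr:hdr + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack(">II", data[hdr + 8:hdr + 16])
    index_start = hdr + 16
    store_start = index_start + 16 * nindex
    store = data[store_start:store_start + hsize]
    if len(store) != hsize:
        raise ValueError("truncated signature header")
    entries = {}
    for i in range(nindex):
        ent = data[index_start + 16 * i:index_start + 16 * i + 16]
        tag, typ, off, count = struct.unpack(">IIII", ent)
        if typ == STRING:                     # NUL-terminated string
            entries[tag] = store[off:store.index(b"\x00", off)]
        elif typ == INT32:
            entries[tag] = store[off:off + 4 * count]
        else:                                 # BIN and other byte-sized types
            entries[tag] = store[off:off + count]
    return entries


def _packet_body(pkt: bytes):
    """(tag, body) of the first OpenPGP packet; RFC 4880 4.2 header formats."""
    b0 = pkt[0]
    if not b0 & 0x80:
        raise ValueError("not an OpenPGP packet")
    if b0 & 0x40:                             # new-format header
        tag, b1 = b0 & 0x3F, pkt[1]
        if b1 < 192:
            n, start = b1, 2
        elif b1 < 224:
            n, start = ((b1 - 192) << 8) + pkt[2] + 192, 3
        elif b1 == 255:
            n, start = struct.unpack(">I", pkt[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                     # old-format header (what gpg emits for signatures)
        tag, lt = (b0 >> 2) & 0x0F, b0 & 0x03
        if lt == 3:
            raise ValueError("indeterminate length not supported")
        n_bytes = (1, 2, 4)[lt]
        n, start = int.from_bytes(pkt[1:1 + n_bytes], "big"), 1 + n_bytes
    return tag, pkt[start:start + n]


def _subpacket_len(area: bytes, i: int):
    """Signature subpacket length octets (RFC 4880 5.2.3.1): (length, next_index)."""
    b = area[i]
    if b < 192:
        return b, i + 1
    if b < 255:
        return ((b - 192) << 8) + area[i + 1] + 192, i + 2
    return struct.unpack(">I", area[i + 1:i + 5])[0], i + 5


def issuer_key_id(sig: bytes):
    """Long key ID (16 hex digits) of the signing key, or None if no issuer subpacket."""
    tag, body = _packet_body(sig)
    if tag != 2:
        raise ValueError("not a signature packet")
    if body[0] == 3:                          # v3: key ID at a fixed offset
        return body[7:15].hex().upper()
    if body[0] != 4:
        raise ValueError("unsupported signature version %d" % body[0])
    pos = 4                                   # skip version, sig type, pubkey alg, hash alg
    for _ in range(2):                        # hashed area, then unhashed area
        area_len = struct.unpack(">H", body[pos:pos + 2])[0]
        area, pos, i = body[pos + 2:pos + 2 + area_len], pos + 2 + area_len, 0
        while i < len(area):
            n, i = _subpacket_len(area, i)
            sp_type, sp_data = area[i] & 0x7F, area[i + 1:i + n]
            if sp_type == 16 and len(sp_data) == 8:   # issuer key ID subpacket
                return sp_data.hex().upper()
            i += n
    return None


def report(data: bytes) -> dict:
    """What `rpm -K` does not tell you: signature tags with their issuers, and digests."""
    entries = parse_signature_header(data)
    sigs = {SIGNATURE_TAGS[t]: issuer_key_id(v) for t, v in entries.items() if t in SIGNATURE_TAGS}
    digests = sorted(DIGEST_TAGS[t] for t in entries if t in DIGEST_TAGS)
    return {"signed": bool(sigs), "signatures": sigs, "digests": digests}


def build_synthetic_rpm(entries) -> bytes:
    """Constructed fixture: lead + signature header from (tag, type, raw) tuples, no payload."""
    index, store = b"", b""
    for tag, typ, raw in entries:
        if typ == INT32:
            store += b"\x00" * (-len(store) % 4)          # rpm aligns INT32 entries
        count = len(raw) // 4 if typ == INT32 else 1 if typ == STRING else len(raw)
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += raw + (b"\x00" if typ == STRING else b"")
    lead = LEAD_MAGIC + bytes([3, 0]) + b"\x00" * (LEAD_SIZE - 6)
    return lead + HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(entries), len(store)) + index + store


def synthetic_v4_signature(key_id: bytes) -> bytes:
    """Constructed v4 RSA signature packet with an issuer subpacket; the MPI is a dummy,
    so this has the structure of a signature but verifies against nothing."""
    hashed = b"\x05\x02\x00\x00\x00\x00"                # creation-time subpacket
    unhashed = b"\x09\x10" + key_id                      # issuer subpacket (type 16)
    body = (b"\x04\x00\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xab\xcd\x00\x08\xff")
    return b"\x88" + bytes([len(body)]) + body            # old-format header, tag 2
```

Run `report(open("pkg.rpm", "rb").read())` on a real file: `signed` false with only `digests` populated means the package was never rpmsign'ed and the only thing to verify is the detached .asc (`gpg --verify pkg.rpm.asc pkg.rpm` against the project's KEYS); `signed` true with an issuer that is not in the imported keyring is the "SIGNATURES NOT OK" case, and `rpm -Kv pkg.rpm` will name the missing key. Note that a signature stored only on the metadata side (repo-level signing) never shows up here, since it is not part of the package file.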



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
