Steve Lawrence created DAFFODIL-2294:
----------------------------------------
Summary: Sign RPM as part of release container
Key: DAFFODIL-2294
URL: https://issues.apache.org/jira/browse/DAFFODIL-2294
Project: Daffodil
Issue Type: Bug
Components: Infrastructure
Reporter: Steve Lawrence

We provide an RPM as a helper binary, and we provide public keys and an .asc
signature file that one can use to verify the RPM. However, RPM has the ability
to embed a signature during the rpmbuild process via --sign.

Unfortunately, it doesn't look like the sbt-native-packager plugin that we use
to build RPMs supports signing:
[https://github.com/sbt/sbt-native-packager/issues/162]

As an alternative, we should be able to install the {{rpmsign}} tool into our
release container and sign the RPM after it has been built. We should be able
to use the same key that we use for signing everything else, so hopefully it
should just be a matter of running that tool.

Once this is done, people should be able to import our public keys (e.g. rpm
--import ...) and then install our RPM with validation enabled.
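
A sketch of the post-build signing step with a release gate, added here as an example (not code from the issue or from the Daffodil project). `rpm --checksig` also reports OK for an unsigned package whose digests are intact, so the gate requires the summary to name a verified signature. The function names, the arguments and the sample summary lines in the comments are assumptions; the wording matched is the `digests signatures OK` form of rpm 4.14 and later plus the older per-algorithm form.

```shell
#!/bin/sh
# Added example: sign an already-built RPM, then refuse to release it unless
# `rpm --checksig` reports a verified signature rather than only intact digests.

# Classify one `rpm --checksig` summary line. Prints: signed | unsigned | bad
#   "<file>: digests signatures OK"      -> signed   (rpm >= 4.14 wording)
#   "<file>: rsa sha1 (md5) pgp md5 OK"  -> signed   (older rpm wording)
#   "<file>: digests OK"                 -> unsigned (intact, but no signature)
#   "<file>: digests SIGNATURES NOT OK"  -> bad      (bad signature or missing key)
classify_checksig() {
    summary=${1#*: }    # drop the leading "<file>: " so the name cannot match
    case "$summary" in
        *"NOT OK"*)                     echo bad ;;
        *signatures*OK|*pgp*OK|*gpg*OK) echo signed ;;
        *OK)                            echo unsigned ;;
        *)                              echo bad ;;
    esac
}

# Usage: sign_and_gate <rpm file> <gpg key id> <public KEYS file>
# All three arguments are placeholders supplied by the release script.
sign_and_gate() {
    rpm_file=$1 key_id=$2 keys_file=$3

    # Embed the signature in the package header using the release key.
    rpmsign --addsign --define "_gpg_name $key_id" "$rpm_file" || return 1

    # Verify the way a user would: import the public keys, then check.
    rpm --import "$keys_file" || return 1
    line=$(rpm --checksig "$rpm_file") || true   # non-zero exit is classified below
    verdict=$(classify_checksig "$line")

    echo "$rpm_file: $verdict"
    [ "$verdict" = signed ]
}
```
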