[ 
https://issues.apache.org/jira/browse/DAFFODIL-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17061757#comment-17061757
 ] 

Mike Beckerle commented on DAFFODIL-2294:
-----------------------------------------

Do we have a blog for Daffodil? This sort of thing, when implemented, is worth 
a post.

> Sign RPM as part of release container
> -------------------------------------
>
>                 Key: DAFFODIL-2294
>                 URL: https://issues.apache.org/jira/browse/DAFFODIL-2294
>             Project: Daffodil
>          Issue Type: Bug
>          Components: Infrastructure
>            Reporter: Steve Lawrence
>            Assignee: Steve Lawrence
>            Priority: Major
>             Fix For: 2.6.0
>
>
> We provide an RPM as a helper binary, and we provide public keys and an .asc 
> signature file that one can use to verify the RPM. However, RPM has the 
> ability to embed a signature during the rpmbuild process via --sign process. 
> Unfortunately, it doesn't look like the sbt-native-packager plugin that we 
> use to build RPMs supports signing:
> [https://github.com/sbt/sbt-native-packager/issues/162]
> As an alternative, we should be able to install the {{rpmsign}} tool into our 
> release container and sign the RPM after it has been built. We should be able 
> to use the same key that we use for signing everything else, so hopefully it 
> should just be a matter of running that tool. 
> Once this is done, people should be able to import our public keys (e.g. rpm 
> --import ...) and then install our RPM with validation enabled.
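
One way to do the post-build signing and check described in the issue, as an added example (not Daffodil's release script). The function names, the three arguments and the file name in the usage comment are assumptions, and the output matching assumes the `rpm -K` wording of rpm 4.14 and later. It gates on the word `signatures` because `rpm -K` also reports OK, with exit status 0, for an RPM that carries no signature at all.

```shell
#!/bin/sh
# Added example: sign an already-built RPM, then refuse to release it unless
# `rpm -K` reports a verified signature. Names and arguments are hypothetical.

# Classify one line of `rpm -K` output (rpm >= 4.14 wording assumed).
classify_checksig() {
    case "$1" in
        *"NOT OK"*)                 echo bad ;;       # bad digest, or signing key not imported
        *": digests signatures OK") echo signed ;;    # signature present and verified
        *": digests OK")            echo unsigned ;;  # digests only: no signature in the header
        *)                          echo unknown ;;
    esac
}

# $1 = RPM file, $2 = GPG key id to sign with, $3 = file of public keys
sign_and_gate() {
    rpm_file=$1; key_id=$2; keys_file=$3
    # Make the public key known to rpm so the check below can verify it.
    rpm --import "$keys_file" || return 1
    # Embed the signature in the RPM header after the build.
    rpmsign --define "_gpg_name $key_id" --addsign "$rpm_file" || return 1
    verdict=$(classify_checksig "$(LC_ALL=C rpm -K "$rpm_file")")
    if [ "$verdict" != signed ]; then
        echo "refusing to release $rpm_file: checksig verdict is $verdict" >&2
        return 1
    fi
}

# Only act when called with the three arguments, e.g.
#   ./sign-rpm.sh example.rpm <KEY_ID> KEYS
if [ "$#" -eq 3 ]; then
    sign_and_gate "$@"
fi
```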


