[jira] [Commented] (CASSANDRA-14968) Investigate GPG signing of deb and rpm repositories via bintray
[ https://issues.apache.org/jira/browse/CASSANDRA-14968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16760645#comment-16760645 ] mck commented on CASSANDRA-14968: - [~mshuler], {quote}I personally would not upload my private key anywhere, regardless of what ASF's opinion on that might be{quote} You're correct in your opinion. The ASF forbids the private key that's used to even be stored on ASF hardware. It must be stored on your machine, and for it to be a machine you have full admin control over. http://www.apache.org/dev/release-signing.html#basic-facts http://www.apache.org/dev/release-distribution.html#sigs-and-sums > Investigate GPG signing of deb and rpm repositories via bintray > --- > > Key: CASSANDRA-14968 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14968 > Project: Cassandra > Issue Type: Bug >Reporter: Michael Shuler >Priority: Major > Labels: packaging > > Currently, the release manager uploads debian packages and built/signed > metadata to a generic bintray repository. Perhaps we could utilize the GPG > signing feature of the repository, post-upload, via the bintray GPG signing > feature. > https://www.jfrog.com/confluence/display/BT/Managing+Uploaded+Content#ManagingUploadedContent-GPGSigning > Depends on CASSANDRA-14967 -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-14968) Investigate GPG signing of deb and rpm repositories via bintray
[ https://issues.apache.org/jira/browse/CASSANDRA-14968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16750077#comment-16750077 ] Michael Shuler commented on CASSANDRA-14968: Keep it simple. We do 2 things with rpms: we sign the packages, we sign the repository metadata. I have no idea without testing in a scratch repo at bintray if those can be different signatures, if the existing rpm signature is overwritten, etc. What I did test was installing ignite from the instructions on their download page. The repository metadata is signed by bintray key, and yes, the metadata would need to be created after packages are upload, then that metadata would be signed by the bintray key after that step. > Investigate GPG signing of deb and rpm repositories via bintray > --- > > Key: CASSANDRA-14968 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14968 > Project: Cassandra > Issue Type: Bug >Reporter: Michael Shuler >Priority: Major > Labels: packaging > > Currently, the release manager uploads debian packages and built/signed > metadata to a generic bintray repository. Perhaps we could utilize the GPG > signing feature of the repository, post-upload, via the bintray GPG signing > feature. > https://www.jfrog.com/confluence/display/BT/Managing+Uploaded+Content#ManagingUploadedContent-GPGSigning > Depends on CASSANDRA-14967 -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-14968) Investigate GPG signing of deb and rpm repositories via bintray
[ https://issues.apache.org/jira/browse/CASSANDRA-14968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16738481#comment-16738481 ] Stefan Podkowinski commented on CASSANDRA-14968: So what we're currently doing is to add signatures at two places: as part of the package metadata and for the repository metadata. Handling the first is what confuses me the most at the moment. Take the RPMs for example: {code} rpm -K cassandra-3.11.3-1.noarch.rpm cassandra-3.11.3-1.noarch.rpm: digests SIGNATURES NOT OK rpm --import https://www.apache.org/dist/cassandra/KEYS rpm -K cassandra-3.11.3-1.noarch.rpm cassandra-3.11.3-1.noarch.rpm: digests signatures OK {code} As you can see, we can verify the signature that comes with the RPM by importing the KEYS file. But I couldn't get this to work for ignite at all. Even after importing both their own KEYS and the Bintray/JFrog key. {code} rpm --import KEYS ignite-key.asc rpm -K apache-ignite-2.7.0-1.noarch.rpm apache-ignite-2.7.0-1.noarch.rpm: digests SIGNATURES NOT OK {code} Maybe I'm just missing something here and the package can be installed just fine from the Bintray yum repo, even with gpgcheck=1. I wasn't able to test this directly yet. My question is, does Bintray do a debsign/rpmsign with their own key, after uploading an artifact? Or does it just create the dettached .asc signatures for packages and repo metadata? > Investigate GPG signing of deb and rpm repositories via bintray > --- > > Key: CASSANDRA-14968 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14968 > Project: Cassandra > Issue Type: Bug >Reporter: Michael Shuler >Priority: Major > Labels: packaging > > Currently, the release manager uploads debian packages and built/signed > metadata to a generic bintray repository. Perhaps we could utilize the GPG > signing feature of the repository, post-upload, via the bintray GPG signing > feature. > https://www.jfrog.com/confluence/display/BT/Managing+Uploaded+Content#ManagingUploadedContent-GPGSigning > Depends on CASSANDRA-14967 -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-14968) Investigate GPG signing of deb and rpm repositories via bintray
[ https://issues.apache.org/jira/browse/CASSANDRA-14968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16738342#comment-16738342 ] Michael Shuler commented on CASSANDRA-14968: The apache bintray organization for people to research: https://bintray.com/apache An example of an apache project using bintray for both rpm and deb repositories for people to research: https://ignite.apache.org/download.cgi#rpm-package https://ignite.apache.org/download.cgi#deb-package The deb repo for ignite: https://bintray.com/apache/ignite-deb/apache-ignite#files/dists%2Fapache-ignite Checking gpg signature on deb repo and metadata that apt/apt-get/aptitude clients use to verify integrity of install files, after downloading those files from bintray manually: {noformat} mshuler@hana:~/tmp$ ls -l apache-ignite_* -rw-r--r-- 1 mshuler mshuler 2154 Jan 9 09:30 apache-ignite_Packages -rw-r--r-- 1 mshuler mshuler 2679 Jan 9 09:18 apache-ignite_Release -rw-r--r-- 1 mshuler mshuler 821 Jan 9 09:15 apache-ignite_Release.gpg mshuler@hana:~/tmp$ mshuler@hana:~/tmp$ gpg apache-ignite_Release.gpg gpg: WARNING: no command supplied. Trying to guess what you mean ... Detached signature. Please enter name of data file: apache-ignite_Release gpg: Signature made Thu 06 Dec 2018 05:36:26 AM CST gpg:using RSA key 379CE192D401AB61 gpg: please do a --check-trustdb gpg: Good signature from "Bintray (by JFrog) " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 8756 C4F7 65C9 AC3C B6B8 5D62 379C E192 D401 AB61 mshuler@hana:~/tmp$ mshuler@hana:~/tmp$ cat apache-ignite_Release Origin: Bintray Label: Bintray Suite: apache-ignite Codename: apache-ignite Date: Thu, 06 Dec 2018 11:36:25 UTC Components: main Architectures: amd64 i386 MD5Sum: d14dd7acdcef58e0e2948f808abb3a31 2154 main/binary-all/Packages c39c9e7aa83bbad644183f6debc02724 860 main/binary-all/Packages.bz2 29ebf0da941a3982a75772b16cf83ddd 706 main/binary-all/Packages.gz d14dd7acdcef58e0e2948f808abb3a31 2154 main/binary-amd64/Packages c39c9e7aa83bbad644183f6debc02724 860 main/binary-amd64/Packages.bz2 29ebf0da941a3982a75772b16cf83ddd 706 main/binary-amd64/Packages.gz d14dd7acdcef58e0e2948f808abb3a31 2154 main/binary-i386/Packages c39c9e7aa83bbad644183f6debc02724 860 main/binary-i386/Packages.bz2 29ebf0da941a3982a75772b16cf83ddd 706 main/binary-i386/Packages.gz SHA1: 44898d38972f335a1feacafb5454db519fa736e7 2154 main/binary-all/Packages 1c1a0dfe332475028497b971a0bb1afb88a417d5 860 main/binary-all/Packages.bz2 e332c6b43880cb4c26af408626748c702a230d10 706 main/binary-all/Packages.gz 44898d38972f335a1feacafb5454db519fa736e7 2154 main/binary-amd64/Packages 1c1a0dfe332475028497b971a0bb1afb88a417d5 860 main/binary-amd64/Packages.bz2 e332c6b43880cb4c26af408626748c702a230d10 706 main/binary-amd64/Packages.gz 44898d38972f335a1feacafb5454db519fa736e7 2154 main/binary-i386/Packages 1c1a0dfe332475028497b971a0bb1afb88a417d5 860 main/binary-i386/Packages.bz2 e332c6b43880cb4c26af408626748c702a230d10 706 main/binary-i386/Packages.gz SHA256: 6a7e79cd5a3619255d8f304a3870c66f8a58c9deca490b4a08ce2ae69a2b3c84 2154 main/binary-all/Packages dcc398c50f740ec627476c492702fd1fa21490b44fe88de64970a6f174d372f2 860 main/binary-all/Packages.bz2 0cac69595f66c9cebabcd36f4215aa31371241bebc57ae4a497a9fdc0c7a1d82 706 main/binary-all/Packages.gz 6a7e79cd5a3619255d8f304a3870c66f8a58c9deca490b4a08ce2ae69a2b3c84 2154 main/binary-amd64/Packages dcc398c50f740ec627476c492702fd1fa21490b44fe88de64970a6f174d372f2 860 main/binary-amd64/Packages.bz2 0cac69595f66c9cebabcd36f4215aa31371241bebc57ae4a497a9fdc0c7a1d82 706 main/binary-amd64/Packages.gz 6a7e79cd5a3619255d8f304a3870c66f8a58c9deca490b4a08ce2ae69a2b3c84 2154 main/binary-i386/Packages dcc398c50f740ec627476c492702fd1fa21490b44fe88de64970a6f174d372f2 860 main/binary-i386/Packages.bz2 0cac69595f66c9cebabcd36f4215aa31371241bebc57ae4a497a9fdc0c7a1d82 706 main/binary-i386/Packages.gz mshuler@hana:~/tmp$ mshuler@hana:~/tmp$ cat apache-ignite_Packages Package: apache-ignite Version: 2.5.0-1 Architecture: all Maintainer: Petr Ivanov Installed-Size: 431627 Depends: openjdk-8-jdk | oracle-java8-installer, systemd, passwd Section: misc Priority: optional Homepage: https://ignite.apache.org Description: Apache Ignite In-Memory Computing, Database and Caching Platform Ignite™ is a memory-centric distributed database, caching, and processing platform for
[jira] [Commented] (CASSANDRA-14968) Investigate GPG signing of deb and rpm repositories via bintray
[ https://issues.apache.org/jira/browse/CASSANDRA-14968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16738235#comment-16738235 ] Stefan Podkowinski commented on CASSANDRA-14968: How would you verify the integrity of builds that come with such bintray signatures, without reproducable builds? How would we make sure that only official releases will be signed with the uploaded key? > Investigate GPG signing of deb and rpm repositories via bintray > --- > > Key: CASSANDRA-14968 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14968 > Project: Cassandra > Issue Type: Bug >Reporter: Michael Shuler >Priority: Major > Labels: packaging > > Currently, the release manager uploads debian packages and built/signed > metadata to a generic bintray repository. Perhaps we could utilize the GPG > signing feature of the repository, post-upload, via the bintray GPG signing > feature. > https://www.jfrog.com/confluence/display/BT/Managing+Uploaded+Content#ManagingUploadedContent-GPGSigning > Depends on CASSANDRA-14967 -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-14968) Investigate GPG signing of deb and rpm repositories via bintray
[ https://issues.apache.org/jira/browse/CASSANDRA-14968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16737654#comment-16737654 ] Michael Shuler commented on CASSANDRA-14968: The apache organization there has a key - I don't know if it would be feasible to use the org key to sign the repositories? Individual users can upload public (and private (eww..)) keys and the API for bintray includes notes about signing via curl POST calls. I personally would not upload my private key anywhere, regardless of what ASF's opinion on that might be. Uploading a public key so the repo makes it available for download is pretty normal, then the signing portion (I guess) can be done offline(?) and uploaded. I don't know all the ins and outs of how it works. This is precisely why this ticket suggests investigating the topic. Is this something you would like assigned to you? > Investigate GPG signing of deb and rpm repositories via bintray > --- > > Key: CASSANDRA-14968 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14968 > Project: Cassandra > Issue Type: Bug >Reporter: Michael Shuler >Priority: Major > Labels: packaging > > Currently, the release manager uploads debian packages and built/signed > metadata to a generic bintray repository. Perhaps we could utilize the GPG > signing feature of the repository, post-upload, via the bintray GPG signing > feature. > https://www.jfrog.com/confluence/display/BT/Managing+Uploaded+Content#ManagingUploadedContent-GPGSigning > Depends on CASSANDRA-14967 -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-14968) Investigate GPG signing of deb and rpm repositories via bintray
[ https://issues.apache.org/jira/browse/CASSANDRA-14968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16737603#comment-16737603 ] mck commented on CASSANDRA-14968: - I don't think ASF permits/encourages shared (or even uploaded?) private keys? This needs to be checked. > Investigate GPG signing of deb and rpm repositories via bintray > --- > > Key: CASSANDRA-14968 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14968 > Project: Cassandra > Issue Type: Bug >Reporter: Michael Shuler >Priority: Major > Labels: packaging > > Currently, the release manager uploads debian packages and built/signed > metadata to a generic bintray repository. Perhaps we could utilize the GPG > signing feature of the repository, post-upload, via the bintray GPG signing > feature. > https://www.jfrog.com/confluence/display/BT/Managing+Uploaded+Content#ManagingUploadedContent-GPGSigning > Depends on CASSANDRA-14967 -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org