Repository: cassandra-builds
Updated Branches:
  refs/heads/master 311046bf0 -> b15c7c055


Add package signing instructions


Project: http://git-wip-us.apache.org/repos/asf/cassandra-builds/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra-builds/commit/b15c7c05
Tree: http://git-wip-us.apache.org/repos/asf/cassandra-builds/tree/b15c7c05
Diff: http://git-wip-us.apache.org/repos/asf/cassandra-builds/diff/b15c7c05

Branch: refs/heads/master
Commit: b15c7c055226603790a2c5d57bd51516f8758db4
Parents: 311046b
Author: Stefan Podkowinski <stefan.podkowin...@1und1.de>
Authored: Wed Jun 28 15:50:59 2017 +0200
Committer: Stefan Podkowinski <stefan.podkowin...@1und1.de>
Committed: Wed Jun 28 15:52:45 2017 +0200

----------------------------------------------------------------------
 README.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cassandra-builds/blob/b15c7c05/README.md
----------------------------------------------------------------------
diff --git a/README.md b/README.md
index 3b77fdd..8bb85ee 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,36 @@ Packages for official releases can only be build from tags. 
In this case, the ta
 
 Builds based on any branch will use the version defined in either `build.xml` 
(RPM) or `debian/changes` (deb). Afterwards a snapshot indicator will be 
appended.
 
+##  Signing packages
+
+### RPM
+
+Signatures can be used for both yum repository integrity protection and 
end-to-end package verification.
+
+Providing a signature 
([repomd.xml.asc](https://www.apache.org/dist/cassandra/redhat/311x/repodata/repomd.xml.asc))
 for 
[repomd.xml](https://www.apache.org/dist/cassandra/redhat/311x/repodata/repomd.xml)
 allows clients to verify the repository's meta-data, as enabled by 
`repo_gpgcheck=1` in the yum config.
+
+Individual package files can also contain a signature in the RPM header. This 
can be done either during the build process (`rpmbuild --sign`) or afterwards 
on the final artifact. As the RPMs should be build using docker without any 
user intervention, we have to go with the later option here. One solution for 
this is to use the rpmsign wrapper (`yum install rpm-sign`) and use it on the 
package, e.g.:
+```rpmsign -D '%_gpg_name MyAlias' --addsign cassandra-3.0.13-1.noarch.rpm```
+
+Verifying package signatures requires to import the public keys first:
+
+```
+rpm --import https://www.apache.org/dist/cassandra/KEYS
+```
+
+Afterwards the following command should report "OK" for included hashes and 
gpg signatures:
+
+```
+rpm -K cassandra-3.0.13-1.noarch.rpm
+```
+
+Once the RPM is signed, both the import key and verification steps should take 
place automatically during installation from the yum repo (see `gpgcheck=1`).
+
+### Debian
+
+See use of `debsign` in `cassandra-release/prepare_release.sh`.
+
+
 ## Publishing packages
 
 TODO
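Review bot: The closing RPM paragraph ("both the import key and verification steps should take place automatically during installation from the yum repo") names only `gpgcheck=1`, but yum can fetch and offer the key on its own only when the repo definition also carries a `gpgkey=` entry pointing at the KEYS file. Please add a short sample `.repo` stanza showing `gpgcheck=1`, `repo_gpgcheck=1` and `gpgkey=https://www.apache.org/dist/cassandra/KEYS` together, so that the two settings mentioned in this section are documented in one place. For the manual `rpm --import https://www.apache.org/dist/cassandra/KEYS` step, it would help to tell readers to compare the imported key fingerprints against a trusted source before relying on the "OK" from `rpm -K`. Style: the `rpmsign -D '%_gpg_name MyAlias' --addsign ...` example is written as triple backticks on a single line with no blank line before it, unlike the two fenced blocks that follow, and should use the same fenced form. Wording: "should be build" should read "should be built", "the later option" should read "the latter option", and "requires to import the public keys" reads better as "requires importing the public keys". The Debian subsection only points at `cassandra-release/prepare_release.sh`; a link or the relevant `debsign` invocation would make it usable without a second checkout.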

