[ 
https://issues.apache.org/jira/browse/CASSANDRA-13440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15972550#comment-15972550
 ] 

Stefan Podkowinski commented on CASSANDRA-13440:
------------------------------------------------


Signatures can be used for both repository transport integrity protection and 
end-to-end content verification. 

Providing a signature for {{repomd.xml}} allows clients to verify the 
repository's meta-data. But you'll have to enable this by adding 
{{repo_gpgcheck=1}} to the yum config. 

Individual package files can also contain a signature in the RPM header. This 
can be done either during the build process ({{rpmbuild --sign}}) or afterwards 
on the final artifact. As the RPM should be built using docker and just create 
the RPMs at the end without intervention, we probably have to go with the latter 
option here. I'd suggest using the rpmsign wrapper ({{yum install rpm-sign}}) 
and running it on the package, e.g.:
{{rpmsign -D '%_gpg_name MyAlias' --addsign cassandra-3.0.13-1.noarch.rpm}}

Verifying package signatures requires importing the public keys first:
{{rpm --import https://www.apache.org/dist/cassandra/KEYS}}

Afterwards the following command should report "OK" for included hashes and gpg 
signatures:
{{rpm -K cassandra-3.0.13-1.noarch.rpm}}

Once the RPM is signed, we can enable {{gpgcheck=1}} again for the repo config. 
If enabled, both the key import and verification steps should take place 
automatically during installation from the yum repo.
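The sign / import / verify / gpgcheck sequence from the comment above, written out as an added shell example (it is not code from the ticket or from the Cassandra project). The signing and verification functions assume the rpm-sign package and the Apache KEYS file from the comment; the key alias {{MyAlias}} and the repo {{baseurl}} are placeholders, and the {{rpm -K}} output lines used to exercise the classifier are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the ticket: sign an already-built RPM, import the
# project keys, verify the package, and emit a yum repo stanza with both
# package and metadata signature checks enabled.

KEYS_URL="https://www.apache.org/dist/cassandra/KEYS"

# Sign the final artifact after the build with rpmsign --addsign.
# The second argument is the gpg key alias; "MyAlias" is a placeholder.
sign_rpm() {
    rpm_file="$1"; gpg_name="${2:-MyAlias}"
    rpmsign -D "%_gpg_name $gpg_name" --addsign "$rpm_file"
}

# Import the project's public keys into the rpm keyring (rpm accepts a URL).
import_keys() {
    rpm --import "$KEYS_URL"
}

# Classify one line of `rpm -K` output.
#   returns 0: digests and a gpg/pgp signature all report OK
#   returns 2: digests OK but no signature present (unsigned package)
#   returns 1: anything reporting NOT OK, or unrecognised output
# Older rpm prints "... pgp md5 OK", newer rpm prints "... digests signatures OK".
check_rpm_k_line() {
    line="$1"
    case "$line" in
        *"NOT OK"*)                   return 1 ;;
        *pgp*OK*|*signatures*OK*)     return 0 ;;
        *OK*)                         return 2 ;;
        *)                            return 1 ;;
    esac
}

# Run `rpm -K` on a package and fail unless hashes AND signature are OK.
verify_rpm() {
    out=$(rpm -K "$1") || true
    printf '%s\n' "$out"
    check_rpm_k_line "$out"
}

# Yum repo stanza: gpgcheck=1 verifies each package's header signature,
# repo_gpgcheck=1 verifies the signed repomd.xml, gpgkey points yum at the
# keys so the import happens automatically on install.
# The baseurl below is a placeholder, not the real repository location.
repo_config() {
    cat <<'EOF'
[cassandra]
name=Apache Cassandra
baseurl=https://example.invalid/cassandra/redhat/
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://www.apache.org/dist/cassandra/KEYS
EOF
}

# Usage: ./sign-and-verify.sh cassandra-3.0.13-1.noarch.rpm [KeyAlias]
if [ "$#" -gt 0 ]; then
    sign_rpm "$1" "${2:-MyAlias}"
    import_keys
    verify_rpm "$1"
fi
```

The classifier deliberately treats an unsigned-but-intact package as a distinct failure (exit 2) from a tampered or untrusted one (exit 1): with plain {{rpm -K}} a package that was never signed still prints "OK" for its digests, so a check that only greps for "OK" would pass unsigned artifacts.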

> Sign RPM artifacts
> ------------------
>
>                 Key: CASSANDRA-13440
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13440
>             Project: Cassandra
>          Issue Type: Sub-task
>          Components: Packaging
>            Reporter: Stefan Podkowinski
>
> RPMs should be gpg signed just as the deb packages. Also add documentation 
> how to verify to download page.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)