Hello all, I work with a tech company where we're trying to establish a pristine build environment for all of our products. As part of this, we are looking to create a Jenkins CI server from scratch using the most secure methods possible. This would be on an underlying CentOS 6.2 machine. From reading the guide on installing Jenkins on CentOS/RedHat, I see that the package and the key are both obtained over HTTP, as:

    wget -O /etc/yum.repos.d/jenkins.repo http://pkg.jenkins-ci.org/redhat/jenkins.repo
    rpm --import http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key

This raises the possibility of a man-in-the-middle attack compromising the integrity of the repo, the key, or both. To avoid this, is there a way to obtain the package and the key securely? This could be over HTTPS or SFTP, or by exchanging PGP keys with the owner and then transporting it over email. If there's a better place to post this question, please let me know.

Thanks,
Abhijith
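One way to close the gap the post describes, as an added example that is not the poster's or the Jenkins project's own code: fetch the repo file and signing key over HTTPS only, compare the key's fingerprint against a value pinned out of band before importing it, and refuse a repo file that does not set gpgcheck=1. It assumes the same host serves these paths over HTTPS, and the PINNED_FPR value is a placeholder the reader must replace.

```shell
#!/bin/sh
# Added example (not the original post's or Jenkins project's code): fetch the
# repo file and key over HTTPS, pin the key fingerprint, enforce gpgcheck.
set -eu

# ASSUMPTION: the same host serves these paths over HTTPS.
JENKINS_REPO_URL="https://pkg.jenkins-ci.org/redhat/jenkins.repo"
JENKINS_KEY_URL="https://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key"
# PLACEHOLDER: obtain the real fingerprint out of band and paste it here.
PINNED_FPR="REPLACE_WITH_FINGERPRINT_OBTAINED_OUT_OF_BAND"
# Refuse plain-http URLs: that is exactly the MITM exposure in question.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# Strip whitespace and upper-case so "ab cd" and "ABCD" compare equal.
norm_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'; }

# Succeed only when the observed fingerprint equals the pinned one.
fpr_matches() { [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]; }

# Primary-key fingerprint of an ASCII-armoured key file, without importing.
key_fingerprint() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# True when the repo file tells yum to verify package signatures.
repo_has_gpgcheck() { grep -q '^gpgcheck=1' "$1"; }

install_repo() {
    require_https "$JENKINS_REPO_URL"; require_https "$JENKINS_KEY_URL"
    tmp=$(mktemp -d)
    wget -q -O "$tmp/jenkins.repo" "$JENKINS_REPO_URL"  # wget verifies the cert
    wget -q -O "$tmp/jenkins.key" "$JENKINS_KEY_URL"
    observed=$(key_fingerprint "$tmp/jenkins.key")
    fpr_matches "$observed" "$PINNED_FPR" ||
        { echo "key fingerprint mismatch: $observed" >&2; return 1; }
    repo_has_gpgcheck "$tmp/jenkins.repo" ||
        { echo "repo file does not set gpgcheck=1" >&2; return 1; }
    rpm --import "$tmp/jenkins.key"
    install -m 0644 "$tmp/jenkins.repo" /etc/yum.repos.d/jenkins.repo
    rm -rf "$tmp"
}
# Only act when asked, so the functions can be sourced or tested safely.
if [ "${1:-}" = "--install" ]; then install_repo; fi
```

Run it as `sh script.sh --install` on the target host once the placeholder fingerprint has been replaced; without the flag it only defines the functions.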
