[jira] [Commented] (CASSANDRA-14968) Investigate GPG signing of deb and rpm repositories via bintray
[
https://issues.apache.org/jira/browse/CASSANDRA-14968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16760645#comment-16760645
]
mck commented on CASSANDRA-14968:
-
[~mshuler],
{quote}I personally would not upload my private key anywhere, regardless of
what ASF's opinion on that might be{quote}
You're correct in your opinion. The ASF forbids the private key that's used to
even be stored on ASF hardware. It must be stored on your machine, and for it
to be a machine you have full admin control over.
http://www.apache.org/dev/release-signing.html#basic-facts
http://www.apache.org/dev/release-distribution.html#sigs-and-sums
> Investigate GPG signing of deb and rpm repositories via bintray
> ---
>
> Key: CASSANDRA-14968
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14968
> Project: Cassandra
> Issue Type: Bug
>Reporter: Michael Shuler
>Priority: Major
> Labels: packaging
>
> Currently, the release manager uploads debian packages and built/signed
> metadata to a generic bintray repository. Perhaps we could utilize the GPG
> signing feature of the repository, post-upload, via the bintray GPG signing
> feature.
> https://www.jfrog.com/confluence/display/BT/Managing+Uploaded+Content#ManagingUploadedContent-GPGSigning
> Depends on CASSANDRA-14967
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-14968) Investigate GPG signing of deb and rpm repositories via bintray
[ https://issues.apache.org/jira/browse/CASSANDRA-14968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16750077#comment-16750077 ] Michael Shuler commented on CASSANDRA-14968: Keep it simple. We do 2 things with rpms: we sign the packages, we sign the repository metadata. I have no idea without testing in a scratch repo at bintray if those can be different signatures, if the existing rpm signature is overwritten, etc. What I did test was installing ignite from the instructions on their download page. The repository metadata is signed by bintray key, and yes, the metadata would need to be created after packages are upload, then that metadata would be signed by the bintray key after that step. > Investigate GPG signing of deb and rpm repositories via bintray > --- > > Key: CASSANDRA-14968 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14968 > Project: Cassandra > Issue Type: Bug >Reporter: Michael Shuler >Priority: Major > Labels: packaging > > Currently, the release manager uploads debian packages and built/signed > metadata to a generic bintray repository. Perhaps we could utilize the GPG > signing feature of the repository, post-upload, via the bintray GPG signing > feature. > https://www.jfrog.com/confluence/display/BT/Managing+Uploaded+Content#ManagingUploadedContent-GPGSigning > Depends on CASSANDRA-14967 -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-14968) Investigate GPG signing of deb and rpm repositories via bintray
[
https://issues.apache.org/jira/browse/CASSANDRA-14968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16738481#comment-16738481
]
Stefan Podkowinski commented on CASSANDRA-14968:
So what we're currently doing is to add signatures at two places: as part of
the package metadata and for the repository metadata. Handling the first is
what confuses me the most at the moment. Take the RPMs for example:
{code}
rpm -K cassandra-3.11.3-1.noarch.rpm
cassandra-3.11.3-1.noarch.rpm: digests SIGNATURES NOT OK
rpm --import https://www.apache.org/dist/cassandra/KEYS
rpm -K cassandra-3.11.3-1.noarch.rpm
cassandra-3.11.3-1.noarch.rpm: digests signatures OK
{code}
As you can see, we can verify the signature that comes with the RPM by
importing the KEYS file.
But I couldn't get this to work for ignite at all. Even after importing both
their own KEYS and the Bintray/JFrog key.
{code}
rpm --import KEYS ignite-key.asc
rpm -K apache-ignite-2.7.0-1.noarch.rpm
apache-ignite-2.7.0-1.noarch.rpm: digests SIGNATURES NOT OK
{code}
Maybe I'm just missing something here and the package can be installed just
fine from the Bintray yum repo, even with gpgcheck=1. I wasn't able to test
this directly yet.
My question is, does Bintray do a debsign/rpmsign with their own key, after
uploading an artifact? Or does it just create the dettached .asc signatures for
packages and repo metadata?
> Investigate GPG signing of deb and rpm repositories via bintray
> ---
>
> Key: CASSANDRA-14968
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14968
> Project: Cassandra
> Issue Type: Bug
>Reporter: Michael Shuler
>Priority: Major
> Labels: packaging
>
> Currently, the release manager uploads debian packages and built/signed
> metadata to a generic bintray repository. Perhaps we could utilize the GPG
> signing feature of the repository, post-upload, via the bintray GPG signing
> feature.
> https://www.jfrog.com/confluence/display/BT/Managing+Uploaded+Content#ManagingUploadedContent-GPGSigning
> Depends on CASSANDRA-14967
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-14968) Investigate GPG signing of deb and rpm repositories via bintray
[
https://issues.apache.org/jira/browse/CASSANDRA-14968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16738342#comment-16738342
]
Michael Shuler commented on CASSANDRA-14968:
The apache bintray organization for people to research:
https://bintray.com/apache
An example of an apache project using bintray for both rpm and deb repositories
for people to research:
https://ignite.apache.org/download.cgi#rpm-package
https://ignite.apache.org/download.cgi#deb-package
The deb repo for ignite:
https://bintray.com/apache/ignite-deb/apache-ignite#files/dists%2Fapache-ignite
Checking gpg signature on deb repo and metadata that apt/apt-get/aptitude
clients use to verify integrity of install files, after downloading those files
from bintray manually:
{noformat}
mshuler@hana:~/tmp$ ls -l apache-ignite_*
-rw-r--r-- 1 mshuler mshuler 2154 Jan 9 09:30 apache-ignite_Packages
-rw-r--r-- 1 mshuler mshuler 2679 Jan 9 09:18 apache-ignite_Release
-rw-r--r-- 1 mshuler mshuler 821 Jan 9 09:15 apache-ignite_Release.gpg
mshuler@hana:~/tmp$
mshuler@hana:~/tmp$ gpg apache-ignite_Release.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
Detached signature.
Please enter name of data file: apache-ignite_Release
gpg: Signature made Thu 06 Dec 2018 05:36:26 AM CST
gpg:using RSA key 379CE192D401AB61
gpg: please do a --check-trustdb
gpg: Good signature from "Bintray (by JFrog) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8756 C4F7 65C9 AC3C B6B8 5D62 379C E192 D401 AB61
mshuler@hana:~/tmp$
mshuler@hana:~/tmp$ cat apache-ignite_Release
Origin: Bintray
Label: Bintray
Suite: apache-ignite
Codename: apache-ignite
Date: Thu, 06 Dec 2018 11:36:25 UTC
Components: main
Architectures: amd64 i386
MD5Sum:
d14dd7acdcef58e0e2948f808abb3a31 2154 main/binary-all/Packages
c39c9e7aa83bbad644183f6debc02724 860 main/binary-all/Packages.bz2
29ebf0da941a3982a75772b16cf83ddd 706 main/binary-all/Packages.gz
d14dd7acdcef58e0e2948f808abb3a31 2154 main/binary-amd64/Packages
c39c9e7aa83bbad644183f6debc02724 860
main/binary-amd64/Packages.bz2
29ebf0da941a3982a75772b16cf83ddd 706 main/binary-amd64/Packages.gz
d14dd7acdcef58e0e2948f808abb3a31 2154 main/binary-i386/Packages
c39c9e7aa83bbad644183f6debc02724 860 main/binary-i386/Packages.bz2
29ebf0da941a3982a75772b16cf83ddd 706 main/binary-i386/Packages.gz
SHA1:
44898d38972f335a1feacafb5454db519fa736e7 2154
main/binary-all/Packages
1c1a0dfe332475028497b971a0bb1afb88a417d5 860
main/binary-all/Packages.bz2
e332c6b43880cb4c26af408626748c702a230d10 706
main/binary-all/Packages.gz
44898d38972f335a1feacafb5454db519fa736e7 2154
main/binary-amd64/Packages
1c1a0dfe332475028497b971a0bb1afb88a417d5 860
main/binary-amd64/Packages.bz2
e332c6b43880cb4c26af408626748c702a230d10 706
main/binary-amd64/Packages.gz
44898d38972f335a1feacafb5454db519fa736e7 2154
main/binary-i386/Packages
1c1a0dfe332475028497b971a0bb1afb88a417d5 860
main/binary-i386/Packages.bz2
e332c6b43880cb4c26af408626748c702a230d10 706
main/binary-i386/Packages.gz
SHA256:
6a7e79cd5a3619255d8f304a3870c66f8a58c9deca490b4a08ce2ae69a2b3c84
2154 main/binary-all/Packages
dcc398c50f740ec627476c492702fd1fa21490b44fe88de64970a6f174d372f2
860 main/binary-all/Packages.bz2
0cac69595f66c9cebabcd36f4215aa31371241bebc57ae4a497a9fdc0c7a1d82
706 main/binary-all/Packages.gz
6a7e79cd5a3619255d8f304a3870c66f8a58c9deca490b4a08ce2ae69a2b3c84
2154 main/binary-amd64/Packages
dcc398c50f740ec627476c492702fd1fa21490b44fe88de64970a6f174d372f2
860 main/binary-amd64/Packages.bz2
0cac69595f66c9cebabcd36f4215aa31371241bebc57ae4a497a9fdc0c7a1d82
706 main/binary-amd64/Packages.gz
6a7e79cd5a3619255d8f304a3870c66f8a58c9deca490b4a08ce2ae69a2b3c84
2154 main/binary-i386/Packages
dcc398c50f740ec627476c492702fd1fa21490b44fe88de64970a6f174d372f2
860 main/binary-i386/Packages.bz2
0cac69595f66c9cebabcd36f4215aa31371241bebc57ae4a497a9fdc0c7a1d82
706 main/binary-i386/Packages.gz
mshuler@hana:~/tmp$
mshuler@hana:~/tmp$ cat apache-ignite_Packages
Package: apache-ignite
Version: 2.5.0-1
Architecture: all
Maintainer: Petr Ivanov
Installed-Size: 431627
Depends: openjdk-8-jdk | oracle-java8-installer, systemd, passwd
Section: misc
Priority: optional
Homepage: https://ignite.apache.org
Description: Apache Ignite In-Memory Computing, Database and Caching Platform
Ignite™ is a memory-centric distributed database, caching, and processing
platform for
[jira] [Commented] (CASSANDRA-14968) Investigate GPG signing of deb and rpm repositories via bintray
[ https://issues.apache.org/jira/browse/CASSANDRA-14968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16738235#comment-16738235 ] Stefan Podkowinski commented on CASSANDRA-14968: How would you verify the integrity of builds that come with such bintray signatures, without reproducable builds? How would we make sure that only official releases will be signed with the uploaded key? > Investigate GPG signing of deb and rpm repositories via bintray > --- > > Key: CASSANDRA-14968 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14968 > Project: Cassandra > Issue Type: Bug >Reporter: Michael Shuler >Priority: Major > Labels: packaging > > Currently, the release manager uploads debian packages and built/signed > metadata to a generic bintray repository. Perhaps we could utilize the GPG > signing feature of the repository, post-upload, via the bintray GPG signing > feature. > https://www.jfrog.com/confluence/display/BT/Managing+Uploaded+Content#ManagingUploadedContent-GPGSigning > Depends on CASSANDRA-14967 -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-14968) Investigate GPG signing of deb and rpm repositories via bintray
[ https://issues.apache.org/jira/browse/CASSANDRA-14968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16737654#comment-16737654 ] Michael Shuler commented on CASSANDRA-14968: The apache organization there has a key - I don't know if it would be feasible to use the org key to sign the repositories? Individual users can upload public (and private (eww..)) keys and the API for bintray includes notes about signing via curl POST calls. I personally would not upload my private key anywhere, regardless of what ASF's opinion on that might be. Uploading a public key so the repo makes it available for download is pretty normal, then the signing portion (I guess) can be done offline(?) and uploaded. I don't know all the ins and outs of how it works. This is precisely why this ticket suggests investigating the topic. Is this something you would like assigned to you? > Investigate GPG signing of deb and rpm repositories via bintray > --- > > Key: CASSANDRA-14968 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14968 > Project: Cassandra > Issue Type: Bug >Reporter: Michael Shuler >Priority: Major > Labels: packaging > > Currently, the release manager uploads debian packages and built/signed > metadata to a generic bintray repository. Perhaps we could utilize the GPG > signing feature of the repository, post-upload, via the bintray GPG signing > feature. > https://www.jfrog.com/confluence/display/BT/Managing+Uploaded+Content#ManagingUploadedContent-GPGSigning > Depends on CASSANDRA-14967 -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-14968) Investigate GPG signing of deb and rpm repositories via bintray
[ https://issues.apache.org/jira/browse/CASSANDRA-14968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16737603#comment-16737603 ] mck commented on CASSANDRA-14968: - I don't think ASF permits/encourages shared (or even uploaded?) private keys? This needs to be checked. > Investigate GPG signing of deb and rpm repositories via bintray > --- > > Key: CASSANDRA-14968 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14968 > Project: Cassandra > Issue Type: Bug >Reporter: Michael Shuler >Priority: Major > Labels: packaging > > Currently, the release manager uploads debian packages and built/signed > metadata to a generic bintray repository. Perhaps we could utilize the GPG > signing feature of the repository, post-upload, via the bintray GPG signing > feature. > https://www.jfrog.com/confluence/display/BT/Managing+Uploaded+Content#ManagingUploadedContent-GPGSigning > Depends on CASSANDRA-14967 -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
