Hello, I was wondering if the Varnish maintainers would consider adding GPG signatures to the packages in the Varnish 4.1 repository (https://packagecloud.io/varnishcache/varnish41/el/7/x86_64). It would increase the level of confidence that those packages have not been tampered with since being built. For custom repositories I maintain, it is as simple as running the following in the appropriate directory after the build process is complete, though, admittedly, I'm unfamiliar with the build process in use on your side.

    rpmsign -D '_gpg_name [email protected]' --addsign *.rpm

Also, I contacted the folks at packagecloud.io first -- they recommended I share that they also have some support for GPG (public) keys. They gave me this link:

https://blog.packagecloud.io/eng/2017/06/08/announcing-package-signing-gpg-key-support/

However, I'd most like to have signatures embedded in the packages so I can set gpgcheck=1 in my yum repository configuration.

Thank you!

--James

_______________________________________________
varnish-misc mailing list
[email protected]
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
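
Added example, not part of the original message or of the Varnish project: yum has two separate switches, gpgcheck (verifies the signature embedded in each RPM, which is what the message asks for) and repo_gpgcheck (verifies the signed repository metadata). The sketch below audits .repo text for both; the section names, the gpgkey path and the function name are constructed for illustration, and a missing gpgcheck is assumed to fall back to a caller-supplied [main] default.

```python
import configparser

# Constructed sample .repo content (not the project's published file).
SAMPLE_REPO = """\
[varnish41-metadata-only]
baseurl=https://packagecloud.io/varnishcache/varnish41/el/7/x86_64
repo_gpgcheck=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[varnish41-signed-packages]
baseurl=https://packagecloud.io/varnishcache/varnish41/el/7/x86_64
repo_gpgcheck=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[local-no-key]
baseurl=file:///srv/repo
gpgcheck=1
"""


def audit_repo_text(text, main_gpgcheck=False):
    """Return {repo_id: [findings]} for every repository section in text."""
    # interpolation=None: baseurl values may contain '%' or '$releasever'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        if repo == "main":  # global yum settings, not a repository
            continue
        sec = cp[repo]
        pkg = sec.getboolean("gpgcheck", fallback=main_gpgcheck)
        meta = sec.getboolean("repo_gpgcheck", fallback=False)
        has_key = bool(sec.get("gpgkey", fallback="").strip())
        findings = []
        if not pkg:
            findings.append("package signatures not checked")
        if not meta:
            findings.append("repository metadata signature not checked")
        if (pkg or meta) and not has_key:
            findings.append("no gpgkey set; key must already be in the rpm keyring")
        report[repo] = findings
    return report


if __name__ == "__main__":
    for repo, findings in audit_repo_text(SAMPLE_REPO).items():
        print(repo, "->", "; ".join(findings) or "ok")
```
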
