Sign rpm packages
Fixes #1054 (closed)
I guess we can place the public gpg key on the download page.
We need to test this out, builds are in https://dev.gitlab.org/gitlab/omnibus-gitlab/builds/130142
@twk3 didn't upload it anywhere yet, try this pubring.gpg
Edited by Marin Jankovski

@marin Didn't seem to work for me:

```console
$ sudo rpm --import pubring.gpg
error: pubring.gpg: key 1 not an armored public key.
```
@twk3 bah! Thanks for checking, I guess something is wrong with the key. Will check it out at some point again.
Edited by Marin Jankovski

@twk3 Could you try again with both CentOS versions from https://dev.gitlab.org/gitlab/omnibus-gitlab/pipelines/20879, but now using this key, pub.gpg?
@marin Works on CentOS 6, still not working on CentOS 7:

```console
$ rpm -Kv gitlab-ce-8.1.0%2Bgit.1157.fd8f655-rc1.ce.0.el7.x86_64.rpm
gitlab-ce-8.1.0%2Bgit.1157.fd8f655-rc1.ce.0.el7.x86_64.rpm:
    Header V4 RSA/SHA1 Signature, key ID a9f444f4: NOKEY
    Header SHA1 digest: OK (15dbdfcda902f757412da19d86ed0401cf58b31d)
    V4 RSA/SHA1 Signature, key ID a9f444f4: NOKEY
    MD5 digest: OK (384cfdbb5c406a9e69e3a61bd19c44dc)
```
With https://dev.gitlab.org/gitlab/omnibus-gitlab/builds/138346 and the public key:

CentOS 6

```console
$ rpm -Kv gitlab-ce-8.1.0+git.1157.fd8f655-rc1.ce.0.el6.x86_64.rpm
gitlab-ce-8.1.0+git.1157.fd8f655-rc1.ce.0.el6.x86_64.rpm:
    Header V4 RSA/SHA1 Signature, key ID c0207d21: OK
    Header SHA1 digest: OK (c879fe5f8b7cb30f9d558dfa6eeb4f2faff08b94)
    V4 RSA/SHA1 Signature, key ID c0207d21: OK
    MD5 digest: OK (340da2abf1c48e80a14341cfa10550a9)
[root@localhost]# cat /etc/redhat-release
CentOS release 6.7 (Final)
```

CentOS 7

```console
$ rpm -Kv gitlab-ce-8.1.0+git.1157.fd8f655-rc1.ce.0.el7.x86_64.rpm
gitlab-ce-8.1.0+git.1157.fd8f655-rc1.ce.0.el7.x86_64.rpm:
    Header V4 RSA/SHA1 Signature, key ID c0207d21: OK
    Header SHA1 digest: OK (e28c6876a68eb9f08034315f4d1efce6e3f24a14)
    V4 RSA/SHA1 Signature, key ID c0207d21: OK
    MD5 digest: OK (5d57cd67808df7a835181980c7cfda4b)
[root@localhost ]# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
```
Bingo?
So now to check how we could add this to be usable for everyone. Our package server currently only does repository gpg verification:

```ini
[gitlab_gitlab-ce]
name=gitlab_gitlab-ce
baseurl=https://packages.gitlab.com/gitlab/gitlab-ce/el/6/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
```
According to the yum man page we can specify multiple keys like:

```ini
gpgkey=https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey https://packages.gitlab.com/gitlab/gitlab-ce/Anotherkey
```

and also enable

```ini
gpgcheck=1
```

Now the question is whether this is configurable at our package server and whether adding this will break existing installations (no reason why it would, but it needs to be checked).
Doesn't look like it, according to https://packages.gitlab.com/app/gitlab/gitlab-ce/gpg . I will reach out to support. => https://gitlab.zendesk.com/agent/tickets/34474
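The checks discussed in this thread, as an added example that is not omnibus-gitlab code and not something anyone in the discussion posted: a small POSIX sh script that classifies `rpm -Kv` output (the NOKEY result seen on the CentOS 7 box before the key was imported, versus OK afterwards), additionally insists that the signature carries the key ID we actually published (the key was regenerated during this work, so the ID changed from a9f444f4 to c0207d21), and prints the repo stanza above with `gpgcheck=1` and two `gpgkey` URLs. `EXPECTED_KEY_ID`, the `verify_rpm` wrapper and the `Anotherkey` URL are placeholders, and the sample outputs are constructed from the lines quoted in this thread.

```shell
#!/bin/sh
# Added example, not omnibus-gitlab code. Two pieces:
#  1. rpm_sig_status: classify `rpm -Kv` output and require a specific signing key ID
#  2. repo_config:    the yum stanza from the thread with package gpgcheck turned on
# Placeholders (assumptions, not project facts): EXPECTED_KEY_ID and the
# "Anotherkey" URL are illustrative; the key IDs in the samples are the ones quoted above.

# Severity ranking for verification results: OK < WRONGKEY < NOKEY < BAD
rank_of() {
    case $1 in
        OK) printf 0 ;; WRONGKEY) printf 1 ;; NOKEY) printf 2 ;; BAD) printf 3 ;;
    esac
}
rank_max() {
    if [ "$(rank_of "$1")" -ge "$(rank_of "$2")" ]; then printf '%s' "$1"; else printf '%s' "$2"; fi
}

# rpm_sig_status EXPECTED_KEY_ID  < output of `rpm -Kv pkg.rpm`
# Prints one word:
#   BAD       a signature or digest line is not OK (corrupt or tampered package)
#   NOKEY     rpm has no key for the signature: nothing imported, or the import
#             failed the way the binary pubring.gpg did above
#   WRONGKEY  the signature verifies, but with a key other than EXPECTED_KEY_ID
#   OK        every signature line is OK and carries EXPECTED_KEY_ID
rpm_sig_status() {
    expected=$1
    worst=OK
    while IFS= read -r line; do
        case $line in
            *"Signature, key ID "*)
                keyid=${line##*key ID }   # "c0207d21: OK"
                keyid=${keyid%%:*}        # "c0207d21"
                result=${line##*: }       # "OK" / "NOKEY" / "BAD"
                case $result in
                    OK)    [ "$keyid" = "$expected" ] || worst=$(rank_max "$worst" WRONGKEY) ;;
                    NOKEY) worst=$(rank_max "$worst" NOKEY) ;;
                    *)     worst=BAD ;;
                esac ;;
            *" digest: OK"*) ;;           # Header SHA1 / MD5 digest lines
            *" digest: "*)  worst=BAD ;;
        esac
    done
    printf '%s\n' "$worst"
}

# Real-world wrapper (placeholder): needs rpm and an ASCII-armored key imported first:
#   gpg --armor --export c0207d21 > gitlab.gpg && sudo rpm --import gitlab.gpg
# Exits 0 only when rpm_sig_status says OK.
verify_rpm() {
    [ "$(rpm -Kv "$1" | rpm_sig_status "$2")" = OK ]
}

# The /etc/yum.repos.d stanza from the thread with package signature checking
# enabled (gpgcheck=1) and both keys listed; the second URL is a placeholder.
repo_config() {
    cat <<'EOF'
[gitlab_gitlab-ce]
name=gitlab_gitlab-ce
baseurl=https://packages.gitlab.com/gitlab/gitlab-ce/el/6/$basearch
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey https://packages.gitlab.com/gitlab/gitlab-ce/Anotherkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
EOF
}

# Constructed sample outputs, taken from the CentOS 7 runs quoted above.
sample_nokey() {
    cat <<'EOF'
Header V4 RSA/SHA1 Signature, key ID a9f444f4: NOKEY
Header SHA1 digest: OK (15dbdfcda902f757412da19d86ed0401cf58b31d)
V4 RSA/SHA1 Signature, key ID a9f444f4: NOKEY
MD5 digest: OK (384cfdbb5c406a9e69e3a61bd19c44dc)
EOF
}
sample_ok() {
    cat <<'EOF'
Header V4 RSA/SHA1 Signature, key ID c0207d21: OK
Header SHA1 digest: OK (e28c6876a68eb9f08034315f4d1efce6e3f24a14)
V4 RSA/SHA1 Signature, key ID c0207d21: OK
MD5 digest: OK (5d57cd67808df7a835181980c7cfda4b)
EOF
}

EXPECTED_KEY_ID=c0207d21   # placeholder: the short ID of the key published on the download page
echo "before import: $(sample_nokey | rpm_sig_status "$EXPECTED_KEY_ID")"   # NOKEY
echo "after import:  $(sample_ok    | rpm_sig_status "$EXPECTED_KEY_ID")"   # OK
echo "old key:       $(sample_ok    | rpm_sig_status a9f444f4)"             # WRONGKEY
```

The point of the WRONGKEY state is that `rpm -K` alone only tells you the signature matches some key in the rpm database; if a stale or attacker-imported key is present, verification still prints OK, so pin the key ID you expect. `rpm_sig_status` reads the verbose output rather than relying on rpm's exit status, so it works the same on the el6 and el7 rpm versions shown above.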
Edited by Marin Jankovski

@twk3 I needed to regenerate the key and change some of the initial settings I'd put in place when creating the key.
mentioned in issue #1054 (closed)
mentioned in issue #2537 (closed)
mentioned in merge request !1752 (closed)
For those following, my work to include this feature out of the box with Omnibus itself is at omnibus!7 (merged)
mentioned in merge request !1771 (merged)
Closing because !1771 (merged) was merged.