StackStorm / st2-packages

StackStorm deb/rpm packages (automated docker build pipeline)
https://stackstorm.com/

Sign packages, turn on GPG verification #303

Open lakshmi-kannan opened 8 years ago

lakshmi-kannan commented 8 years ago

According to packagecloud, they only sign the package metadata. GPG verification is turned off on packages explicitly. I think we need to start signing those packages via st2-packages before shipping them to packagecloud. We also need to add a step in the install script to download the st2 GPG keys and install them. Also, figure out how to turn on GPG verification with packagecloud.

[StackStorm_stable]
name=StackStorm_stable
baseurl=https://packagecloud.io/StackStorm/stable/el/7/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/StackStorm/stable/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt

[StackStorm_stable-source]
name=StackStorm_stable-source
baseurl=https://packagecloud.io/StackStorm/stable/el/7/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/StackStorm/stable/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
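
As an added example (not code from this issue or the st2-packages project), a small Python audit of the repo definition quoted above. It treats a missing gpgcheck or repo_gpgcheck as 0, which is the yum/dnf default, flags enabled sections where individual packages would be installed without signature verification, and emits a hardened copy with gpgcheck=1 and repo_gpgcheck=1. The embedded repo text is a constructed copy of the two sections above; the function names are this example's own.

```python
"""Audit yum/dnf .repo files for disabled GPG verification (added example)."""
import configparser
import io

# Constructed sample: the StackStorm_stable repo definitions quoted in the issue.
# repo_gpgcheck=1 verifies the signed repository metadata, but gpgcheck=0 means
# the RPMs themselves are never checked against a signature.
WEAK_REPO = """\
[StackStorm_stable]
name=StackStorm_stable
baseurl=https://packagecloud.io/StackStorm/stable/el/7/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/StackStorm/stable/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt

[StackStorm_stable-source]
name=StackStorm_stable-source
baseurl=https://packagecloud.io/StackStorm/stable/el/7/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/StackStorm/stable/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
"""


def parse_repo(text):
    """Parse .repo text; interpolation is off so $basearch is kept literally."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_repo(text):
    """Map each enabled section to its verification weaknesses ([] means OK)."""
    cp = parse_repo(text)
    findings = {}
    for name in cp.sections():
        sec = cp[name]
        if sec.get("enabled", "1") != "1":
            continue  # disabled repos are never consulted
        issues = []
        # yum and dnf both default gpgcheck and repo_gpgcheck to 0 when absent
        if sec.get("gpgcheck", "0") != "1":
            issues.append("gpgcheck=0")  # package signatures not verified
        if sec.get("repo_gpgcheck", "0") != "1":
            issues.append("repo_gpgcheck=0")  # metadata signature not verified
        if len(issues) < 2 and not sec.get("gpgkey"):
            issues.append("gpgkey missing")  # a check is on but no key to trust
        if sec.get("sslverify", "1") != "1":
            issues.append("sslverify=0")  # transport integrity also disabled
        findings[name] = issues
    return findings


def harden_repo(text):
    """Return the repo text with both GPG checks forced on in every section.

    This only flips the flags; a section that lacks a gpgkey still needs one
    added (and the key fingerprint confirmed out of band) before it is useful.
    """
    cp = parse_repo(text)
    for name in cp.sections():
        cp[name]["gpgcheck"] = "1"
        cp[name]["repo_gpgcheck"] = "1"
    buf = io.StringIO()
    cp.write(buf, space_around_delimiters=False)
    return buf.getvalue()


if __name__ == "__main__":
    for section, issues in audit_repo(WEAK_REPO).items():
        print(section, "->", ", ".join(issues) or "OK")
    print(harden_repo(WEAK_REPO))
```

The audit separates the two layers the thread is discussing: repo_gpgcheck covers the signed metadata (and, through the checksums in it, the package contents), while gpgcheck covers the per-RPM signature that a client can verify independently of the repo. Turning gpgcheck on only helps once the packages are actually signed with a key the install script has imported.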

Kami commented 8 years ago

Yeah, signing the packages with our key would be great.

arm4b commented 8 years ago

According to http://blog.packagecloud.io/eng/2015/07/20/yum-repository-internals/

yum repository metadata is structured as a series of XML files, that contain checksums of other files, and the packages to which they refer.

So the repo metadata is GPG signed, and file checksums are in that signed metadata. Doesn't look bad.

IF signing the metadata is NOT enough, then you need:

lakshmi-kannan commented 8 years ago

@armab Yep, I was on their channel and someone else had the same questions. And yep, 1-4 is what I had in mind.

arm4b commented 6 years ago

Seems now it's possible to import your own GPG key for a repo, the PackageCloud feature announced in Jun 2017: https://blog.packagecloud.io/eng/2017/06/08/announcing-package-signing-gpg-key-support/

With this, we can potentially sign the packages during the build with our own key before uploading.

Note: this question was raised in #community Slack by Adobe

lakshmi-kannan commented 6 years ago

Awesome! We should do this ASAP. Bring this up as part of 18.04 support work we'll do.