k3s-io / k3s-selinux

SELinux policy for k3s
Apache License 2.0

Verifying release RPMs is not possible #17

Closed JeffreyVdb closed 2 years ago

JeffreyVdb commented 3 years ago

I am trying to create a CI pipeline that downloads a certain RPM version from releases. There doesn't seem to be a way to verify the downloaded RPM. From the drone.yml file I can see that there is a signing process for the RPM packages, but a public key isn't mentioned anywhere.

There is a checksum file available for every release, but we cannot verify whether these hashes are generated by a trusted instance. For this we would need a signed signature file as well.

Perhaps I'm missing something.

Oats87 commented 2 years ago

Jeffrey,

Sorry for the late response on this. The public key for the signed RPMs is at https://rpm.rancher.io/public.key

dweomer commented 2 years ago

Fixed via https://github.com/k3s-io/k3s-selinux/commit/e4307b98dd1e4c1d9a1cdb09af8b48ad1e91f8f5
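Turning Oats87's pointer into a CI check, as an added example (this is not code from the k3s-selinux repository, its drone.yml, or the linked commit). It fetches the Rancher public key at https://rpm.rancher.io/public.key, verifies the RPM signature against it in a throwaway rpm database, and separately checks the download against the release checksum file. It assumes rpm/rpmkeys, sha256sum, curl and mktemp are on the runner, that the checksum file uses the sha256sum "<hex>  <name>" layout, and that the script file name and function names are ours.

```shell
#!/bin/sh
# Added example, not code from the k3s-selinux project.
# Two independent checks on a downloaded release RPM:
#   1. RPM signature against the Rancher signing key (proves who built it).
#   2. SHA-256 against the release checksum file (proves the download is intact;
#      on its own it says nothing about who produced the list, which is the gap
#      the issue describes, so step 1 is the one that establishes trust).
# Assumed tooling: rpm, rpmkeys, sha256sum, curl, mktemp.
set -eu

RANCHER_KEY_URL="https://rpm.rancher.io/public.key"

# verify_rpm_signature <rpm-file> <public-key-file>
# Imports the key into a fresh rpm database under --dbpath, so the check needs
# no root and does not touch the host keyring. rpmkeys --checksig exits non-zero
# when the signature is missing, does not verify, or was made by a key that is
# not in that database, so a package signed by anyone else fails here.
verify_rpm_signature() {
    rpm_file=$1
    key_file=$2
    if ! command -v rpmkeys >/dev/null 2>&1; then
        echo "rpmkeys not found; cannot verify $rpm_file" >&2
        return 2
    fi
    db=$(mktemp -d)
    rpm --dbpath "$db" --initdb
    rpmkeys --dbpath "$db" --import "$key_file"
    rpmkeys --dbpath "$db" --checksig --verbose "$rpm_file"
}

# verify_checksum <file> <checksum-file>
# Looks up the entry for <file> (by basename, tolerating the "*name" binary-mode
# form) and compares it with the locally computed SHA-256. Returns 1 when the
# entry is missing or the hash differs.
verify_checksum() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v f="$name" '{
        n = $2; sub(/^\*/, "", n); sub(/.*\//, "", n)
        if (n == f) { print $1; exit }
    }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    echo "checksum OK: $name"
}

# verify_release <rpm-file> <checksum-file>
# Fetches the signing key over HTTPS and runs both checks. Because of set -e,
# any failing command aborts the pipeline step.
verify_release() {
    rpm_file=$1
    sums=$2
    key=$(mktemp)
    curl -fsSL "$RANCHER_KEY_URL" -o "$key"
    verify_rpm_signature "$rpm_file" "$key"
    verify_checksum "$rpm_file" "$sums"
}

# Usage: sh verify-k3s-selinux.sh <rpm-file> <checksum-file>
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

Fetching the key on every run means the pipeline trusts whatever TLS serves from rpm.rancher.io at that moment; vendoring the key file into the repository, or comparing its fingerprint against a value stored with the pipeline, removes that dependency. The signature check is the one that answers the question in the issue; the checksum check is cheap and catches truncated or corrupted downloads before rpm is invoked.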