Open juju4 opened 2 years ago
will check it, thanks.
@juju4 GitHub release page packages are not signed and MS Repo packages are signed, and it is by design at present. @deepakjain111
IMHO, design should be reevaluated at least for platforms where it is possible.
On Fedora/RHEL/CentOS, as official repositories support it, enabling signatures is not difficult and is expected on hardened setups (CIS Benchmark, STIG - https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2018-11-28/finding/V-71979 for example)
Less common for Debian/Ubuntu as official repositories don't support it (debsig - 7.5.5 https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html)
Thanks @juju4 for the suggestion. We will definitely consider it.
At least on Fedora/RHEL with gpgcheck, but likely valid for other package platforms
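Added example, not part of the issue thread or the project's code: a small Python audit of yum/dnf repository definitions that lists enabled repos where `gpgcheck` is effectively off, which is the setting the thread refers to. The repo ids, URLs and sample config are constructed, and an unset `gpgcheck` is treated as off (an assumption, chosen as the conservative reading).

```python
import configparser

TRUE_VALUES = {"1", "yes", "true", "on"}

# Constructed sample config (not from the issue): [main] default plus four repos.
SAMPLE_MAIN = "[main]\ngpgcheck=1\n"
SAMPLE_REPOS = """
[vendor-signed]
baseurl=https://repo.example.invalid/signed/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://repo.example.invalid/keys/vendor.asc

[vendor-unsigned]
baseurl=https://repo.example.invalid/unsigned/
gpgcheck=0

[inherits-main]
baseurl=https://repo.example.invalid/other/

[disabled-repo]
baseurl=https://repo.example.invalid/old/
enabled=0
gpgcheck=0
"""

def _parse(text):
    # interpolation=None: repo files may contain '%' or '$basearch' literally.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser

def _is_true(value):
    return value.strip().lower() in TRUE_VALUES

def unverified_repos(main_text, repos_text):
    """Return ids of enabled repos whose effective gpgcheck is off."""
    # Assumption: with no gpgcheck in [main], the default is treated as off.
    default = _parse(main_text).get("main", "gpgcheck", fallback="0")
    repos = _parse(repos_text)
    findings = []
    for repo_id in repos.sections():
        section = repos[repo_id]
        if repo_id == "main" or not _is_true(section.get("enabled", "1")):
            continue  # skip global options and disabled repos
        if not _is_true(section.get("gpgcheck", default)):
            findings.append(repo_id)
    return findings

if __name__ == "__main__":
    print(unverified_repos(SAMPLE_MAIN, SAMPLE_REPOS))
```

On a real host the two arguments would be the contents of the main yum/dnf config file and of each `.repo` file.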