netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Add GPG signatures for RPM packages #1698

Open Darin755 opened 6 months ago

Darin755 commented 6 months ago

Describe the problem

When you use GNOME Software it will complain that the RPM package isn't signed. This isn't the end of the world, but it got me thinking about security and resistance to supply chain attacks. Having a GPG-signed package should help to prevent a malicious update, assuming that the key is properly protected.

To Reproduce

  1. Edit /etc/yum.repos.d/netbird.repo on Fedora to force GPG package checks.
  2. DNF can't continue as there isn't a GPG key.

Expected behavior

There should be a GPG key for RPM packages that DNF can use to verify packages. Here is a brief article about it: https://www.redhat.com/sysadmin/rpm-gpg-verify-packages

Are you using NetBird Cloud?

This shouldn't matter.

NetBird version

NetBird 0.26.3
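A defender-side check matching step 1 of the reproduction above, added here as an example and not part of this issue or of the NetBird project: a small POSIX shell audit that parses a yum/dnf `.repo` file and flags every repository section that does not enforce signature verification (`gpgcheck=1` together with a `gpgkey` URL). The sample repo file, its section names and its URLs are constructed placeholders, not the real netbird.repo.

```sh
# Constructed sample .repo file: one section with signature checks disabled,
# one hardened section. Placeholder URLs, not the project's real repository.
SAMPLE_REPO="$(mktemp)"
cat > "$SAMPLE_REPO" <<'EOF'
[netbird-weak]
name=netbird (constructed sample, signature check disabled)
baseurl=https://example.invalid/yum/
enabled=1
gpgcheck=0

[netbird-hardened]
name=netbird (constructed sample, signature check enforced)
baseurl=https://example.invalid/yum/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://example.invalid/yum/RPM-GPG-KEY-placeholder
EOF

# audit_repo_file FILE: print one line per [section]:
#   "<section> OK"             gpgcheck=1 and a gpgkey URL is configured
#   "<section> WEAK: <reason>" anything else (missing or disabled gpgcheck, no key)
audit_repo_file() {
  awk '
    function report() {
      if (sec == "") return
      if (gpgcheck != "1")   printf "%s WEAK: gpgcheck is not 1\n", sec
      else if (gpgkey == "") printf "%s WEAK: gpgcheck=1 but no gpgkey URL\n", sec
      else                   printf "%s OK\n", sec
    }
    /^\[.*\]$/ { report(); sec = substr($0, 2, length($0) - 2); gpgcheck = ""; gpgkey = ""; next }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /=/ {
      key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
      val = $0; sub(/^[^=]*=/, "", val); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      if (key == "gpgcheck") gpgcheck = val
      if (key == "gpgkey")   gpgkey = val
    }
    END { report() }
  ' "$1"
}

# repo_file_is_hardened FILE: exit 0 only if no section is reported WEAK.
repo_file_is_hardened() {
  ! audit_repo_file "$1" | grep -q ' WEAK:'
}

audit_repo_file "$SAMPLE_REPO"
```

Run the audit over `/etc/yum.repos.d/*.repo` to see which repositories would let an unsigned or unverifiable package through.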

pappz commented 6 months ago

Hello @Darin755, Thank you for the report. We will work on it!