open-telemetry / opentelemetry-collector-releases

OpenTelemetry Collector Official Releases
https://opentelemetry.io
Apache License 2.0

[RPM] GPG key required to download rpm package #424

Open bayramka opened 7 months ago

bayramka commented 7 months ago

Hi,

Oracle Linux 9 requires first importing a GPG key before installing an rpm package using Ansible. Could you provide a GPG key for releasing each rpm?

fatal: FAILED! => changed=false 
  msg: Failed to validate GPG signature for otelcol-contrib-0.85.0-1.x86_64

Thanks

atoulme commented 7 months ago

I don't think we currently sign our packages.

bayramka commented 7 months ago

Could you please sign and share the GPG key?

jpkrohling commented 2 weeks ago

Status: until cosign supports this, I don't think we'll implement. Creating, maintaining, and keeping a key secure is one of the reasons we decided to go with cosign.

If you want to verify the packages on your own, you can use cosign for that, but unfortunately, there's no way to use standard RPM tools for that (AFAIK).
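
The manual cosign check mentioned in the last comment can be wrapped in a fail-closed gate that runs before the package is installed. This is an added example, not part of the thread or the project's tooling. It assumes the signature and certificate were downloaded next to the package as `<rpm>.sig` and `<rpm>.pem`, and that the operator supplies the expected signer identity and OIDC issuer (the function name, file suffixes and environment variable names are hypothetical).

```shell
#!/usr/bin/env bash
# Added example: fail-closed cosign check for a downloaded RPM.
# Assumptions (not from the issue thread): signature and certificate sit next
# to the package as <rpm>.sig and <rpm>.pem; the expected signer identity and
# issuer are pinned by the operator through environment variables.

verify_rpm() {
    local rpm="$1"
    local sig="${rpm}.sig"
    local cert="${rpm}.pem"
    local f

    # Refuse to continue unless the operator pinned who is allowed to sign.
    if [ -z "${COSIGN_IDENTITY_REGEXP:-}" ] || [ -z "${COSIGN_OIDC_ISSUER:-}" ]; then
        echo "verify_rpm: COSIGN_IDENTITY_REGEXP and COSIGN_OIDC_ISSUER must be set" >&2
        return 2
    fi

    # Missing material counts as failure, never as "unsigned but fine".
    for f in "$rpm" "$sig" "$cert"; do
        if [ ! -s "$f" ]; then
            echo "verify_rpm: missing or empty file: $f" >&2
            return 2
        fi
    done

    # Keyless verification: the certificate must match the pinned identity and
    # issuer, and the signature must cover the exact bytes of the RPM.
    if cosign verify-blob \
        --certificate "$cert" \
        --signature "$sig" \
        --certificate-identity-regexp "$COSIGN_IDENTITY_REGEXP" \
        --certificate-oidc-issuer "$COSIGN_OIDC_ISSUER" \
        "$rpm"; then
        return 0
    fi
    echo "verify_rpm: cosign rejected $rpm" >&2
    return 1
}

# Usage (placeholders, to be filled in by the operator):
#   export COSIGN_IDENTITY_REGEXP='<expected-signer-identity-regexp>'
#   export COSIGN_OIDC_ISSUER='<expected-oidc-issuer-url>'
#   verify_rpm ./<package>.rpm && sudo rpm -i ./<package>.rpm
```

Because the RPM itself carries no GPG signature, the package manager's own signature check still has to be handled separately for that one package; the cosign result is the only integrity evidence in this flow.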