Linux package repositories

[directionless]

Who has access to the package repositories? How do they work. Etc.

Would we want to think about https://packagecloud.io/ or some other hosted entity?

Relates to: #4

[theopolis]

myself and @muffins are the only folks with write access to the package repositories. They are hosted in S3. I have a script that takes packages as input, places them into the right directory structure and performs various signing.

For macOS's pkg:

• Unpackage and sign the binaries using my certificate.
• Repackage and sign the pkg
• Upload to S3

For apt:

• Use https://github.com/freight-team/freight to create and maintain the repo, sign the debs
• Upload the resulting freight cache to S3

For yum:

• Use rpmsign to sign the rpms
• Use createrepo to manage the repo
• Upload the output directory tree to S3

[theopolis]

It would be fairly easy to create pipeline like:

Azure nightly builds packages -> uploads to S3

As well as an Azure pipeline that builds tags -> signs -> uploads to S3

[muffins]

For windows MSI and Chocolatey package:

• Build locally
• Use signtool.exe to sign osqueryd.exe, copy this to osqueryi.exe
• Use the .\tools\deployment\make_windows_package.ps1 to generate a .nupkg and .msi
• Sign using signtool.exe to sign the .msi
• Upload both to S3 and Chocolatey