Closed ncjones closed 7 years ago
This is the right place.
We currently do not sign Erlang RPM packages. We should.
On 24 Jan 2017, at 14:25, Nathan Jones notifications@github.com wrote:
I'm trying to install Rabbitmq and Erlang from the Package Cloud repos (https://packagecloud.io/rabbitmq/erlang/install#rpm). The erlang package cannot be installed unless I set "gpgcheck=0" in rabbitmq_erlang.repo because the RPM has not been signed.
The same is not true for the Rabbitmq RPM from Package Cloud; this has been signed and can be verified with the Rabbitmq release key (https://www.rabbitmq.com/rabbitmq-release-signing-key.asc).
For example, given I have imported the Rabbitmq release key (rpm --import https://www.rabbitmq.com/rabbitmq-release-signing-key.asc) and I have the following /etc/yum.repos.d/rabbitmq_erlang.repo file contents:
```ini
[rabbitmq_erlang]
name=rabbitmq_erlang
baseurl=https://packagecloud.io/rabbitmq/erlang/el/6/$basearch
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-packagecloud
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
```
Then I expect that `yum install -y erlang` should succeed but instead I get the following error:
```
Package erlang-19.2.1-1.el6.x86_64.rpm is not signed
```
Apologies if this is posted in the wrong place. I couldn't see a way to report issues directly to the "rabbitmq/erlang" Package Cloud repo owners.
BTW, I prefer to use the Package Cloud repo because the Erlang Solutions one brings in too many unnecessary dependencies.
As for other packages distributed via Package Cloud, it's a matter of publishing signatures together with packages. I need to investigate how that's done.
Looks like Package Cloud assumes signing keys are managed out of band, which makes sense to me. So for rabbitmq-server package verification, see Signatures on rabbitmq.com.
Err, by "out of band" I mean that signatures are not distributed together with packages. Package Cloud signs repository metadata with their own keys; for this Erlang RPM package, the key can be obtained from this URL.
More corrections: this package is NOT distributed via Erlang Solutions.
Package Cloud does not distribute 3rd party keys (or I cannot find much about it), so you need to use their repository keys, not the one from rabbitmq.com. As far as I can tell this is true for all repos on Package Cloud, not something specific to RabbitMQ or this RPM package.
Therefore this issue is about signing these packages with our own key only.
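The thread above turns on two separate checks in a yum repo definition: `repo_gpgcheck` (repository metadata, signed by Package Cloud's key) and `gpgcheck` (the RPM itself, signed by the RabbitMQ release key), and the tempting workaround is to set `gpgcheck=0`. The following audit script is an added example, not code from the RabbitMQ project or its README; it parses a `.repo` file and reports any definition that disables either check, fetches a key over plain HTTP, or turns off TLS verification. The two-entry `gpgkey` line in the constructed sample is my assumption of what a correct definition looks like once the RPMs are signed with the RabbitMQ key.

```python
import configparser
import sys

# Constructed sample (not the README's text): the repo definition from the
# issue, extended with a second gpgkey entry so that Package Cloud's key
# verifies the repository metadata and the rabbitmq.com key verifies the RPMs.
SECURE_REPO = """\
[rabbitmq_erlang]
name=rabbitmq_erlang
baseurl=https://packagecloud.io/rabbitmq/erlang/el/6/$basearch
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-packagecloud
       https://www.rabbitmq.com/rabbitmq-release-signing-key.asc
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
"""

# The same definition with the workaround mentioned in the issue applied.
# (The leading newline keeps "repo_gpgcheck=1" untouched.)
WORKAROUND_REPO = SECURE_REPO.replace("\ngpgcheck=1\n", "\ngpgcheck=0\n")


def audit_repo(text):
    """Return {repo_id: [finding, ...]} for every [section] in a .repo file."""
    cp = configparser.ConfigParser(interpolation=None)  # '$basearch' is literal
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        s, findings = cp[repo], []
        # yum/dnf treat an absent gpgcheck/repo_gpgcheck as 0, so absence counts.
        if s.get("gpgcheck", "0").strip() != "1":
            findings.append("gpgcheck=%s: RPM signatures are not verified" % s.get("gpgcheck", "unset"))
        if s.get("repo_gpgcheck", "0").strip() != "1":
            findings.append("repo_gpgcheck=%s: metadata signature is not verified" % s.get("repo_gpgcheck", "unset"))
        keys = s.get("gpgkey", "").split()  # multi-line values are whitespace separated
        if not keys:
            findings.append("gpgkey missing: nothing to verify signatures against")
        findings += ["gpgkey %s is fetched over plain HTTP" % k for k in keys if k.startswith("http://")]
        url = s.get("baseurl", "").strip()
        if url and not url.startswith("https://"):
            findings.append("baseurl is not HTTPS")
        if s.get("sslverify", "1").strip() == "0":
            findings.append("sslverify=0: TLS certificate checks are disabled")
        report[repo] = findings
    return report


if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        with open(path) as fh:
            for repo, items in audit_repo(fh.read()).items():
                print(path, repo, "OK" if not items else "; ".join(items))
```

Run it as `python audit_repo.py /etc/yum.repos.d/*.repo` to list every repository whose definition would skip signature or TLS checks.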
Packages are now signed with the RabbitMQ release signing key.
I updated the README with the new repository definition.
Thank you!