rabbitmq / erlang-rpm

Latest Erlang/OTP releases packaged as a zero dependency RPM, just enough for running RabbitMQ
https://rabbitmq.com/install-rpm.html

GPG signing key when consuming from PackageCloud #87

Closed CompPhy closed 4 years ago

CompPhy commented 4 years ago

Your documentation for PackageCloud says that the RPMs are supposed to be signed by the PackageCloud key at: https://packagecloud.io/rabbitmq/erlang/gpgkey

However, I just attempted to install erlang-22.1.5-1.el7 and found that it's actually signed with your "release signing key" here: https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc

This was easy enough to fix by putting the right GPG key on my machine, but you should fix the documentation to reflect the correct information.

michaelklishin commented 4 years ago

@tcatut please help us help you by providing the set of steps you have taken to arrive at this conclusion. PackageCloud does use its own keys for the packages it hosts. It also provides a set of tools, but users also can hand craft a repo file.

We'd also appreciate a link to "our documentation" that was used.

michaelklishin commented 4 years ago

Yum metadata and RPM packages can be signed using different keys. Our package is signed by our own signing key but the repository is signed by the PackageCloud key.

I have tried yum verify-rpm erlang after adding and syncing with the PackageCloud repository:

# In /etc/yum.repos.d/rabbitmq_erlang.repo
[rabbitmq_erlang]
name=rabbitmq_erlang
baseurl=https://packagecloud.io/rabbitmq/erlang/el/7/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/rabbitmq/erlang/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300

[rabbitmq_erlang-source]
name=rabbitmq_erlang-source
baseurl=https://packagecloud.io/rabbitmq/erlang/el/7/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/rabbitmq/erlang/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300

and both yum update and yum verify-rpm suggest that verification succeeded.

michaelklishin commented 4 years ago

Apparently it's because I had gpgcheck (of packages) disabled. The following lists both keys and seems to work:

[rabbitmq_erlang]
name=rabbitmq_erlang
baseurl=https://packagecloud.io/rabbitmq/erlang/el/7/$basearch
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=https://packagecloud.io/rabbitmq/erlang/gpgkey
       https://dl.bintray.com/rabbitmq/Keys/rabbitmq-release-signing-key.asc
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300

[rabbitmq_erlang-source]
name=rabbitmq_erlang-source
baseurl=https://packagecloud.io/rabbitmq/erlang/el/7/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/rabbitmq/erlang/gpgkey
       https://dl.bintray.com/rabbitmq/Keys/rabbitmq-release-signing-key.asc
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
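The pitfall in this thread is that `repo_gpgcheck=1` only verifies the repository metadata; with `gpgcheck=0` the package signatures themselves are never checked, so a missing package-signing key goes unnoticed. The following audit script is an added example, not code from the rabbitmq/erlang-rpm project: it parses a yum `.repo` file (including multi-line `gpgkey` values), flags enabled sections that skip package or metadata verification, and optionally checks that each section lists a required key URL. The sample repo file is constructed from the second config above, with the `-source` section still at `gpgcheck=0`; the function names are my own.

```python
import configparser

# Constructed sample, trimmed from the thread's second repo file: the binary
# section verifies packages, the source section still only verifies metadata.
SAMPLE_REPO = """\
[rabbitmq_erlang]
baseurl=https://packagecloud.io/rabbitmq/erlang/el/7/$basearch
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=https://packagecloud.io/rabbitmq/erlang/gpgkey
       https://dl.bintray.com/rabbitmq/Keys/rabbitmq-release-signing-key.asc

[rabbitmq_erlang-source]
baseurl=https://packagecloud.io/rabbitmq/erlang/el/7/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/rabbitmq/erlang/gpgkey
"""

def parse_repo(text):
    """Return {section: {enabled, gpgcheck, repo_gpgcheck, gpgkey: [urls]}}."""
    # interpolation=None so "$basearch" is not treated as a configparser variable.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    repos = {}
    for section in cp.sections():
        # Indented continuation lines become one newline-joined value; split them.
        keys = cp.get(section, "gpgkey", fallback="").split()
        repos[section] = {
            "enabled": cp.get(section, "enabled", fallback="1") == "1",
            "gpgcheck": cp.get(section, "gpgcheck", fallback="0") == "1",
            "repo_gpgcheck": cp.get(section, "repo_gpgcheck", fallback="0") == "1",
            "gpgkey": keys,
        }
    return repos

def audit_repo(text, required_keys=()):
    """List verification gaps in enabled sections; an empty list means clean."""
    findings = []
    for name, r in parse_repo(text).items():
        if not r["enabled"]:
            continue
        if not r["gpgcheck"]:
            findings.append(f"{name}: gpgcheck=0, package signatures are not verified")
        if not r["repo_gpgcheck"]:
            findings.append(f"{name}: repo_gpgcheck=0, repository metadata is not verified")
        for key in required_keys:
            if key not in r["gpgkey"]:
                findings.append(f"{name}: gpgkey does not list {key}")
    return findings
```

Run `audit_repo(open("/etc/yum.repos.d/rabbitmq_erlang.repo").read(), required_keys=[...])` against a real file to get the list of sections that would have accepted an unsigned or differently-signed package.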