Closed CompPhy closed 4 years ago
@tcatut please help us help you by providing the set of steps you have taken to arrive at this conclusion. PackageCloud does use its own keys for the packages it hosts. It also provides a set of tools, but users can also hand-craft a repo file.
We'd also appreciate a link to "our documentation" that was used.
Yum metadata and RPM packages can be signed using different keys. Our package is signed by our own signing key but the repository is signed by the PackageCloud key.
I have tried yum verify-rpm erlang after adding and syncing with the PackageCloud repository:
# In /etc/yum.repos.d/rabbitmq_erlang.repo
[rabbitmq_erlang]
name=rabbitmq_erlang
baseurl=https://packagecloud.io/rabbitmq/erlang/el/7/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/rabbitmq/erlang/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
[rabbitmq_erlang-source]
name=rabbitmq_erlang-source
baseurl=https://packagecloud.io/rabbitmq/erlang/el/7/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/rabbitmq/erlang/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
and both yum update and yum verify-rpm suggest that verification succeeded.
Apparently it's because I had gpgcheck (of packages) disabled. The following lists both keys and seems to work:
[rabbitmq_erlang]
name=rabbitmq_erlang
baseurl=https://packagecloud.io/rabbitmq/erlang/el/7/$basearch
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=https://packagecloud.io/rabbitmq/erlang/gpgkey
       https://dl.bintray.com/rabbitmq/Keys/rabbitmq-release-signing-key.asc
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
[rabbitmq_erlang-source]
name=rabbitmq_erlang-source
baseurl=https://packagecloud.io/rabbitmq/erlang/el/7/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/rabbitmq/erlang/gpgkey
       https://dl.bintray.com/rabbitmq/Keys/rabbitmq-release-signing-key.asc
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
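The comment above turns on the point that repo_gpgcheck=1 only verifies the signed repository metadata, while individual RPMs are only checked when gpgcheck=1 and every key that may have signed them is listed under gpgkey. The script below is an added example, not code from this thread or from the RabbitMQ project: it parses a .repo file the way yum does (INI sections, indented continuation lines for multiple gpgkey URLs) and flags the settings that silently weaken verification. The sample .repo text is constructed for the example and modelled on the files posted above; its sslverify=0 line is deliberately introduced to exercise that check.

```python
"""Audit yum/dnf .repo files for settings that weaken package verification.

Added example, not part of the GitHub thread. yum defaults that matter here:
gpgcheck and repo_gpgcheck default to 0 unless [main] sets them, sslverify
defaults to 1.
"""
import configparser

# Constructed sample modelled on the thread: the first section has package
# signature checks off, the second has both checks on and lists two keys,
# but (deliberately, for this example) disables TLS verification.
SAMPLE_REPO = """\
[rabbitmq_erlang]
name=rabbitmq_erlang
baseurl=https://packagecloud.io/rabbitmq/erlang/el/7/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/rabbitmq/erlang/gpgkey
sslverify=1

[rabbitmq_erlang-source]
name=rabbitmq_erlang-source
baseurl=https://packagecloud.io/rabbitmq/erlang/el/7/SRPMS
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=https://packagecloud.io/rabbitmq/erlang/gpgkey
       https://dl.bintray.com/rabbitmq/Keys/rabbitmq-release-signing-key.asc
sslverify=0
"""


def parse_repo(text):
    """Parse .repo text as yum does: INI sections, indented continuation lines.

    RawConfigParser is used so that $basearch is not treated as interpolation.
    """
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return cp


def gpg_keys(value):
    """Split a gpgkey value into individual key URLs (whitespace-separated)."""
    return value.split()


def audit_repo(text):
    """Return {section: [finding, ...]} for every enabled repo in the file."""
    cp = parse_repo(text)
    findings = {}
    for section in cp.sections():
        def opt(key, default):
            return cp.get(section, key, fallback=default).strip()

        if opt("enabled", "1") != "1":
            continue  # a disabled repo cannot be used to install anything
        problems = []
        if opt("gpgcheck", "0") != "1":
            problems.append("gpgcheck=0: package signatures are not verified")
        if opt("repo_gpgcheck", "0") != "1":
            problems.append("repo_gpgcheck=0: repository metadata is not verified")
        keys = gpg_keys(opt("gpgkey", ""))
        if not keys:
            problems.append("no gpgkey configured: nothing can be verified")
        for key in keys:
            if not key.startswith(("https://", "file://")):
                problems.append(f"gpgkey fetched without TLS or local file: {key}")
        if opt("sslverify", "1") != "1":
            problems.append("sslverify=0: TLS certificate of baseurl not checked")
        if opt("baseurl", "").startswith("http://"):
            problems.append("baseurl over plain http")
        findings[section] = problems
    return findings


if __name__ == "__main__":
    for repo, problems in audit_repo(SAMPLE_REPO).items():
        print(repo, "->", problems or ["ok"])
```

Run it against real files with `audit_repo(open("/etc/yum.repos.d/rabbitmq_erlang.repo").read())`. A repo that reports only "gpgcheck=0" is exactly the situation in the thread: metadata verified against the PackageCloud key, RPMs installed without any signature check, so a package signed by a different key (or not signed at all) is accepted.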
Your documentation for PackageCloud says that the RPMs are supposed to be signed by the PackageCloud key at: https://packagecloud.io/rabbitmq/erlang/gpgkey
However, I just attempted to install erlang-22.1.5-1.el7 and found that it's actually signed with your "release signing key" here: https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc
This was easy enough to fix by putting the right GPG key on my machine, but you should fix the documentation to reflect the correct information.