signal18 / replication-manager

Signal 18 repman - Replication Manager for MySQL / MariaDB / Percona Server
https://signal18.io/products/srm
GNU General Public License v3.0

Signed/secured packages for CentOS #305

Open driskell opened 4 years ago

driskell commented 4 years ago

Hello

I was just wondering if there are plans for signed/secured packages for CentOS.

Currently the guide at https://docs.signal18.io/installation/setup-instructions gives the following repository details:

# /etc/yum.repos.d/signal18.repo
[signal18]
name=Signal18 repositories
baseurl=http://repo.signal18.io/centos/$releasever/$basearch/
gpgcheck=0
enabled=1

This downloads over HTTP insecurely (though I think repo.signal18.io does have HTTPS), and the packages are unsigned.

# wget https://repo.signal18.io/centos/7/x86_64/replication-manager-1.1.3_6_gb40b-1.x86_64.rpm
--2020-07-27 10:27:20--  https://repo.signal18.io/centos/7/x86_64/replication-manager-1.1.3_6_gb40b-1.x86_64.rpm
Resolving repo.signal18.io (repo.signal18.io)... 188.165.226.85
Connecting to repo.signal18.io (repo.signal18.io)|188.165.226.85|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9604005 (9.2M) [application/x-redhat-package-manager]
Saving to: ‘replication-manager-1.1.3_6_gb40b-1.x86_64.rpm’

100%[===================================================================================================================================================================================================>] 9,604,005   4.17MB/s   in 2.2s

2020-07-27 10:27:22 (4.17 MB/s) - ‘replication-manager-1.1.3_6_gb40b-1.x86_64.rpm’ saved [9604005/9604005]
# rpm -q -i -p replication-manager-1.1.3_6_gb40b-1.x86_64.rpm
Name        : replication-manager
Epoch       : 1551368360
Version     : 1.1.3_6_gb40b
Release     : 1
Architecture: x86_64
Install Date: (not installed)
Group       : default
Size        : 43568476
License     : GPLv3
Signature   : (none)
Source RPM  : replication-manager-1.1.3_6_gb40b-1.src.rpm
Build Date  : Thu 28 Feb 2019 03:39:21 PM UTC
Build Host  : ci.signal18.io
Relocations : /
Packager    : info@signal18.io
Vendor      : root@ci.signal18.io
URL         : http://example.com/no-uri-given
Summary     : Replication Manager for MariaDB and MySQL
Description :
Replication Manager for MariaDB and MySQL
Signature   : (none)

That explains the gpgcheck=0

I guess ideally the documentation would be updated to use HTTPS. But are there plans for the packages to be signed?

It does seem like the Ubuntu packages are signed (albeit downloaded over HTTP, though that is less of an issue when they are signed).

Thanks
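The checks the report above does by hand, as an added example (not part of the issue and not the replication-manager project's own tooling): a POSIX shell script that audits a yum/dnf `.repo` stanza for an `http://` source URL and `gpgcheck=0`, prints a hardened version of the same stanza, and reads the `Signature` line of a local RPM the way the `rpm -qip` output above shows it. The `gpgkey` URL in the hardened stanza is a placeholder assumption; Signal18 has not published a signing key on this page.

```shell
#!/bin/sh
# Added example, not from the replication-manager project.
# Audits /etc/yum.repos.d style files for the two weaknesses discussed in
# the issue: plaintext transport and disabled package signature checks.

# audit_repo FILE
#   Prints one finding per line, prefixed with the [section] it belongs to.
#   Returns 0 when the file is clean, 1 when any finding was printed.
audit_repo() {
    file="$1"
    rc=0
    section="(no section)"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \[*\])
                # New stanza: remember its name for the findings below.
                section="${line#[}"
                section="${section%]}"
                ;;
            baseurl=http://*|mirrorlist=http://*|metalink=http://*)
                # Metadata and packages fetched in the clear can be swapped
                # on the wire; with gpgcheck=0 nothing would notice.
                echo "$section: plaintext transport: $line"
                rc=1
                ;;
            gpgcheck=0)
                echo "$section: package signature check disabled (gpgcheck=0)"
                rc=1
                ;;
            repo_gpgcheck=0)
                echo "$section: repository metadata signature check disabled"
                rc=1
                ;;
        esac
    done < "$file"
    return $rc
}

# hardened_repo
#   Prints the stanza from the issue with HTTPS transport and signature
#   checks enabled. The gpgkey URL is an assumed placeholder: it must point
#   at the key the vendor actually publishes, or installs will fail.
hardened_repo() {
    cat <<'EOF'
[signal18]
name=Signal18 repositories
baseurl=https://repo.signal18.io/centos/$releasever/$basearch/
enabled=1
gpgcheck=1
repo_gpgcheck=1
sslverify=1
gpgkey=https://repo.signal18.io/RPM-GPG-KEY-signal18
EOF
}

# rpm_signature FILE
#   Prints the Signature line rpm -qip reports for a package file
#   ("(none)" for an unsigned package) and returns 1 in that case.
#   Returns 2 when rpm is not installed on this host.
rpm_signature() {
    command -v rpm > /dev/null 2>&1 || return 2
    sig=$(rpm -qip "$1" | sed -n 's/^Signature *: *//p' | head -n 1)
    echo "$sig"
    [ "$sig" != "(none)" ]
}

# Stand-alone usage: audit the stanza quoted in the issue (constructed here
# from the text above) and print the hardened replacement.
if [ "${0##*/}" = "audit_repo.sh" ]; then
    tmp=$(mktemp)
    printf '%s\n' '[signal18]' 'name=Signal18 repositories' \
        'baseurl=http://repo.signal18.io/centos/$releasever/$basearch/' \
        'gpgcheck=0' 'enabled=1' > "$tmp"
    audit_repo "$tmp"
    echo "--- hardened stanza ---"
    hardened_repo
    rm -f "$tmp"
fi
```

Note that turning on `gpgcheck=1` only helps once the packages carry a signature; against the package in the report, whose `Signature` is `(none)`, yum would refuse to install it, which is the correct failure mode while signing is still missing.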

tanji commented 4 years ago

Hi,

That's a good point, I can look at this.