driskell opened this issue 4 years ago (status: Open)
Hello
I was just wondering if there are plans for signed/secured packages for CentOS.
Currently the guide at https://docs.signal18.io/installation/setup-instructions gives the following repository details:
```
# /etc/yum.repos.d/signal18.repo
[signal18]
name=Signal18 repositories
baseurl=http://repo.signal18.io/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
```
This downloads over HTTP insecurely, (though I think the repo.signal18.io does have HTTPS), and the packages are unsigned.
```
# wget https://repo.signal18.io/centos/7/x86_64/replication-manager-1.1.3_6_gb40b-1.x86_64.rpm
--2020-07-27 10:27:20--  https://repo.signal18.io/centos/7/x86_64/replication-manager-1.1.3_6_gb40b-1.x86_64.rpm
Resolving repo.signal18.io (repo.signal18.io)... 188.165.226.85
Connecting to repo.signal18.io (repo.signal18.io)|188.165.226.85|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9604005 (9.2M) [application/x-redhat-package-manager]
Saving to: ‘replication-manager-1.1.3_6_gb40b-1.x86_64.rpm’

100%[===================================================================================================================================================================================================>] 9,604,005   4.17MB/s   in 2.2s

2020-07-27 10:27:22 (4.17 MB/s) - ‘replication-manager-1.1.3_6_gb40b-1.x86_64.rpm’ saved [9604005/9604005]

# rpm -q -i -p replication-manager-1.1.3_6_gb40b-1.x86_64.rpm
Name        : replication-manager
Epoch       : 1551368360
Version     : 1.1.3_6_gb40b
Release     : 1
Architecture: x86_64
Install Date: (not installed)
Group       : default
Size        : 43568476
License     : GPLv3
Signature   : (none)
Source RPM  : replication-manager-1.1.3_6_gb40b-1.src.rpm
Build Date  : Thu 28 Feb 2019 03:39:21 PM UTC
Build Host  : ci.signal18.io
Relocations : /
Packager    : info@signal18.io
Vendor      : root@ci.signal18.io
URL         : http://example.com/no-uri-given
Summary     : Replication Manager for MariaDB and MySQL
Description : Replication Manager for MariaDB and MySQL
```

`Signature : (none)`

That explains the `gpgcheck=0`.
I guess ideally the documentation would be updated to use HTTPS. But are there plans for the packages to be signed?
It does seem like Ubuntu packages are signed (albeit downloaded over HTTP, but when signed less of an issue).
Thanks
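As an added example, not part of the issue or of the signal18 project, the following POSIX shell script audits a yum `.repo` definition for the two weaknesses described above (plain-HTTP `baseurl` and `gpgcheck=0`, plus a missing `gpgkey=`) and prints a hardened variant. The `gpgkey` URL is a placeholder, since no signing key was published at the time of the issue; `repo_gpgcheck` is a standard yum option that the issue does not mention.

```shell
#!/bin/sh
# Audit a yum .repo definition for the weaknesses raised in the issue
# (plain-HTTP baseurl, gpgcheck=0, no gpgkey) and emit a hardened variant.
# The gpgkey URL below is a PLACEHOLDER: the project published no signing key.

# Constructed sample, copied from the repo file quoted in the issue.
WEAK_REPO='[signal18]
name=Signal18 repositories
baseurl=http://repo.signal18.io/centos/$releasever/$basearch/
gpgcheck=0
enabled=1'

# sample_file: write the constructed sample to a temp file and print its path.
sample_file() { f=$(mktemp); printf '%s\n' "$WEAK_REPO" > "$f"; echo "$f"; }

# audit_repo FILE: print one line per finding; exit status 1 if any finding.
audit_repo() {
    rc=0
    if grep -Eq '^baseurl=http://' "$1"; then
        echo "WEAK: baseurl over plain HTTP (repo metadata and packages can be altered in transit)"; rc=1
    fi
    if grep -Eq '^gpgcheck=0' "$1"; then
        echo "WEAK: gpgcheck=0 (package signatures are never verified)"; rc=1
    fi
    if ! grep -Eq '^gpgkey=' "$1"; then
        echo "WEAK: no gpgkey= (nothing to verify signatures against)"; rc=1
    fi
    return $rc
}

# harden_repo FILE: switch the baseurl to HTTPS and enable package and
# repository-metadata signature checks (repo_gpgcheck is a standard yum option).
harden_repo() {
    sed -e 's#^baseurl=http://#baseurl=https://#' -e 's/^gpgcheck=0/gpgcheck=1/' "$1"
    grep -Eq '^gpgkey=' "$1" || echo 'gpgkey=https://PLACEHOLDER.example/RPM-GPG-KEY-signal18'
    grep -Eq '^repo_gpgcheck=' "$1" || echo 'repo_gpgcheck=1'
}

# Stand-alone usage: audit the sample, then show the hardened version.
f=$(sample_file)
echo "== findings for $f"
audit_repo "$f" || echo "(one or more weaknesses found)"
echo "== hardened"
harden_repo "$f"
rm -f "$f"
```

With `gpgcheck=1` in place, yum refuses the unsigned RPM shown above instead of installing it silently, which is the behaviour the issue asks for.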
Hi,
That's a good point, I can look at this.