terramate-io / terramate

Terramate CLI is an open-source Infrastructure as Code (IaC) Orchestration and Code Generation tool for Terraform, OpenTofu and Terragrunt.
https://terramate.io
Mozilla Public License 2.0
3.12k stars 85 forks

[FEATURE] GPG Sign RPM and DEB packages #1759

Closed nathanhruby closed 1 week ago

nathanhruby commented 2 weeks ago

Is your feature request related to a problem? Please describe. Our security folks are concerned about package integrity when installing terramate in our CI system. Their concern is that without strong validation of packages, we leave ourselves open to supply chain attacks.

Describe the solution you'd like We'd love it if the packages created were GPG signed so we can install without having an approval in a number of places.

Describe alternatives you've considered

Additional context GoReleaser will do this if you add a sign: section to the nfpm: build and provide it a private key and passphrase, so this should allow you to work with DEBs and switch to repo_gpgcheck=false in the yum/dnf config
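For readers following the GoReleaser suggestion above, here is what the nfpm signing configuration looks like. This is an added example written for this thread, not terramate's own release configuration; in GoReleaser's nfpm section the block is named `signature` and sits under `rpm:` and `deb:`. The nfpm `id`, the `GPG_KEY_PATH` variable and the secret names are assumptions chosen for illustration; the passphrase environment variables follow the pattern documented by GoReleaser as I read it (`NFPM_<ID>_RPM_PASSPHRASE` / `NFPM_<ID>_DEB_PASSPHRASE`, falling back to `NFPM_<ID>_PASSPHRASE`, with `<ID>` being the nfpm id upper-cased).

```yaml
# .goreleaser.yaml fragment (added example, not terramate's config).
# Assumptions: the ASCII-armored private signing key is written by the CI
# job to the path held in $GPG_KEY_PATH from a CI secret, and the passphrase
# is supplied as $NFPM_TERRAMATE_PASSPHRASE. Neither value is committed.
nfpms:
  - id: terramate
    package_name: terramate
    formats:
      - deb
      - rpm
    rpm:
      signature:
        # Signs the RPM with the key at this path; the passphrase is read
        # from NFPM_TERRAMATE_RPM_PASSPHRASE, falling back to
        # NFPM_TERRAMATE_PASSPHRASE (GoReleaser-documented behaviour, as I
        # read it). Consumers verify with:
        #   rpm --import terramate-pubkey.asc && rpm -K terramate-*.rpm
        key_file: "{{ .Env.GPG_KEY_PATH }}"
    deb:
      signature:
        # Embeds a signature in the .deb (nfpm's "origin" type adds a
        # _gpgorigin member); passphrase from NFPM_TERRAMATE_DEB_PASSPHRASE
        # with the same fallback as above.
        key_file: "{{ .Env.GPG_KEY_PATH }}"
        type: origin
```

Two things to check once this is in place: the public half of the key needs to be published somewhere consumers can pin it (a stable URL or the repo itself), so that yum/dnf can be configured with `gpgcheck=1` and `gpgkey=` pointing at that file; and the signature should be verified in CI by importing only that published key and running `rpm -K` on the built RPM, which fails closed if the package is unsigned or signed by an unknown key. Per-package `gpgcheck` is what protects against a tampered artifact; `repo_gpgcheck` covers repository metadata and is a separate setting.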

i4ki commented 2 weeks ago

Hi @nathanhruby

Thanks for reporting this! Yes, we are aware of the problem and it makes sense to improve this. We will check this GoReleaser option that you mentioned.

Let us know if you have other considerations.

nathanhruby commented 1 week ago

Thank you!