Closed nathanhruby closed 1 week ago
Hi @nathanhruby
Thanks for reporting this! Yes, we are aware of the problem and it makes sense to improve this. We will check this GoReleaser option that you mentioned.
Let us know if you have other considerations.
Thank you!
Is your feature request related to a problem? Please describe.
Our security folks are concerned about package integrity when installing terramate in our CI system. Their concern is that without strong validation of packages, we leave ourselves open to supply chain attacks.
Describe the solution you'd like
We'd love it if the packages created were GPG signed so we can install without having an approval in a number of places.
Describe alternatives you've considered
Additional context
GoReleaser will do this if you add a `sign:` section to the `nfpm:` build and provide it a private key and passphrase, so this should allow you to work with DEBs and switch to `repo_gpgcheck=false` in the yum/dnf config
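
For reference, a sketch of the GoReleaser package-signing configuration the request refers to. This is an added example, not terramate's actual release configuration and not part of the original issue. In GoReleaser's `nfpms` options the key is set in a per-format `signature` block; the package id and the `GPG_KEY_PATH` variable name are assumptions chosen for illustration.

```yaml
# .goreleaser.yaml (fragment) -- illustrative only
nfpms:
  - id: default                 # assumed id; it determines the passphrase variable name
    formats:
      - deb
      - rpm
    rpm:
      signature:
        # Path to the armored private key, written to disk by the CI job
        # from a secret. GPG_KEY_PATH is a hypothetical variable name.
        key_file: "{{ .Env.GPG_KEY_PATH }}"
    deb:
      signature:
        key_file: "{{ .Env.GPG_KEY_PATH }}"
        type: origin            # signature role embedded in the .deb

# The key passphrase is not stored in this file. GoReleaser reads it from
# the environment: NFPM_DEFAULT_PASSPHRASE for the id "default" (the id is
# upper-cased), or NFPM_DEFAULT_DEB_PASSPHRASE / NFPM_DEFAULT_RPM_PASSPHRASE
# for a per-format value. Supply it as a CI secret.
```

On the consuming side, a signed RPM can be checked with `rpm --checksig <package>.rpm` once the publisher's public key has been imported with `rpm --import`.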