Open rdunklau opened 6 years ago
Which packages in particular are missing GPG? All our Debian-based ones should be signed, but I suppose RPM and other platforms are missing.
I'm working with Debian packages. I did not know that Debian packages could embed their signature themselves.
However, it looks like the package is not signed, since `debsigs --list` doesn't return anything:

```
debsigs --list timescaledb-postgresql-10_0.9.2~debian9_amd64.deb
GPG signatures in timescaledb-postgresql-10_0.9.2~debian9_amd64.deb:
*** NO ATTEMPT HAS BEEN MADE TO VERIFY THE LISTED SIGNATURES ***
```
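The check discussed above, as an added example that is not part of the original thread or the project's code: a `.deb` is an `ar` archive, and debsigs-style embedded signatures are stored as extra members whose names start with `_gpg` (for example `_gpgorigin`). The function names and the sample archives are constructed for illustration.

```python
AR_MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Return [(name, size)] for every member of an ar archive (the .deb container)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, off = [], len(AR_MAGIC)
    while off < len(blob):
        hdr = blob[off:off + 60]
        # Each member header is 60 bytes and ends with the two-byte magic "`\n".
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError(f"corrupt member header at offset {off}")
        name = hdr[:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        members.append((name, size))
        off += 60 + size + (size & 1)  # member data is padded to an even offset
    return members

def embedded_signatures(blob):
    """Names of embedded signature members; an empty list means none are present."""
    return [name for name, _ in ar_members(blob) if name.startswith("_gpg")]

def _member(name, data):
    # Helper for the constructed samples: one ar member (header + padded data).
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n"
    return hdr.encode("ascii") + data + (b"\n" if len(data) & 1 else b"")

# Constructed sample archives (placeholder contents, not real packages).
UNSIGNED_DEB = (AR_MAGIC
                + _member("debian-binary", b"2.0\n")
                + _member("control.tar.gz", b"ctl")
                + _member("data.tar.xz", b"payload"))
SIGNED_DEB = UNSIGNED_DEB + _member("_gpgorigin", b"-----BEGIN PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for label, blob in (("unsigned", UNSIGNED_DEB), ("signed", SIGNED_DEB)):
        print(label, embedded_signatures(blob) or "no embedded signature members")
```

Like `debsigs --list`, this only reports whether signature members are present; it does not verify them against a trusted key.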
Interesting, I guess it's just the source packages that end up signed, I will investigate a way to improve this. Thanks!
5 years have passed and the RPMs are still not signed :unamused:
@svenklemm @erimatnor @cevian Ping, can we please get an update on this? Multiple people have opened and/or mentioned this is a real problem for them (same goes for me).
https://www.timescale.com/forum/t/gpg-key-check-failed-for-unsigned-package/1250
@NunoFilipeSantos Ping, can we get an update? :)
@Thulium-Drake hello there! This item is on my radar for the near future. I will keep you posted.
@thanasisk any update? :-)
@thanasisk any update? :-)
Hello there, this is due in the immediate future (as in next few weeks)
@Thulium-Drake you prefer `.deb` or `.rpm` support to come first?
@thanasisk We're currently running into this issue with RHEL, so I'd prefer RPM :-)
Thanks! :rocket:
Hello,
Could you provide a GPG signature for your packages, or another means of verifying their integrity before installing them?
Thank you!