turbot / steampipe

Zero-ETL, infinite possibilities. Live query APIs, code & more with SQL. No DB required.
https://steampipe.io
GNU Affero General Public License v3.0

Sign RPM files and provide public GPG key #4333

Open ameyer117 opened 2 months ago

ameyer117 commented 2 months ago

Is your feature request related to a problem? Please describe.
Currently, the Steampipe RPM distribution files are not signed with a GPG key. This poses a compliance issue for environments that must adhere to NIST 800-53 rev5 control CM-14 "Signed Components." This control requires that all software components be signed to ensure integrity and authenticity.

Describe the solution you'd like
I would like the Steampipe project to sign their RPM distribution files with a GPG key. Additionally, the public GPG key used for signing should be provided to users for verification purposes. This will ensure that the RPM files can be verified for integrity and authenticity, thus meeting the requirements of NIST 800-53 rev5 control CM-14.

Describe alternatives you've considered
An alternative would be to manually verify the integrity of the RPM files using checksums provided by the Steampipe project. However, this arguably does not provide the same level of assurance and convenience as GPG-signed RPM files. Third-party auditors may not accept checksum-only verification in highly secure environments.

Additional context
Implementing GPG signing for RPM distribution files will not only help in meeting compliance requirements but also enhance the overall security posture of the Steampipe software distribution process. Providing the public GPG key will allow users to easily verify the authenticity and integrity of the RPM files they download and install.

Useful links
https://csf.tools/reference/nist-sp-800-53/r5/cm/cm-14/
https://access.redhat.com/articles/3359321
https://unix.stackexchange.com/questions/328601/rpmsign-with-cli-password-prompt
https://rpmfusion.org/keys#Trusting_Package_Integrity
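The signing and verification flow the request describes, as an added shell example that is not Steampipe project code and not part of the issue. The key identity `signing@example.invalid`, the file name `steampipe.rpm` and the sample `rpm -Kv` output embedded below are constructed placeholders; the real commands are `rpmsign --addsign`, `gpg --export`, `rpm --import` and `rpm -Kv`. The check deliberately parses the verbose output rather than trusting the exit code, because `rpm -K` exits 0 for an unsigned package whose digests match, which is exactly the "checksum-only" situation the issue says an auditor will not accept.

```shell
#!/bin/sh
# Added example: GPG-sign an RPM on the maintainer side, then verify it on the
# user side in a way that distinguishes "signed by a trusted key" from
# "unsigned but digests match". Not Steampipe project code.

# --- Maintainer side -------------------------------------------------------
sign_rpm() {
    # $1 = path to .rpm, $2 = GPG key uid/id (placeholder: signing@example.invalid)
    rpmsign --define "_gpg_name $2" --addsign "$1"
}

export_public_key() {
    # $1 = key uid/id, $2 = output path for the ASCII-armored public key
    gpg --armor --export "$1" > "$2"
}

# --- User / auditor side ----------------------------------------------------
import_public_key() {
    # Adds the key to the rpm keyring so signatures resolve to OK, not NOKEY.
    rpm --import "$1"
}

# Reads `rpm -Kv <pkg>` output on stdin and prints one of:
#   signed-ok   a signature line was checked against an imported key and is OK
#   nokey       signed, but the signing key is not in the rpm keyring
#   bad         a signature or digest line reports BAD / NOT OK
#   unsigned    only digest lines are present (no "Signature, key ID" line)
classify_rpm_check() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q -E ': (BAD|NOT OK)'; then
        echo bad
    elif printf '%s\n' "$out" | grep -q -E 'Signature, key ID [0-9a-fA-F]+: NOKEY'; then
        echo nokey
    elif printf '%s\n' "$out" | grep -q -E 'Signature, key ID [0-9a-fA-F]+: OK'; then
        echo signed-ok
    else
        echo unsigned
    fi
}

# Returns 0 only for signed-ok; use this instead of the bare `rpm -K` status.
require_signed() {
    status=$(rpm -Kv "$1" | classify_rpm_check)
    [ "$status" = signed-ok ]
}

# Constructed sample outputs (not captured from a real Steampipe package),
# so the classifier can be exercised without rpm installed.
SAMPLE_SIGNED='steampipe.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    MD5 digest: OK'

SAMPLE_UNSIGNED='steampipe.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK'

SAMPLE_NOKEY='steampipe.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    MD5 digest: OK'

# Demo run on the constructed samples; rpm-based functions are only called
# when the tooling is present.
printf 'signed sample   -> %s\n' "$(printf '%s\n' "$SAMPLE_SIGNED"   | classify_rpm_check)"
printf 'unsigned sample -> %s\n' "$(printf '%s\n' "$SAMPLE_UNSIGNED" | classify_rpm_check)"
printf 'nokey sample    -> %s\n' "$(printf '%s\n' "$SAMPLE_NOKEY"    | classify_rpm_check)"
if command -v rpm >/dev/null 2>&1 && [ -f steampipe.rpm ]; then
    require_signed steampipe.rpm && echo "steampipe.rpm: signed by a trusted key"
fi
```

For repository installs the same property is enforced by `gpgcheck=1` together with a `gpgkey=` URL in the `.repo` file, so dnf/yum refuse unsigned or untrusted packages before the `rpm -Kv` step ever runs; the script above covers the direct-download case the issue is about.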

pskrbasu commented 1 month ago

@ameyer117 Thanks for flagging this. I will take a look into it, and update this thread.