CentOS/RHEL RPM gpgcheck wrong key


Antoine Tran

Oct 2, 2019, 7:23:30 AM10/2/19
to rabbitmq-users

Dear all,

Following Rabbitmq procedure to install rabbitmq-server / erlang from packagecloud.io (https://www.rabbitmq.com/install-rpm.html#downloads and https://packagecloud.io/rabbitmq/rabbitmq-server/install), I can see the gpgcheck is disabled by default.

When I enable it, I have this error:
> yum install rabbitmq-server
warning: /var/cache/yum/x86_64/7/rabbitmq_rabbitmq-server/packages/rabbitmq-server-3.8.0-1.el7.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 6026dfca$
 NOKEY
Retrieving key from https://packagecloud.io/rabbitmq/rabbitmq-server/gpgkey

The key from packagecloud.io is not related to the key used in this RPM.

After reading this: https://www.rabbitmq.com/key-transition-0xF7B8CEA6056E8E56.txt , I can see a key migration from Rabbitmq. However, the key provided by packagecloud.io is not consistent with this, and we should have gpgcheck enabled by default. So I had to manually import the new key:

Please fix this for better consistency and security.

Yours sincerely,

Antoine

Michael Klishin

Oct 2, 2019, 9:36:48 AM10/2/19
to rabbitmq-users
As explained in [1], PackageCloud uses its own GPG keys,
one per repository. We have no way of providing our own key.

That's also why PackageCloud have their own installation guides [2] on the repository page.

Antoine Tran

Oct 2, 2019, 10:45:37 AM10/2/19
to rabbitmq-users
On Wednesday, 2 October 2019 15:36:48 UTC+2, Michael Klishin wrote:
> As explained in [1], PackageCloud uses its own GPG keys,
> one per repository. We have no way of providing our own key.

Thank you for the answer.
To my mind, a Yum repository that provides gpg key(s) and RPMs should have RPMs signed with one of the gpg key(s) to be consistent. If we agree to this best-practice principle, then because Rabbitmq cannot add a gpg key in PackageCloud, I suggest that Rabbitmq sign its RPMs both with the rabbitmq gpg keys (the new and old one, as explained in the Rabbitmq gpg key transition) and also with the PackageCloud gpg key. This way, the same RPMs can be distributed from Rabbitmq or PackageCloud with gpgcheck enabled.

Moreover, if I follow the [1] link, I can understand that PackageCloud uses its own gpg key, but nowhere is it said that we should be careful about a mismatch of the Rabbitmq and PackageCloud gpg keys. On the contrary, this paragraph implies that the RPMs provided by PackageCloud are signed with its gpg key too, as they should be.

Thank you!

Michael Klishin

Oct 2, 2019, 5:12:16 PM10/2/19
to rabbitmq-users
The package in question is distributed via GitHub, Bintray and PackageCloud. We cannot sign it with two keys,
so we use the standard RabbitMQ signing key. PackageCloud is an opinionated service that does things in a certain way.
GPG signing is one of the areas where it is different. You can install the package from Bintray or via a direct download
of the zero dependency RPM from GitHub.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/49b80534-6d29-42ca-92fb-c80411e782e0%40googlegroups.com.


--
MK

Staff Software Engineer, Pivotal/RabbitMQ
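Two checks follow from this exchange for anyone running the PackageCloud repository with gpgcheck enabled: the generated .repo file ships with gpgcheck=0 (first post), and the package headers are signed by the RabbitMQ release key while the repository key served by PackageCloud is a different one (Michael's reply). The POSIX shell script below is an added example, not code from this thread, RabbitMQ or PackageCloud. It prints a hardened version of the repo file that lists both keys, and it reports which key signed a cached RPM and whether rpm already trusts it, so the NOKEY warning quoted above can be understood before any key is imported. The baseurl, the RabbitMQ release-key URL and the gpg-pubkey timestamps in the test data are assumptions; verify them against the current install pages.

```shell
#!/bin/sh
# Added example; not code from the thread, RabbitMQ or PackageCloud.
#   hardened_repo_config - prints the PackageCloud-style .repo section with
#                          gpgcheck=1 and with both the PackageCloud key
#                          (repository metadata) and the RabbitMQ release key
#                          (package signatures) listed under gpgkey.
#   check_rpm_signer     - reports which key signed a cached RPM and whether
#                          rpm already has that key imported.
# baseurl and the RabbitMQ key URL are assumptions taken from the layout
# of the PackageCloud and RabbitMQ install pages; adjust them to your setup.

hardened_repo_config() {
    # yum accepts several gpgkey URLs separated by whitespace or newlines.
    cat <<'EOF'
[rabbitmq_rabbitmq-server]
name=rabbitmq_rabbitmq-server
baseurl=https://packagecloud.io/rabbitmq/rabbitmq-server/el/7/$basearch
enabled=1
repo_gpgcheck=1
gpgcheck=1
gpgkey=https://packagecloud.io/rabbitmq/rabbitmq-server/gpgkey
       https://www.rabbitmq.com/rabbitmq-release-signing-key.asc
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
EOF
}

# Print the lower-cased 8-hex-digit key ID found in a yum "NOKEY" warning line
# or in rpm's %{SIGPGP:pgpsig} output ("... Key ID 0123456789abcdef").
# rpm names imported keys gpg-pubkey-<last 8 hex digits>-<timestamp>, so a
# 16-digit ID is reduced to its last 8 digits; prints nothing if no ID is found.
signing_key_id() {
    id=$(printf '%s\n' "$1" \
        | sed -n 's/.*[Kk]ey ID \([0-9A-Fa-f]\{8,16\}\).*/\1/p' \
        | tr '[:upper:]' '[:lower:]')
    while [ "${#id}" -gt 8 ]; do
        id=${id#?}
    done
    printf '%s\n' "$id"
}

# Succeed when key ID $1 is among the installed gpg-pubkey packages in $2
# (one "gpg-pubkey-<id>-<stamp>" per line, as printed by `rpm -q gpg-pubkey`).
key_installed() {
    printf '%s\n' "$2" | grep -qi "^gpg-pubkey-$1-"
}

# Live check (needs rpm): return 0 only when the signer of RPM $1 is already
# imported into the rpm database; print a one-line verdict either way.
check_rpm_signer() {
    rpmfile=$1
    sig=$(rpm -qp --qf '%{SIGPGP:pgpsig}\n' "$rpmfile" 2>/dev/null) || return 2
    signer=$(signing_key_id "$sig")
    if [ -z "$signer" ]; then
        echo "UNSIGNED: $rpmfile"
        return 1
    fi
    installed=$(rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 2>/dev/null)
    if key_installed "$signer" "$installed"; then
        echo "OK: $rpmfile is signed by imported key $signer"
        return 0
    fi
    echo "MISMATCH: $rpmfile is signed by $signer, which is not in the rpm keyring;" \
         "compare it with the key served at the repo's gpgkey URL before importing anything"
    return 1
}

# Usage on a host that has run the PackageCloud installer (paths from the thread):
#   check_rpm_signer /var/cache/yum/x86_64/7/rabbitmq_rabbitmq-server/packages/rabbitmq-server-3.8.0-1.el7.noarch.rpm
#   hardened_repo_config > /etc/yum.repos.d/rabbitmq_rabbitmq-server.repo
```

On the evidence in the thread, repo_gpgcheck=1 (the repomd.xml signature) is what the PackageCloud key covers, while gpgcheck=1 (the package header signature) is satisfied only by the RabbitMQ release key, which is why a MISMATCH verdict against a key fetched from the PackageCloud gpgkey URL is expected rather than a sign of tampering. The key ID reported by the script can be compared with the IDs shown by `gpg --show-keys` on each downloaded key file before either is imported.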

Antoine Tran

Oct 7, 2019, 5:29:03 AM10/7/19
to rabbitmq-users
Thank you for your answer; sorry, I thought an RPM could be signed with multiple keys.

However, the documentation is misleading regarding this issue (source here):

Package Cloud signs distributed packages using their own GPG keys. As of late 2018 Package Cloud is undergoing a signing key migration. Instead of relying on a "master key", projects will migrate to use repository-specific signing keys. Before the migration is completed, both old and new key must be imported for forward compatibility:

# import the new PackageCloud key that will be used starting December 1st, 2018 (GMT)
# import the old PackageCloud key that will be discontinued on December 1st, 2018 (GMT)

After importing both keys please follow the Package Cloud repository setup instructions.

This clearly says the gpg key is one of the two keys from PackageCloud, while Rabbitmq's own key should also be added. I can see we can contribute to the doc; if that is ok for you, I might do a PR.


On Wednesday, 2 October 2019 23:12:16 UTC+2, Michael Klishin wrote:
> The package in question is distributed via GitHub, Bintray and PackageCloud. We cannot sign it with two keys,
> so we use the standard RabbitMQ signing key. PackageCloud is an opinionated service that does things in a certain way.
> GPG signing is one of the areas where it is different. You can install the package from Bintray or via a direct download
> of the zero dependency RPM from GitHub.
>
> On Wed, Oct 2, 2019 at 5:45 PM Antoine Tran <antoine...@gmail.com> wrote:
> > On Wednesday, 2 October 2019 15:36:48 UTC+2, Michael Klishin wrote:
> > > As explained in [1], PackageCloud uses its own GPG keys,
> > > one per repository. We have no way of providing our own key.
> >
> > Thank you for the answer.
> > To my mind, a Yum repository that provides gpg key(s) and RPMs should have RPMs signed with one of the gpg key(s) to be consistent. If we agree to this best-practice principle, then because Rabbitmq cannot add a gpg key in PackageCloud, I suggest that Rabbitmq sign its RPMs both with the rabbitmq gpg keys (the new and old one, as explained in the Rabbitmq gpg key transition) and also with the PackageCloud gpg key. This way, the same RPMs can be distributed from Rabbitmq or PackageCloud with gpgcheck enabled.
> >
> > Moreover, if I follow the [1] link, I can understand that PackageCloud uses its own gpg key, but nowhere is it said that we should be careful about a mismatch of the Rabbitmq and PackageCloud gpg keys. On the contrary, this paragraph implies that the RPMs provided by PackageCloud are signed with its gpg key too, as they should be.
> >
> > Thank you!


Michael Klishin

Oct 7, 2019, 10:16:38 AM10/7/19
to rabbitmq-users
