GPG signatures for Varnish 4.1 repository
James Boyle
jboyle at quotient-inc.com
Fri Aug 24 20:40:04 UTC 2018
Hello,
I was wondering if the Varnish maintainers would consider adding GPG
signatures to the packages in the Varnish 4.1 repository
(https://packagecloud.io/varnishcache/varnish41/el/7/x86_64). It would
increase the level of confidence that those packages have not been
tampered with since being built. For custom repositories I maintain, it
is as simple as running the following in the appropriate directory after
the build process is complete, though, admittedly, I'm unfamiliar with
the build process in use on your side.
rpmsign -D '_gpg_name jboyle at quotient-inc.com' --addsign *.rpm
Also, I contacted the folks at packagecloud.io first -- they recommended
I share that they also have some support for GPG (public) keys. They
gave me this link:
https://blog.packagecloud.io/eng/2017/06/08/announcing-package-signing-gpg-key-support/
However, I'd most like to have signatures embedded in the packages so I
can set gpgcheck=1 in my yum repository configuration.
Thank you!
--James
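
Added example, not part of the original message and not Varnish or packagecloud code: a Python check over yum `.repo` content that separates package-signature checking (`gpgcheck`, what the message asks to be able to enable) from repository-metadata checking (`repo_gpgcheck`). The sample repo file, its URLs and key paths, and the `audit_repos` helper with its finding names are constructed for illustration.

```python
import configparser

TRUE = {"1", "yes", "true", "on"}

# Constructed sample; repo ids, URLs and key paths are placeholders.
SAMPLE = """\
[metadata-signed-only]
baseurl=https://repo.example.invalid/el/7/$basearch
repo_gpgcheck=1
gpgcheck=0
gpgkey=https://repo.example.invalid/gpgkey

[packages-signed]
baseurl=https://repo.example.invalid/el/7/$basearch
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[inherits-default]
baseurl=https://repo.example.invalid/el/7/$basearch
"""

def audit_repos(text, main_gpgcheck=False):
    """Return {repo_id: [findings]} for yum .repo content.

    main_gpgcheck is the caller's assumption about gpgcheck in
    yum.conf [main], used when a repo section does not set it.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        if repo == "main":
            continue
        sec = cp[repo]
        def flag(key, default):
            raw = sec.get(key)
            return default if raw is None else raw.strip().lower() in TRUE
        pkg = flag("gpgcheck", main_gpgcheck)
        meta = flag("repo_gpgcheck", False)
        findings = []
        if not pkg:
            # RPM signatures are not checked at install time.
            findings.append("metadata-only" if meta else "unverified")
        elif not sec.get("gpgkey"):
            # Works only if the signing key is already in the rpm keyring.
            findings.append("no-gpgkey")
        if "gpgcheck" not in sec:
            findings.append("gpgcheck-inherited")
        report[repo] = findings
    return report
```
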