Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Varnish>
  3. Misc
GPG signatures for Varnish 4.1 respository
jboyle at quotient-inc
Aug 24, 2018, 1:40 PM
Post #1 of 1 (348 views)
Permalink
Hello,

I was wondering if the Varnish maintainers would consider adding GPG
signatures to the packages in the Varnish 4.1 repository
(https://packagecloud.io/varnishcache/varnish41/el/7/x86_64). It would
increase the level of confidence that those packages have not been
tampered with since being built. For custom repositories I maintain, it
is as simple as running the following in the appropriate directory after
the build process is complete, though, admittedly, I'm unfamiliar with
the build process in use on your side.

rpmsign -D '_gpg_name jboyle@quotient-inc.com' --addsign *.rpm

Also, I contacted the folks at packagecloud.io first -- they recommended
I share that they also have some support for GPG (public) keys.  They
gave me this link:
https://blog.packagecloud.io/eng/2017/06/08/announcing-package-signing-gpg-key-support/

However, I'd most like to have signatures embedded in the packages so I
can set gpgcheck=1 in my yum repository configuration.

Thank you!
--James

_______________________________________________
varnish-misc mailing list
varnish-misc@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal