st2-packages

Sign packages, turn on GPG verification

Open lakshmi-kannan opened this issue 8 years ago • 5 comments

According to packagecloud, they only sign the package meta. The GPG verify is turned off on packages explicitly. I think we need to start signing those packages via st2-packages before shipping them to packagecloud. We also need to add a step in the install script to download the st2 GPG keys and install them. Also, figure out how to turn on GPG verification with packagecloud.

```ini
[StackStorm_stable]
name=StackStorm_stable
baseurl=https://packagecloud.io/StackStorm/stable/el/7/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/StackStorm/stable/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt

[StackStorm_stable-source]
name=StackStorm_stable-source
baseurl=https://packagecloud.io/StackStorm/stable/el/7/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/StackStorm/stable/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
```

lakshmi-kannan May 24 '16 04:05
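As an added example (not part of the original issue and not StackStorm or packagecloud code), here is a short Python audit of yum `.repo` text that flags stanzas like the one quoted in the issue, where `repo_gpgcheck=1` covers only the repository metadata while `gpgcheck=0` leaves the packages themselves unverified. The `example_signed` stanza, its `repo.example.invalid` URLs, the finding labels and the function names are assumptions made for illustration.

```python
import configparser

# Constructed sample: the stable stanza quoted in the issue, plus a
# hypothetical stanza with package verification switched on for contrast.
SAMPLE_REPO = """\
[StackStorm_stable]
name=StackStorm_stable
baseurl=https://packagecloud.io/StackStorm/stable/el/7/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/StackStorm/stable/gpgkey

[example_signed]
baseurl=https://repo.example.invalid/el/7/$basearch
repo_gpgcheck=1
gpgcheck=1
gpgkey=https://repo.example.invalid/gpgkey
"""

def on(repo, key, default="0"):
    """True when a yum boolean option is switched on in this stanza."""
    return repo.get(key, default).strip().lower() in ("1", "true", "yes")

def audit_repo_text(text):
    """Return {section: [findings]} for every enabled repo stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        repo = cp[name]
        if not on(repo, "enabled", "1"):
            continue  # disabled repos are never installed from
        findings = []
        # Assumption: an option missing from the stanza counts as off;
        # the [main] defaults in yum.conf are not consulted here.
        pkg, meta = on(repo, "gpgcheck"), on(repo, "repo_gpgcheck")
        if not pkg:
            findings.append("packages-not-verified")
        if meta and not pkg:
            findings.append("metadata-only-signing")
        if (pkg or meta) and not repo.get("gpgkey", "").strip():
            findings.append("no-gpgkey")
        report[name] = findings
    return report

if __name__ == "__main__":
    print(audit_repo_text(SAMPLE_REPO))
```

To check a real host, pass the contents of each file under `/etc/yum.repos.d/` to `audit_repo_text`.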