replication-manager
Signed/secured packages for CentOS
Hello
I was just wondering if there are plans for signed/secured packages for CentOS.
Currently the guide at https://docs.signal18.io/installation/setup-instructions gives the following repository details:
# /etc/yum.repos.d/signal18.repo
[signal18]
name=Signal18 repositories
baseurl=http://repo.signal18.io/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
This downloads insecurely over HTTP (though I think repo.signal18.io does have HTTPS), and the packages are unsigned.
# wget https://repo.signal18.io/centos/7/x86_64/replication-manager-1.1.3_6_gb40b-1.x86_64.rpm
--2020-07-27 10:27:20-- https://repo.signal18.io/centos/7/x86_64/replication-manager-1.1.3_6_gb40b-1.x86_64.rpm
Resolving repo.signal18.io (repo.signal18.io)... 188.165.226.85
Connecting to repo.signal18.io (repo.signal18.io)|188.165.226.85|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9604005 (9.2M) [application/x-redhat-package-manager]
Saving to: ‘replication-manager-1.1.3_6_gb40b-1.x86_64.rpm’
100%[===================================================================================================================================================================================================>] 9,604,005 4.17MB/s in 2.2s
2020-07-27 10:27:22 (4.17 MB/s) - ‘replication-manager-1.1.3_6_gb40b-1.x86_64.rpm’ saved [9604005/9604005]
# rpm -q -i -p replication-manager-1.1.3_6_gb40b-1.x86_64.rpm
Name : replication-manager
Epoch : 1551368360
Version : 1.1.3_6_gb40b
Release : 1
Architecture: x86_64
Install Date: (not installed)
Group : default
Size : 43568476
License : GPLv3
Signature : (none)
Source RPM : replication-manager-1.1.3_6_gb40b-1.src.rpm
Build Date : Thu 28 Feb 2019 03:39:21 PM UTC
Build Host : ci.signal18.io
Relocations : /
Packager : [email protected]
Vendor : [email protected]
URL : http://example.com/no-uri-given
Summary : Replication Manager for MariaDB and MySQL
Description :
Replication Manager for MariaDB and MySQL
Signature : (none)
That explains the gpgcheck=0.
I guess ideally the documentation would be updated to use HTTPS. But are there plans for the packages to be signed?
It does seem like the Ubuntu packages are signed (albeit downloaded over HTTP, which is less of an issue when they are signed).
Thanks
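The two weaknesses raised in the issue (a plaintext `http://` baseurl and `gpgcheck=0`) are both visible in the `.repo` stanza itself, so they can be caught before a package is ever fetched. The script below is an added example, not code from the issue or from the replication-manager project: it audits a yum/dnf `.repo` file for those settings, flags the half-fixed case where `gpgcheck=1` is set without any `gpgkey=`, and shows the quoted stanza next to a hardened form. The three sample files are constructed inline, and the `gpgkey` path in the hardened stanza is a placeholder, since the issue does not name a signing key.

```shell
#!/bin/sh
# Added example, not from the issue or the replication-manager project.
# Audits a yum/dnf .repo file for the weaknesses discussed in the issue:
#   - baseurl/mirrorlist/metalink fetched over plaintext http://
#   - gpgcheck=0 (RPM signature verification disabled)
#   - gpgcheck=1 with no gpgkey= (nothing to verify against)
# Sample repo files are constructed inline; the gpgkey path is a placeholder.

# Emit the "gpgcheck=1 but no gpgkey" finding for the section just finished.
# Uses the globals set by audit_repo_file.
report_missing_key() {
    if [ -n "$section" ] && [ "$gpgcheck_on" = 1 ] && [ "$has_key" = 0 ]; then
        echo "$repo_file [$section]: gpgcheck=1 but no gpgkey= configured"
    fi
}

# Print one finding per line for the given .repo file (nothing if clean).
audit_repo_file() {
    repo_file=$1
    section=""
    gpgcheck_on=0
    has_key=0

    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*|\;*) continue ;;                      # blank or comment line
            \[*\])                                       # start of a new [section]
                report_missing_key
                section=${line#\[}; section=${section%\]}
                gpgcheck_on=0; has_key=0
                continue ;;
        esac
        # Split "key = value", tolerating whitespace around '='.
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$key" in
            baseurl|mirrorlist|metalink)
                case "$value" in
                    http://*) echo "$repo_file [$section]: $key over plaintext HTTP: $value" ;;
                esac ;;
            gpgcheck)
                if [ "$value" = 0 ]; then
                    echo "$repo_file [$section]: gpgcheck=0 disables RPM signature checks"
                else
                    gpgcheck_on=1
                fi ;;
            gpgkey)
                if [ -n "$value" ]; then has_key=1; fi ;;
        esac
    done < "$repo_file"
    report_missing_key
}

# Number of findings for a file, as a bare integer on stdout.
count_repo_findings() {
    audit_repo_file "$1" | wc -l | tr -d '[:space:]'
}

# --- constructed sample files -------------------------------------------------
WEAK_REPO=$(mktemp)
cat > "$WEAK_REPO" <<'EOF'
# Constructed copy of the stanza quoted in the issue
[signal18]
name=Signal18 repositories
baseurl=http://repo.signal18.io/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
EOF

HARDENED_REPO=$(mktemp)
cat > "$HARDENED_REPO" <<'EOF'
# Hardened form: HTTPS transport plus mandatory signature verification.
# The gpgkey path is a PLACEHOLDER; use the key the project actually publishes.
[signal18]
name=Signal18 repositories
baseurl=https://repo.signal18.io/centos/$releasever/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-signal18-PLACEHOLDER
enabled=1
EOF

HALF_FIXED_REPO=$(mktemp)
cat > "$HALF_FIXED_REPO" <<'EOF'
# gpgcheck turned on but no key configured
[signal18]
name=Signal18 repositories
baseurl=https://repo.signal18.io/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
EOF

for f in "$WEAK_REPO" "$HARDENED_REPO" "$HALF_FIXED_REPO"; do
    echo "== $f: $(count_repo_findings "$f") finding(s)"
    audit_repo_file "$f"
done
```

Run against `/etc/yum.repos.d/*.repo` to get the same report for a real host. The repo-file check only covers what yum is configured to enforce; for a package already on disk, `rpm -K <file>.rpm` (alias `rpm --checksig`) lists the digests and, when present, the PGP signature, so an unsigned package such as the one in the issue shows digests only, matching the `Signature : (none)` line from `rpm -qip`.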
Hi,
That's a good point, I can look at this.