Sign packages in mockbuild-repos and require signature validation

RESOLVED INCOMPLETE

Status

RESOLVED INCOMPLETE
4 years ago
6 months ago

People

(Reporter: dustin, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [RRA-eval])

We currently trust the RPMs provided on the mockbuild repos to be valid.  They're not directly modifiable by anyone but us, but as a backstop against accidental modification (e.g., by accidental disclosure of S3 credentials), we should additionally sign the packages and verify those signatures on every install.
Whiteboard: [RRA-eval]
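
An added example, not part of the bug report or of the release engineering tooling: a check over the yum.conf text that a mock config embeds, flagging repos where signature validation is off, inherited as off from `[main]`, or anchored to a key fetched over plain http. The repo names, URLs and key path are constructed placeholders, and `audit_repos` is a hypothetical helper.

```python
import configparser

# Constructed sample of the yum.conf text a mock config embeds; names/URLs are placeholders.
SAMPLE_YUM_CONF = """\
[main]
gpgcheck=0

[signed-repo]
baseurl=https://repo.example.invalid/signed/$basearch
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[inherits-main]
baseurl=https://repo.example.invalid/unsigned/$basearch

[no-key]
baseurl=https://repo.example.invalid/nokey/$basearch
gpgcheck=1

[http-key]
baseurl=https://repo.example.invalid/httpkey/$basearch
gpgcheck=1
gpgkey=http://repo.example.invalid/RPM-GPG-KEY-example
"""

def audit_repos(yum_conf_text):
    """Return {repo_id: [problems]} for repos whose signature checking is off or weakly anchored."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.read_string(yum_conf_text)
    # A repo without its own gpgcheck inherits [main]; yum's built-in default is off.
    main_default = cp.getboolean("main", "gpgcheck", fallback=False)
    findings = {}
    for repo in cp.sections():
        if repo == "main":
            continue
        problems = []
        if not cp.getboolean(repo, "gpgcheck", fallback=main_default):
            problems.append("gpgcheck disabled")
        keys = cp.get(repo, "gpgkey", fallback="").split()
        if not keys:  # verification would depend on keys already in the rpm database
            problems.append("no gpgkey configured")
        elif any(k.startswith("http://") for k in keys):
            problems.append("gpgkey fetched over plain http")
        if problems:
            findings[repo] = problems
    return findings

if __name__ == "__main__":
    for repo, problems in audit_repos(SAMPLE_YUM_CONF).items():
        print(f"{repo}: {', '.join(problems)}")
```
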

Updated

2 years ago
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INCOMPLETE
(Assignee)

Updated

6 months ago
Component: General Automation → General
Product: Release Engineering → Release Engineering