Open Bug 2009927 Opened 6 days ago Updated 17 minutes ago

rpm: Sign in-tree firefox RPM packages

Categories

(Release Engineering :: Release Automation, enhancement)

enhancement

Tracking

(Not tracked)

People

(Reporter: eijebong, Assigned: eijebong)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Signing RPMs would require specific support in Autograph, as RPM signatures are embedded in the package structure rather than detached. This isn't a trivial addition and there's no readily available tool we could use to avoid it.

The practical risk is limited: packages are served over HTTPS from a single origin (no mirrors).

> there's no readily available tool

I'm unfamiliar with your CI, but they exist.

> The practical risk is limited: packages are served over HTTPS from a single origin (no mirrors).

Unfortunately, it would prevent installation via GNOME Software and KDE Discover, which are the default handlers for .RPM files, when their respective desktop environments are installed. Unless the user utilises dnf5 or rpm-ostree (or rpm, I suppose), via the CLI, this means that the package may appear uninstallable.

Attached file GitHub Pull Request

This is also a problem because the default rpm policy now is to reject unsigned packages, and various rpm commands break if unverified packages are installed while this policy configuration is in place.

For what it's worth, an incremental step would be to sign the repomd.xml and have the detached signature stored as repomd.xml.asc, then at least repo_gpgcheck=1 can be used.
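The incremental step described in the comment above, as an added example that is not code from this bug or from Firefox's release automation: a detached, armoured signature over repomd.xml, a client repo definition with repo_gpgcheck=1, and a check that the signature no longer verifies once the metadata is altered. It assumes gpg is installed; the key name, paths and repo id are placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug or from Firefox's release automation:
# sign repomd.xml with a detached, armoured signature (repomd.xml.asc) so a
# client repo with repo_gpgcheck=1 can verify the metadata. Throwaway key in
# a temporary GNUPGHOME; the key name, paths and repo id are placeholders.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not available, skipping" >&2; exit 0; }
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME" "$WORK/repo/repodata" && chmod 700 "$GNUPGHOME"

# Throwaway signing key for the demo (production keys live in an HSM or signing service).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Demo Repo Signer <demo@example.invalid>' default default never

# Constructed stand-in for the repository's metadata index.
cat > "$WORK/repo/repodata/repomd.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo"><revision>1700000000</revision></repomd>
EOF

# sign_repomd DIR: write DIR/repodata/repomd.xml.asc next to repomd.xml.
sign_repomd() {
  gpg --batch --quiet --yes --armor --detach-sign \
      -o "$1/repodata/repomd.xml.asc" "$1/repodata/repomd.xml"
}

# verify_repomd DIR: exit 0 if the signature matches the current repomd.xml,
# non-zero otherwise. This is the check dnf applies when repo_gpgcheck=1.
verify_repomd() {
  gpg --batch --quiet --verify "$1/repodata/repomd.xml.asc" \
      "$1/repodata/repomd.xml" 2>/dev/null
}

# write_repo_file DIR: client-side .repo definition; gpgcheck covers packages,
# repo_gpgcheck covers the metadata signature written above.
write_repo_file() {
  gpg --batch --armor --export 'demo@example.invalid' > "$1/RPM-GPG-KEY-demo"
  cat > "$1/demo.repo" <<EOF
[demo]
name=Demo repository (placeholder)
baseurl=file://$1/repo
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file://$1/RPM-GPG-KEY-demo
EOF
}

sign_repomd "$WORK/repo" && write_repo_file "$WORK" && verify_repomd "$WORK/repo"
```

Note that repo_gpgcheck only covers the metadata index; the packages themselves stay unverified until gpgcheck=1 is backed by signed RPMs.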
