Feature #4788

open

Plugin rpms not signed

Added by Glen Ogilvie about 10 years ago. Updated almost 4 years ago.

Status: New
Priority: Normal
Assignee: -
Category: RPMs
Target version: -
Difficulty:
Triaged: Yes
Fixed in Releases:
Found in Releases:

Description

The RPM at:

http://yum.theforeman.org/plugins/latest/el6/x86_64/ruby193-rubygem-foreman_hooks-0.3.7-1.el6.noarch.rpm

has not been signed. I would expect it to be signed with the foreman GPG key.

Name        : ruby193-rubygem-foreman_hooks  Relocations: (not relocatable)
Version     : 0.3.7                             Vendor: Koji
Release     : 1.el6                         Build Date: Thu 27 Feb 2014 04:16:12 NZDT
Install Date: (not installed)               Build Host: koji.katello.org
Group       : Applications/System           Source RPM: ruby193-rubygem-foreman_hooks-0.3.7-1.el6.src.rpm
Size        : 40934                            License: GPLv3
Signature   : (none)
Packager    : Koji
URL         : http://github.com/theforeman/foreman_hooks
Summary     : Run custom hook scripts on Foreman events

Related issues 1 (0 open, 1 closed)

Has duplicate Packaging - Bug #21069: yum repo foreman-plugins installed with no security (Duplicate)

Actions #1

Updated by Dominic Cleal about 10 years ago

  • Project changed from Foreman to Packaging
  • Subject changed from ruby193-rubygem-foreman_hooks rpm not signed to Plugin rpms not signed
  • Category deleted (Packaging)

This is by design at the moment, as signing requires manual intervention and plugin RPM builds get automatically pushed. I'll see if there's any way we can automate it, or regularly do some manual signing.

Actions #2

Updated by Dominic Cleal almost 9 years ago

  • Difficulty deleted (trivial)

Actions #3

Updated by Aaron Copley almost 8 years ago

Dominic Cleal wrote:

This is by design at the moment, as signing requires manual intervention and plugin RPM builds get automatically pushed. I'll see if there's any way we can automate it, or regularly do some manual signing.

If you cannot sign the packages, you could consider enabling HTTPS in Yum repository baseurls provided by foreman-release? I notice that the Quick Start steps have you install foreman-release itself via HTTPS already. (Of course signing the RPM is still preferred.)

Actions #4

Updated by Ewoud Kohl van Wijngaarden almost 6 years ago

We do have HTTPS enabled on yum.theforeman.org but don't use it by default in the repos. It should be easy to change the URLs as a first step. The hard part will be to figure out where we all use this but the foreman-release + the manual should cover most usages.

Actions #5

Updated by Ewoud Kohl van Wijngaarden over 5 years ago

  • Has duplicate Bug #21069: yum repo foreman-plugins installed with no security added

Actions #6

Updated by Ewoud Kohl van Wijngaarden over 5 years ago

Starting with c79747b4ae6e34fd69e9019b320a79347e263c71 (1.18) we do default to https in the release RPM. The puppet-foreman module will default to https starting 10.0.0. It doesn't solve this issue, but at least reduces its impact.

Actions #7

Updated by Eric Helms about 4 years ago

  • Tracker changed from Bug to Feature
  • Priority changed from Low to Normal

Actions #8

Updated by Zach Huntington-Meath almost 4 years ago

  • Triaged changed from No to Yes

Actions #9

Updated by Zach Huntington-Meath almost 4 years ago

  • Category set to RPMs
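
The thread distinguishes three states for a repo: unsigned packages over plain HTTP, unsigned packages over HTTPS (the state after comment #6), and signature-checked packages. The following Python audit of yum `.repo` definitions is an added example, not part of the original issue or of Foreman's code; the sample repo content and repo ids are constructed, and `inherited_gpgcheck` is an assumed stand-in for the `[main]` value in yum.conf.

```python
import configparser

# Constructed sample .repo content (not Foreman's shipped file); only the
# yum.theforeman.org host and path are taken from the issue above.
SAMPLE_REPO = """\
[foreman-plugins]
baseurl=http://yum.theforeman.org/plugins/latest/el6/x86_64
enabled=1
gpgcheck=0

[foreman-plugins-https]
baseurl=https://yum.theforeman.org/plugins/latest/el6/x86_64
gpgcheck=0

[signed-example]
baseurl=http://repo.example.invalid/el6/x86_64
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[disabled-example]
baseurl=http://repo.example.invalid/old
enabled=0
gpgcheck=0
"""

TRUE_VALUES = {"1", "yes", "true"}


def audit_repos(text, inherited_gpgcheck=False):
    """Return {repo_id: finding} for every enabled repo in yum .repo text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1").strip().lower() not in TRUE_VALUES:
            continue  # disabled repos are never fetched
        raw = sec.get("gpgcheck")
        signed = inherited_gpgcheck if raw is None else raw.strip().lower() in TRUE_VALUES
        urls = sec.get("baseurl", "").split()
        # One plain-HTTP URL is enough to flag the repo; a repo with no
        # baseurl (mirrorlist/metalink) is conservatively treated the same.
        plaintext = not urls or any(not u.lower().startswith("https://") for u in urls)
        if not signed and plaintext:
            findings[repo] = "no-integrity"       # neither signature nor TLS
        elif not signed:
            findings[repo] = "transport-only"     # TLS protects the download only
        else:
            findings[repo] = "signature-checked"  # rpm verifies the package itself
    return findings
```

A "transport-only" result matches the point made in comment #6: HTTPS reduces the impact but does not replace package signatures.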