Feature #4788
open
Added by Glen Ogilvie almost 11 years ago.
Updated over 4 years ago.
Description
The RPM at:
http://yum.theforeman.org/plugins/latest/el6/x86_64/ruby193-rubygem-foreman_hooks-0.3.7-1.el6.noarch.rpm
has not been signed. I would expect it to be signed with the foreman GPG key.
Name : ruby193-rubygem-foreman_hooks Relocations: (not relocatable)
Version : 0.3.7 Vendor: Koji
Release : 1.el6 Build Date: Thu 27 Feb 2014 04:16:12 NZDT
Install Date: (not installed) Build Host: koji.katello.org
Group : Applications/System Source RPM: ruby193-rubygem-foreman_hooks-0.3.7-1.el6.src.rpm
Size : 40934 License: GPLv3
Signature : (none)
Packager : Koji
URL : http://github.com/theforeman/foreman_hooks
Summary : Run custom hook scripts on Foreman events
- Project changed from Foreman to Packaging
- Subject changed from ruby193-rubygem-foreman_hooks rpm not signed to Plugin rpms not signed
- Category deleted (
Packaging)
This is by design at the moment, as signing requires manual intervention and plugin RPM builds get automatically pushed. I'll see if there's any way we can automate it, or regularly do some manual signing.
- Difficulty deleted (
trivial)
Dominic Cleal wrote:
This is by design at the moment, as signing requires manual intervention and plugin RPM builds get automatically pushed. I'll see if there's any way we can automate it, or regularly do some manual signing.
If you cannot sign the packages, you could consider enabling HTTPS in Yum repository baseurls provided by foreman-release? I notice that the Quick Start steps have you install foreman-release itself via HTTPS already. (Of course signing the RPM is still preferred.)
We do have HTTPS enabled on yum.theforeman.org but don't use it by default in the repos. It should be easy to change the URLs as a first step. The hard part will be to figure out where we all use this but the foreman-release + the manual should cover most usages.
- Has duplicate Bug #21069: yum repo foreman-plugins installed with no security added
Starting with c79747b4ae6e34fd69e9019b320a79347e263c71 (1.18) we do default to https in the release RPM. The puppet-foreman module will default to https starting 10.0.0. It doesn't solve this issue, but at least reduces its impact.
- Tracker changed from Bug to Feature
- Priority changed from Low to Normal
- Triaged changed from No to Yes
Also available in: Atom
PDF