Sign packages, turn on GPG verification

[lakshmi-kannan]

According to packagecloud, they only sign the package meta. The gpg verify is turned off on packages explicitly. I think we need to start signing those packages via st2-packages before shipping it to packagecloud. We also need to add a step in install script to download st2 gpg keys and install it. Also, figure out how to turn on gpg verification with packagecloud.

[StackStorm_stable]
name=StackStorm_stable
baseurl=https://packagecloud.io/StackStorm/stable/el/7/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/StackStorm/stable/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt

[StackStorm_stable-source]
name=StackStorm_stable-source
baseurl=https://packagecloud.io/StackStorm/stable/el/7/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/StackStorm/stable/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt

[Kami]

Yeah, signing the packages with our key would be great.

[arm4b]

• 1. packagecloud does not appear to have the ability to enable gpgcheck (they say it's somehow tricky. Same with Bintray Bintray doesn't sign RPM packages #48)
• 2. packagecloud does not appear to have the ability to add our own gpg key (only for enterprise version)

According to http://blog.packagecloud.io/eng/2015/07/20/yum-repository-internals/

yum repository metatadata is structured as a series of XML files, that contain checksums of other files, and the packages to which they refer.

So the repo metadata is gpg signed, and file checksums are in that signed metadata. Looks not bad.

IF signing the metadata is NOT enough, then you need:

• 1. Having the package generator sign the packages at build time before uploading
• 2. Storing the gpg private key in CircleCI
• 3. Write our own script to install the packagecloud repo instead of using theirs. This could download our public key, install it, and enable gpg_signing (tricky)
• 4. Do that only for rpm, since deb is signed

[lakshmi-kannan]

@armab Yep, I was on their channel and someone else had the same questions. And yep, 1-4 is what I had in mind.

[arm4b]

Seems now it's possible to import own GPG key for repo, the PackageCloud feature announced in Jun, 2017: https://blog.packagecloud.io/eng/2017/06/08/announcing-package-signing-gpg-key-support/

With this, we can potentially sign the packages during the build with own key before uploading.

Note: this question was raised in #community Slack by Adobe

[lakshmi-kannan]

Awesome! We should do this ASAP. Bring this up as part of 18.04 support work we'll do.