GPG signed binaries #7

Open
JsizzleR opened this issue May 14, 2019 · 11 comments

Comments

@JsizzleR

It would be ideal to have the binaries GPG signed and subsequently verified in the suggested shell script: https://github.com/rstudio/r-builds#example-usage

https://www.rstudio.com/code-signing/

@lachlansimpson

This came up in internal ticket #71907

@JsizzleR
Author

Requested by pro customer through support ticket, 73338

@kfeinauer

Will chat with @bdeitte about transferring this issue over to https://github.com/rstudio/platform-team/issues

@atheriel

atheriel commented Apr 4, 2022

Some digging into this yielded the following:

  • Jon Yoder reported that our Jenkins environment should already contain our GPG key, but we would still need to modify this repo to inject them into builds. We would need to confirm this can be done before starting on other implementation work.

  • The tool we use for building RPM and DEB packages is fpm, which supports RPM signatures by passing --rpm-sign but does not have a Debian equivalent.

  • Actually using RPM signatures requires setting up the build environment correctly. Red Hat has support documentation on this but it may differ slightly for other platforms.

  • I think we can still sign Debian packages using dpkg-sig directly.

  • We should also add a build step that verifies the signatures have been added correctly.

  • We should start adding signature verification to internal consumers of these packages, such as the public Docker images we build from them.
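The consumer-side half of the verification described above (the download script linked in the first comment, and the sha256 checksum request that appears later in the thread), written out as an added example. This is not code from the r-builds repository or from RStudio; the file names, the `SHA256SUMS` layout and the fingerprint argument are illustrative assumptions.

```shell
#!/bin/sh
# Consumer-side verification of a downloaded build artifact: check the
# sha256 checksum, then a detached GPG signature pinned to one expected key.
# Added example, not code from the r-builds repository. The file names, the
# SHA256SUMS layout and the fingerprint argument are illustrative assumptions.
set -u

# Print the sha256 of a file, using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_sha256 FILE SUMS_FILE
# SUMS_FILE uses the "<hex>  <name>" layout that `sha256sum` writes
# (binary-mode entries carry a leading "*" on the name).
# Returns 0 on match, 1 on mismatch, 2 if FILE has no entry in SUMS_FILE.
verify_sha256() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 2
    [ "$(sha256_of "$file")" = "$expected" ]
}

# verify_gpg FILE SIG_FILE KEYRING EXPECTED_FPR
# KEYRING is a keyring file (absolute path; gpg resolves bare names relative
# to its home directory) holding only the publisher's public key, obtained
# and pinned out of band rather than fetched from the same place as the
# artifact. EXPECTED_FPR is the 40-hex-digit fingerprint of the key that must
# have signed. `gpg --verify` exits 0 for a good signature from *any* key in
# the keyring, so the VALIDSIG status line is matched against the pinned
# fingerprint instead of trusting the exit status alone.
verify_gpg() {
    file=$1
    sig=$2
    keyring=$3
    expected_fpr=$4
    status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                 --trust-model always --status-fd 1 \
                 --verify "$sig" "$file" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr "
}

# verify_artifact FILE SUMS_FILE SIG_FILE KEYRING EXPECTED_FPR
# Run both checks; refuse the artifact (non-zero) unless both pass.
verify_artifact() {
    verify_sha256 "$1" "$2" || { echo "checksum check failed: $1" >&2; return 1; }
    verify_gpg "$1" "$3" "$4" "$5" || { echo "signature check failed: $1" >&2; return 1; }
    echo "verified: $1"
}

# As a script: verify.sh FILE SUMS_FILE SIG_FILE KEYRING EXPECTED_FPR
# With no arguments the functions are only defined (for sourcing).
if [ "$#" -eq 5 ]; then
    verify_artifact "$@"
fi
```

The checksum is the cheap check and catches corruption, but a `SHA256SUMS` file served next to the artifact adds nothing against a substituted artifact unless the sums file is itself signed; authenticity comes from the signature, and only when the verifying key is pinned by fingerprint obtained out of band. For the RPM and DEB outputs the comment discusses, the package tooling's own signature check is the equivalent consumer-side step; the detached-signature pattern here covers the tarballs that the README's download script fetches.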

@lachlansimpson

lachlansimpson commented May 5, 2022

Requested by Pro customer on internal ticket #74624

@atheriel

Small update on this:

  • Our SRE team is not comfortable exposing our corporate GPG key in a new location (namely, AWS SecretManager), which is the major roadblock to implementing this. However, if we are able to migrate builds to GitHub Actions it will be possible to make use of the GPG keys already stored there (at the organization level).

  • Signing packages with fpm is fraught, but recent efforts to migrate to nFPM (Fix openSUSE 15.4 image build; begin replacing fpm with nFPM #136) will make it much easier to implement this if we ever solve the GPG key access issue.

@lachlansimpson

Requested in ticket #84383

@ghost

ghost commented Feb 10, 2023

Another related request here: #85460 - The customer requests sha256 checksums.

@lachlansimpson

This came up in ticket #100742

@JsizzleR
Author

JsizzleR commented May 13, 2024

This came up with a customer for ticket: 104591
They cannot use our R or Python binaries because they're not GPG-signed. This was a hard no for them, and they commented on their surprise that we're offering these without signing them.

It's forcing difficult discussions with the customer about compiling from source, or going against our best practices and using a RHEL-provided Python and R version.

@lachlansimpson

lachlansimpson commented Aug 9, 2024

Came up on this ticket: 108494


4 participants