Package cloud - GPG signatures

"Generating and verfying GPG signatures is critical to establishing the authenticity of package objects and the repositories storing those objects." in package cloud

I was building an ansible role to download these package and noticed that in package cloud centos6
and package cloud centos7

gpgcheck=0

Can you please take a look?

[technoweenie]

Both of those have repo_gpgcheck=1. So that should verify Package Cloud through a gpg signature that they manage. Package Cloud doesn't let me upload my own gpg keys AFAIK, otherwise I would.

/cc @andyneff

[andyneff]

Tricky....

repo_gpgcheck Either '1' or '0'. This tells yum whether or not it should perform a GPG signature check on the repodata. When this is set in the [main] section it sets the default for all repositories. The default is '0'. [1]

Now, a little from packagecloudio

packagecloud will sign your repos with a GPG key. This means that anyone who uses your repo can be certain that the repo was generated by packagecloud. The install scripts we generate for your repos will automatically import our public GPG key allowing anyone who uses your packagecloud repo to verify that the repo's metadata has not been tampered with. [2]

Looks like packagecloud is trying to walk a fine "techinical" line saying they support gpg signing... The rpms have no gpg signature, only md5/sha1

[root@86d1d2c4ab19 /]# rpm -K git-lfs-1.1.0-1.el7.x86_64.rpm
git-lfs-1.1.0-1.el7.x86_64.rpm: sha1 md5 OK

There is a (now old) piece of code to sign the our packages (https://github.com/github/git-lfs/tree/master/docker#gpg-signing). I'll look into it a little to see if it is still functional.

However, even IF we did that.

1. packagecloud does not appear to have the ability to enable gpgcheck,
2. packagecloud does not appear to have the ability to add our own gpg public key

IF signing the metadata is NOT enough, I would have to suggest:

1. Having the package generator sign the packages at release time before uploading
2. Write our own script to install the packagecloud repo instead of using theirs. This could download our public key, install it, and enable gpg_signing...

HOWEVER...

Conclusion

yum repository metatadata is structured as a series of XML files, that contain checksums of other files, and the packages to which they refer. [3]

So the repo metadata is gpg signed, and the checksums are in that signed metadata. So it is my opinion that this is a good and secure solution, and we don't need to do anything further. But as is always the case with security, there is something more that CAN be done ;)

[technoweenie]

So the repo metadata is gpg signed, and the checksums are in that signed metadata. So it is my opinion that this is a good and secure solution, and we don't need to do anything further.

👍 Agreed. Closing this issue.