Helm / HELM-222

Sign RPM and DEB packages with GPG key


Details

    • Type: Story
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.0.2
    • Component/s: Build/Packaging
    • Labels: None

    Description

      In CircleCI we build the DEB and RPM packages with makedeb.js and makerpm.js. Signing DEB and RPM packages differs slightly. Here are some thoughts from my investigation:

      Debian packages

      The packages are already built and can be signed with the GPG key:

      dpkg-sig -k <GPG ID> --sign builder <package-to-sign.deb>
      

      We can verify if the signing was successful with

      dpkg-sig --verify <package-to-sign.deb>
      

      RPM packages

      With RPM we have two options: sign during the RPM build, or add a signature to an existing RPM. If we add the signature to an existing RPM, we can create a build job that runs after the RPMs and DEBs are created. We are free to set a filter in the CircleCI config to sign always or only for specific branches.

      rpm --addsign <package-to-sign.rpm>
      

      We can check the signing:

      rpm --checksig <package-to-sign.rpm>
      

      Acceptance:

      • We have control to build signed and unsigned RPM and DEB packages
      • It is possible to run makedeb.js and makerpm.js locally without the need to have a GPG key to sign packages for local builds
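The two signing paths above, wrapped into one post-build step that meets both acceptance criteria (an added example for this ticket, not code from the Helm repository or from the reporter). It assumes a hypothetical PKG_SIGN_KEY environment variable holding the GPG key ID, exported by CircleCI only on branches that should sign, so a local build without a key simply leaves the packages unsigned; a DRY_RUN switch prints the commands instead of running them so the decision logic can be exercised without dpkg-sig, rpm or a key. Two details the commands in the description do not show are included: rpm --addsign takes the signing key from the %_gpg_name macro, which is defined on the command line here instead of in ~/.rpmmacros, and rpm --checksig only reports OK once the public key has been loaded with rpm --import; otherwise it reports NOKEY and fails.

```shell
#!/bin/sh
# Added example (not Helm project code): sign .deb/.rpm artifacts after the build,
# but only when a signing key is configured, so local builds without a GPG key
# still succeed and CI can decide per branch whether to sign.
# Assumptions: CI exports PKG_SIGN_KEY (a GPG key ID) only on branches that
# should sign; DRY_RUN=1 prints the commands instead of executing them.
set -eu

# Exit status 0 when a signing key is configured, 1 otherwise.
signing_enabled() {
  [ -n "${PKG_SIGN_KEY:-}" ]
}

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# rpm --checksig only reports OK when the public key is in rpm's keyring
# (otherwise NOKEY), so load the public half of the signing key once.
import_pubkey() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'gpg --export --armor %s > pubkey.asc && rpm --import pubkey.asc\n' "$PKG_SIGN_KEY"
    return 0
  fi
  pub=$(mktemp)
  gpg --export --armor "$PKG_SIGN_KEY" > "$pub"
  rpm --import "$pub"
  rm -f "$pub"
}

# Sign and verify one package, chosen by extension; anything else is an error.
sign_package() {
  pkg="$1"
  case "$pkg" in
    *.deb)
      run dpkg-sig -k "$PKG_SIGN_KEY" --sign builder "$pkg"
      run dpkg-sig --verify "$pkg"
      ;;
    *.rpm)
      # rpm --addsign reads the key from the %_gpg_name macro; define it on the
      # command line so the job does not depend on a ~/.rpmmacros file.
      run rpm --define "_gpg_name $PKG_SIGN_KEY" --addsign "$pkg"
      run rpm --checksig "$pkg"
      ;;
    *)
      echo "unsupported package type: $pkg" >&2
      return 2
      ;;
  esac
}

# Sign every package given; a no-op (exit 0) when no key is configured,
# which is what keeps local builds without a GPG key working.
sign_all() {
  if ! signing_enabled; then
    echo "PKG_SIGN_KEY not set; leaving packages unsigned" >&2
    return 0
  fi
  import_pubkey
  for p in "$@"; do
    sign_package "$p"
  done
}

# Usage: PKG_SIGN_KEY=<GPG ID> ./sign-packages.sh build/*.deb build/*.rpm
if [ "$#" -gt 0 ]; then
  sign_all "$@"
fi
```

In CircleCI this would be a separate job after the build job, with the branch filter deciding whether PKG_SIGN_KEY is exported; makedeb.js and makerpm.js stay unchanged and never need a key.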

          People

            Assignee: Ronny Trommer
            Reporter: Ronny Trommer