Helm / HELM-222

Sign RPM and DEB packages with GPG key


    Details

    • Type: Story
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.0.2
    • Component/s: Build/Packaging
    • Labels: None

      Description

      In CircleCI we build the DEB and RPM packages with makedeb.js and makerpm.js. Signing for DEB and RPM is slightly different. Here are some thoughts from my investigation:

      Debian packages

      The packages are already built and can be signed with the GPG key:

      dpkg-sig -k <GPG ID> --sign builder <package-to-sign.deb>

      We can verify that the signing was successful with:

      dpkg-sig --verify <package-to-sign.deb>

      RPM packages

      With RPM we have two options: sign during the RPM build, or add a signature to an existing RPM. If we add the signature to an existing RPM, we can create a build job that runs after the RPMs and DEBs are created. We are free to set a filter in the CircleCI config to sign always or only for specific branches.

      rpm --addsign <package-to-sign.rpm>

      We can check the signature with:

      rpm --checksig <package-to-sign.rpm>

      Acceptance:

      • We can choose to build signed or unsigned RPM and DEB packages
      • It is possible to run makedeb.js and makerpm.js locally without needing a GPG key to sign packages for local builds
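As an added example (not code from the issue or the Helm project), a POSIX shell helper that implements the acceptance criteria above: it skips signing when no key id is given, so local builds need no GPG key, applies a branch filter as the CircleCI config could, and signs and verifies with the dpkg-sig and rpm commands shown. The key id and branch arguments, the SIGN_ALL and DRY_RUN variables, the use of rpm's _gpg_name macro to select the key, and the package file names are assumptions constructed for the example.

```shell
#!/bin/sh
# Sign and verify DEB/RPM packages only when a key is available and the
# branch is eligible. Assumptions (not from the issue): the key id and the
# branch (e.g. CircleCI's CIRCLE_BRANCH) are passed as arguments, SIGN_ALL=1
# forces signing on every branch, and DRY_RUN=1 prints commands instead of
# running them so the decision logic can be checked without a key.

# should_sign <key_id> <branch>: 0 (true) if this build should be signed.
# An empty key means a local build: skip signing, no GPG key required.
# With a key, sign only on master or release-* unless SIGN_ALL=1.
should_sign() {
  key="$1"; branch="$2"
  [ -n "$key" ] || return 1
  [ "${SIGN_ALL:-0}" = "1" ] && return 0
  case "$branch" in
    master|release-*) return 0 ;;
    *) return 1 ;;
  esac
}

# run <cmd...>: print the command in DRY_RUN mode, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# sign_package <key_id> <file>: pick the signing tool by package type.
# rpm --addsign reads the signing key name from the _gpg_name macro.
sign_package() {
  key="$1"; pkg="$2"
  case "$pkg" in
    *.deb) run dpkg-sig -k "$key" --sign builder "$pkg" ;;
    *.rpm) run rpm --define "_gpg_name $key" --addsign "$pkg" ;;
    *) echo "unsupported package: $pkg" >&2; return 2 ;;
  esac
}

# verify_package <file>: fail the job if the signature does not verify.
verify_package() {
  pkg="$1"
  case "$pkg" in
    *.deb) run dpkg-sig --verify "$pkg" ;;
    *.rpm) run rpm --checksig "$pkg" ;;
    *) echo "unsupported package: $pkg" >&2; return 2 ;;
  esac
}

# sign_all <key_id> <branch> <files...>: sign and verify, or skip cleanly.
sign_all() {
  key="$1"; branch="$2"; shift 2
  should_sign "$key" "$branch" || { echo "signing skipped" >&2; return 0; }
  for pkg in "$@"; do sign_package "$key" "$pkg" && verify_package "$pkg" || return 1; done
}
```

In the CircleCI signing job, call `sign_all "$GPG_KEY_ID" "$CIRCLE_BRANCH" *.deb *.rpm` after the build step; locally, leaving the key id empty produces unsigned packages.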

            People

            Assignee: Ronny Trommer
            Reporter: Ronny Trommer