Sign RPM and DEB packages with GPG key
Description
Activity
Ronny Trommer March 6, 2020 at 12:45 PM
Merged to develop.
Fixed
Details
Assignee: Ronny Trommer
Reporter: Ronny Trommer
Components:
Sprint: None
Fix versions:
Priority: Major
Created February 13, 2020 at 8:36 AM
Updated March 6, 2020 at 12:45 PM
Resolved March 6, 2020 at 12:45 PM
In CircleCI we build the DEB and RPM packages with makedeb.js and makerpm.js. The signing for DEB and RPM is slightly different. Here are some thoughts from my investigations:
Debian packages
The packages are already built and can be signed with the GPG key.
We can verify whether the signing was successful with:
RPM packages
With RPM we have two options: sign during the RPM build, or add a signature to an existing RPM. If we use the approach of adding the signature to an existing RPM, we can create a build job that runs after the RPMs and DEBs are created. We are free to set a filter to sign always or only for specific branches in the CircleCI config.
We can check the signing with:
Acceptance:
We have control to build signed and unsigned RPM and DEB packages
It is possible to run makedeb.js and makerpm.js locally without the need to have a GPG key to sign packages for local builds
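The post-build signing job sketched in the description, written out as an added example; this is not the project's own CI code. It signs already-built artifacts (dpkg-sig for .deb, rpm --addsign for .rpm), verifies them, applies a branch filter, and builds unsigned when no key is present so that local runs of makedeb.js/makerpm.js keep working. The environment variables SIGN_PACKAGES, SIGN_BRANCHES and GPG_KEY_ID are assumed names chosen for this example; CIRCLE_BRANCH is the variable CircleCI itself exports.

```sh
#!/bin/sh
# Added example (not the project's own CI code): a post-build signing step
# that runs after makedeb.js/makerpm.js have produced their .deb and .rpm files.
# Assumed, hypothetical environment variables:
#   SIGN_PACKAGES  = always | branches | never   (default: never -> unsigned build)
#   SIGN_BRANCHES  = branches that get signed when SIGN_PACKAGES=branches
#   GPG_KEY_ID     = key ID / fingerprint of the signing key in the agent's keyring
# CIRCLE_BRANCH is the branch variable CircleCI itself exports.
# Usage: SIGN_PACKAGES=branches GPG_KEY_ID=... sh sign-packages.sh target/*.deb target/*.rpm
set -eu

# Branch filter: returns 0 when the build should be signed, 1 when it should
# stay unsigned, 2 on an unknown mode so a typo in the CI config is noticed.
should_sign() {
    mode="$1"; branch="$2"; allowed="${3:-}"
    case "$mode" in
        always) return 0 ;;
        never)  return 1 ;;
        branches)
            for b in $allowed; do            # intentional word splitting
                [ "$b" = "$branch" ] && return 0
            done
            return 1 ;;
        *) echo "unknown SIGN_PACKAGES mode: $mode" >&2; return 2 ;;
    esac
}

# A local developer build has no secret key: detect that up front instead of
# failing halfway through with a cryptic gpg error.
signing_key_available() {
    command -v gpg >/dev/null 2>&1 || return 1
    gpg --batch --list-secret-keys "$1" >/dev/null 2>&1
}

# DEB: dpkg-sig adds a detached GPG signature as an extra archive member
# (_gpgbuilder) to the already-built .deb, so signing happens after the build.
sign_deb()   { dpkg-sig --sign builder -k "$2" "$1"; }
verify_deb() { dpkg-sig --verify "$1"; }            # prints GOODSIG on success

# RPM: rpm --addsign writes the signature into the header of an existing
# package; _gpg_name selects the key (normally set in ~/.rpmmacros).
# On newer rpm releases the same operation is `rpmsign --addsign`.
sign_rpm()   { rpm --define "_gpg_name $2" --addsign "$1"; }
# --checksig only reports a good signature after the public key was imported
# with `rpm --import pubkey.asc`; otherwise it shows NOKEY.
verify_rpm() { rpm --checksig "$1"; }

main() {
    mode="${SIGN_PACKAGES:-never}"
    branch="${CIRCLE_BRANCH:-}"
    key="${GPG_KEY_ID:-}"

    should_sign "$mode" "$branch" "${SIGN_BRANCHES:-master develop}" && rc=0 || rc=$?
    case "$rc" in
        1) echo "signing disabled (mode=$mode, branch=$branch): leaving packages unsigned"
           return 0 ;;
        2) return 2 ;;
    esac
    # Signing was requested: a missing key must fail the job rather than
    # silently publish unsigned packages from a branch that should be signed.
    if [ -z "$key" ] || ! signing_key_available "$key"; then
        echo "SIGN_PACKAGES=$mode but no usable GPG key '$key' in the keyring" >&2
        return 1
    fi
    for pkg in "$@"; do
        case "$pkg" in
            *.deb) sign_deb "$pkg" "$key"; verify_deb "$pkg" ;;
            *.rpm) sign_rpm "$pkg" "$key"; verify_rpm "$pkg" ;;
            *)     echo "skipping $pkg: not a .deb or .rpm" ;;
        esac
    done
}

main "$@"
```

The CircleCI job would export the private key into the agent's keyring before this step and scope the job with a branch filter; with SIGN_PACKAGES unset the same script is a no-op, which is what a local build without a key needs.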