[CentOS-devel] Some way to validate SIG repo repodata (via HTTPS or GPG-signed repomd?)

Mon Feb 19 15:07:36 UTC 2018
Neal Gompa <ngompa13 at gmail.com>

On Mon, Feb 19, 2018 at 9:58 AM, Johnny Hughes <johnny at centos.org> wrote:
> On 02/12/2018 02:13 AM, Fabian Arrotin wrote:
>> On 08/02/18 17:45, Neal Gompa wrote:
>>> Hey,
>>>
>>> I've been trying to get the CentOS SIG repositories enabled in the
>>> openSUSE Build Service[1].
>>>
>>> Today, I started working with Adrian Schröter (who is CC'd to this
>>> email) on getting this done, and the issue right now is that there's
>>> no way to securely validate the repodata.
>>>
>>> OBS supports two ways:
>>>
>>> 1. Validating repodata from a mirror using the copy on the master
>>> server fetched through HTTPS.
>>>
>>> 2. Validating repodata through GPG-signed repodata (signed repomd.xml)
>>>
>>> While the base repositories do the latter, none of the repositories
>>> produced through CBS do, and _nothing_ currently does the former.
>>>
>>> Is there something that can be done to make this better so we can have
>>> nice things?
>>>
>>> Best regards,
>>> Neal
>>>
>>> [1]: https://progress.opensuse.org/issues/29568
>>>
>>
>> As option [2] is already in place for base distro (but not all arches),
>> maybe that's the way to do it for the other repositories (using
>> different GPG keys too).
>> @KB : is that something you can add in your script ?
>
> The signatures for repomd.txt.asc can either be done on the stand alone
> signing machines or as a gpg call if the rpms are signed by a gpg key on
> a local machine, etc.
>
> I have sent KB the methods currently used to do this for x86_64, i386,
> and aarch64.
>
> But, rather than building CentOS related things on OBS (which is fine if
> you want to do that, it is open source, so to each their own :D ) .. I
> think a better option might be (my own personal opinion, mind you) to
> have said 'nice things' become part of CentOS.org named space in a SIG
> and be built from git.centos.org and by the Community Build System for
> all users rather than have them go looking for those things outside the
> CentOS.org name space.  Then everyone using CentOS has access to them
> where they already know to look.
>

In this case, I'm trying to build packages for Fedora, CentOS/RHEL,
openSUSE, Ubuntu, and Debian using the same sources (using the same
spec file). OBS uniquely offers this capability. The CentOS CBS only
supports building for CentOS.

I have considered offering things through CBS, but I don't know what's
involved there...


-- 
真実はいつも一つ!/ Always, there's only one truth!
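The two validation routes Neal lists (a signed repomd.xml, or comparing a mirror's repomd.xml against the master copy fetched over HTTPS) both come down to the same chain of trust in a yum/dnf repository: repomd.xml names every other metadata file together with its checksum, so once repomd.xml itself is trusted, the rest of the repodata can be checked against it. The script below is an added illustration of that chain; it is not code from the thread, from CentOS, from CBS or from OBS. The sample repository, file names and the "repodata/" paths are constructed in memory, and the gpg keyring directory passed to the signature helper is an assumption.

```python
"""
Added example (not from the thread, and not CentOS/CBS/OBS project code):
what "validating repodata" means for a yum/dnf repository.

repodata/repomd.xml lists every other metadata file with its checksum.  If
repomd.xml is trusted, either because the detached signature repomd.xml.asc
verifies against a known key (option 2 in the thread) or because it is
byte-identical to the master copy fetched over HTTPS (option 1), the
checksums inside it anchor the rest of the metadata.  The repository used
here is a constructed in-memory sample.
"""
import hashlib
import subprocess
import xml.etree.ElementTree as ET

# Namespace used by real repomd.xml files.
NS = {"repo": "http://linuxfoundation.org/metadata/repo"}

# Constructed sample metadata files that a minimal repomd.xml would reference.
PRIMARY_XML = b'<metadata packages="1"><package type="rpm"><name>hello</name></package></metadata>'
FILELISTS_XML = b'<filelists packages="1"><package name="hello"/></filelists>'
SAMPLE_FILES = {
    "repodata/primary.xml": PRIMARY_XML,
    "repodata/filelists.xml": FILELISTS_XML,
}


def build_repomd(files: dict) -> bytes:
    """Build a minimal repomd.xml for {href: bytes} (constructed sample, sha256 only)."""
    parts = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<repomd xmlns="http://linuxfoundation.org/metadata/repo">']
    for href, blob in files.items():
        dtype = href.split("/")[-1].split(".")[0]  # "primary", "filelists", ...
        parts.append(
            f'<data type="{dtype}">'
            f'<checksum type="sha256">{hashlib.sha256(blob).hexdigest()}</checksum>'
            f'<location href="{href}"/>'
            f'<size>{len(blob)}</size>'
            '</data>')
    parts.append("</repomd>")
    return "\n".join(parts).encode()


SAMPLE_REPOMD = build_repomd(SAMPLE_FILES)


def parse_repomd(repomd_bytes: bytes) -> dict:
    """Return {href: (checksum_type, checksum_hex)} for every <data> entry."""
    root = ET.fromstring(repomd_bytes)
    entries = {}
    for data in root.findall("repo:data", NS):
        csum = data.find("repo:checksum", NS)
        loc = data.find("repo:location", NS)
        entries[loc.get("href")] = (csum.get("type"), csum.text.strip())
    return entries


def verify_metadata_files(repomd_bytes: bytes, fetch) -> list:
    """Check every file referenced by a trusted repomd.xml.

    `fetch(href)` returns the file's bytes (or None if missing).  Returns a
    list of (href, ok); a missing file or unknown checksum type is a failure.
    """
    results = []
    for href, (ctype, expected) in parse_repomd(repomd_bytes).items():
        blob = fetch(href)
        if blob is None or ctype not in hashlib.algorithms_available:
            results.append((href, False))
            continue
        actual = hashlib.new(ctype, blob).hexdigest()
        results.append((href, actual == expected))
    return results


def mirror_matches_master(mirror_repomd: bytes, master_repomd: bytes) -> bool:
    """Option 1 from the thread: accept a mirror's repomd.xml only if it is
    byte-identical to the copy fetched from the master server over HTTPS."""
    return mirror_repomd == master_repomd


def repomd_signature_ok(repomd_path: str, asc_path: str, gpg_home: str) -> bool:
    """Option 2 from the thread: verify the detached signature repomd.xml.asc
    with gpg against a keyring directory (assumed) that holds only the
    repository's signing key.  Needs the gpg binary, so it is not run offline."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--homedir", gpg_home,
         "--verify", asc_path, repomd_path],
        capture_output=True, text=True)
    return proc.returncode == 0


if __name__ == "__main__":
    print("intact repo:", verify_metadata_files(SAMPLE_REPOMD, SAMPLE_FILES.get))
    # A mirror serving a modified primary.xml under an unchanged repomd.xml is caught.
    tampered = {**SAMPLE_FILES,
                "repodata/primary.xml": PRIMARY_XML.replace(b"hello", b"hell0")}
    print("tampered primary.xml:", verify_metadata_files(SAMPLE_REPOMD, tampered.get))
    print("mirror repomd matches master:",
          mirror_matches_master(SAMPLE_REPOMD, SAMPLE_REPOMD + b"\n"))
```

The point the check makes concrete is the one behind the thread: without a signature or a master copy to compare against, a mirror can swap out repomd.xml together with the files it references and every checksum still matches. The checksum walk only rejects tampering below a repomd.xml that was trusted by one of the two routes.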