Sign packages #42

Closed
opened 2026-04-19 18:32:47 +02:00 by yestax · 4 comments
Owner

Use a gpg key to sign package apt/rpm

For RPM, dnf flags an error with default install procedure if packages are not signed.

Sign or document how to bypass (/etc/yum.repos.d/rpm.repo) gpgcheck

Use a gpg key to sign package apt/rpm For RPM, dnf flags an error with default install procedure if packages are not signed. Sign or document how to bypass (/etc/yum.repos.d/rpm.repo) gpgcheck
Author
Owner

apt doesn't trusts individual packages but checks repository metadata (Handled by getting the repo key see wiki)
rpm trusts per-package signatures so the user need to import the key inside the rpm database.

  • Generate a gpg key and upload it to the forgejo instance.
  • Setup package signing inside the container (need rpmsign)
  • Update wiki to install fedora packages
apt doesn't trusts individual packages but checks repository metadata (Handled by getting the repo key see wiki) rpm trusts per-package signatures so the user need to import the key inside the rpm database. - [x] Generate a gpg key and upload it to the forgejo instance. - [x] Setup package signing inside the container (need rpmsign) - [x] Update wiki to install fedora packages
Author
Owner

needs to import a key before installing package
rpm --import <key_file>

needs to import a key before installing package rpm --import <key_file>
yestax added this to the Setup v1.4.X milestone 2026-06-10 11:37:48 +02:00
Author
Owner

#109 build-package now able to sign packages

#109 build-package now able to sign packages
Author
Owner

the import should be done by the modification in the repo file (see wiki)

the import should be done by the modification in the repo file (see wiki)
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
yestax/setup#42
No description provided.