Posted to commits@cassandra.apache.org by sp...@apache.org on 2017/06/28 13:57:09 UTC

cassandra-builds git commit: Add package signing instructions

Repository: cassandra-builds
Updated Branches:
  refs/heads/master 311046bf0 -> b15c7c055


Add package signing instructions


Project: http://git-wip-us.apache.org/repos/asf/cassandra-builds/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra-builds/commit/b15c7c05
Tree: http://git-wip-us.apache.org/repos/asf/cassandra-builds/tree/b15c7c05
Diff: http://git-wip-us.apache.org/repos/asf/cassandra-builds/diff/b15c7c05

Branch: refs/heads/master
Commit: b15c7c055226603790a2c5d57bd51516f8758db4
Parents: 311046b
Author: Stefan Podkowinski <st...@1und1.de>
Authored: Wed Jun 28 15:50:59 2017 +0200
Committer: Stefan Podkowinski <st...@1und1.de>
Committed: Wed Jun 28 15:52:45 2017 +0200

----------------------------------------------------------------------
 README.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cassandra-builds/blob/b15c7c05/README.md
----------------------------------------------------------------------
diff --git a/README.md b/README.md
index 3b77fdd..8bb85ee 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,36 @@ Packages for official releases can only be build from tags. In this case, the ta
 
 Builds based on any branch will use the version defined in either `build.xml` (RPM) or `debian/changes` (deb). Afterwards a snapshot indicator will be appended.
 
+##  Signing packages
+
+### RPM
+
+Signatures can be used for both yum repository integrity protection and end-to-end package verification.
+
+Providing a signature ([repomd.xml.asc](https://www.apache.org/dist/cassandra/redhat/311x/repodata/repomd.xml.asc)) for [repomd.xml](https://www.apache.org/dist/cassandra/redhat/311x/repodata/repomd.xml) allows clients to verify the repository's meta-data, as enabled by `repo_gpgcheck=1` in the yum config.
+
+Individual package files can also contain a signature in the RPM header. This can be done either during the build process (`rpmbuild --sign`) or afterwards on the final artifact. As the RPMs should be build using docker without any user intervention, we have to go with the later option here. One solution for this is to use the rpmsign wrapper (`yum install rpm-sign`) and use it on the package, e.g.:
+```rpmsign -D '%_gpg_name MyAlias' --addsign cassandra-3.0.13-1.noarch.rpm```
+
+Verifying package signatures requires to import the public keys first:
+
+```
+rpm --import https://www.apache.org/dist/cassandra/KEYS
+```
+
+Afterwards the following command should report "OK" for included hashes and gpg signatures:
+
+```
+rpm -K cassandra-3.0.13-1.noarch.rpm
+```
+
+Once the RPM is signed, both the import key and verification steps should take place automatically during installation from the yum repo (see `gpgcheck=1`).
+
+### Debian
+
+See use of `debsign` in `cassandra-release/prepare_release.sh`.
+
+
 ## Publishing packages
 
 TODO
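
Review bot: In the RPM verification step, `rpm -K cassandra-3.0.13-1.noarch.rpm` also reports OK for the digests of a package that carries no signature at all, so the sentence ending in 'should report "OK" for included hashes and gpg signatures' should tell the reader to confirm that a signature is actually listed in the output, not just that OK appears. The `rpm --import https://www.apache.org/dist/cassandra/KEYS` step would also benefit from a note to compare the imported key fingerprints against a second source, since the KEYS file is served from the same host as the repository metadata linked above it. Style: the `rpmsign -D '%_gpg_name MyAlias' --addsign ...` example is wrapped in triple backticks on a single line directly under its paragraph, unlike the two fenced blocks that follow; give it its own fenced block with a blank line before it. Typos: "should be build" should read "should be built", "the later option" should read "the latter option", "requires to import" should read "requires importing", and the heading `##  Signing packages` has a double space.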

