We need to sign our Ubuntu packages, otherwise users will get an alert from apt-get like this:
WARNING: The following packages cannot be authenticated!
scylla-tools
Install these packages without verification? [y/N]
Does this require a pgp key?
I think so.
I found an instruction on Ubuntu site: https://help.ubuntu.com/community/CreateAuthenticatedRepository
Started to build Ubuntu 16.04 signed nightly build.
Can be tested with the following commands on Ubuntu 16.04:
curl https://s3.amazonaws.com/downloads.scylladb.com/deb/unstable/scylladb.gpg.pubkey|sudo apt-key add -
cd /etc/apt/sources.list.d/
sudo curl -O https://s3.amazonaws.com/downloads.scylladb.com/deb/unstable/xenial/master/6/scylla.list
sudo apt update
sudo apt install scylla
15.10 as well
curl https://s3.amazonaws.com/downloads.scylladb.com/deb/unstable/scylladb.gpg.pubkey|sudo apt-key add -
cd /etc/apt/sources.list.d/
sudo curl -O https://s3.amazonaws.com/downloads.scylladb.com/deb/unstable/wily/master/2/scylla.list
sudo apt update
sudo apt install scylla
14.04 too
curl https://s3.amazonaws.com/downloads.scylladb.com/deb/unstable/scylladb.gpg.pubkey|sudo apt-key add -
cd /etc/apt/sources.list.d/
sudo curl -O https://s3.amazonaws.com/downloads.scylladb.com/deb/unstable/ubuntu/master/10/scylla.list
sudo apt update
sudo apt install scylla
@syuu1228 is it part of 1.2?
No, it's not. We are not signing the deb packages for 1.2, not for 14.04 nor for 16.04.
On Mon, Jun 13, 2016 at 9:16 AM, Tzach Livyatan wrote:
@syuu1228 https://github.com/syuu1228 is it part of 1.2?
Confusing innocent users
https://twitter.com/loweschmidt/status/797006359694872576
@tzach @slivne Guys, you need any help with it?
A pointer to best practices maybe. Where to store the signing keys?
How do you guys build packages?
I had a Jenkins job building and signing it.
We have a Jenkins job, but I'm wary of giving it the keys. It needs to be secure, or the signature is meaningless.
it's scary, but it's your build system =)
This worked for me: https://wiki.jenkins-ci.org/display/JENKINS/Debian+Package+Builder+Plugin
Haha, I thought accepted practice might be to give your keys to some machine and hope.
I guess we'll have to do that.
@avikivity great!
You do that and we'll do chef cookbook for you!
Any time estimations?
+1 for CentOS/RHEL Packages.
Hey @avikivity, how's it going?
I just wanted to say that I remembered another great option for packages: Launchpad PPA!
What do you say? Because it's a nightmare to install scylla with an unsigned package.
Cheers!
+1 for PPA
@avikivity @syuu1228 any progress on this?
+1
aptly makes it easy to maintain and publish your repo. You can run it from RHEL/CentOS too.
With any tool/approach you'll need to gpg-sign files, so having a passphrase-protected GPG private key on a server is probably the best you can aim for.
Also, with recent Debian/Ubuntu versions, you'll need to use SHA-256 for the gpg signature, so add this to ~/.gnupg/gpg.conf:
cert-digest-algo SHA256
digest-algo SHA256
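The warning at the top of this thread appears when apt cannot verify the chain from the signed Release file down to the .deb. As an added example (not code from this thread or from the Scylla project), here is a Python check of the middle link of that chain: it parses the SHA256 block of a constructed Release file and verifies the digest and size of a Packages index, refusing a Release that only carries MD5Sum or SHA1 entries, which matches the SHA-256 point made above. All file contents are constructed samples.

```python
import hashlib

# Constructed sample Packages index; the digest is a placeholder, not a real package.
PACKAGES = (
    "Package: scylla-server\n"
    "Version: 0.0-example\n"
    "Architecture: amd64\n"
    "Filename: pool/main/s/scylla/scylla-server_0.0-example_amd64.deb\n"
    "SHA256: 0000000000000000000000000000000000000000000000000000000000000000\n"
)

# Release hash block names mapped to hashlib algorithm names.
HASH_BLOCKS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_release_hashes(release: str, algo: str = "SHA256") -> dict:
    """Return {path: (hexdigest, size)} from one hash block of a Release file.

    A block starts with an unindented line such as 'SHA256:' and continues with
    indented ' <digest> <size> <path>' lines until the next unindented field.
    """
    entries = {}
    in_block = False
    for line in release.splitlines():
        if not line.startswith(" "):
            in_block = line.rstrip() == f"{algo}:"
            continue
        if in_block:
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries


def verify_index(release: str, path: str, content: bytes) -> bool:
    """True only if Release lists `path` under SHA256 with matching size and digest.

    A Release without a SHA256 block is rejected outright: current Debian/Ubuntu
    apt treats MD5Sum/SHA1-only metadata as unauthenticated.
    """
    entries = parse_release_hashes(release, "SHA256")
    if path not in entries:
        return False
    digest, size = entries[path]
    return len(content) == size and hashlib.sha256(content).hexdigest() == digest


def build_release(packages: bytes, algo: str = "SHA256") -> str:
    """Constructed Release file listing `packages` as main/binary-amd64/Packages."""
    h = hashlib.new(HASH_BLOCKS[algo], packages).hexdigest()
    return ("Origin: example\nSuite: unstable\nCodename: xenial\n"
            f"{algo}:\n {h} {len(packages)} main/binary-amd64/Packages\n")
```

In a real repository the Release file is itself covered by the detached Release.gpg or inline InRelease signature; this check only covers the Release-to-Packages link, which is what apt walks after the signature verifies.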
@slivne I already created a signed package generation script on Jenkins years ago; can I enable it (perhaps only on 1.8?)
@slivne ping
@syuu1228 we need to make sure:
On Wed, May 10, 2017 at 1:06 AM, Shlomi Livne wrote:
@syuu1228 https://github.com/syuu1228 we need to make sure:
- we know how to promote these packages (previous simple attempt failed).
- be able to rebuild them when we need to add minor versions fixes
- verify the key is good.
- I suggest we start with the non signed repo change and verify its good and then move and sign

Does it mean we will switch to aptly, but with a non-signed repo?
Where can we start? Maybe test it on master?
I am currently trying to install scylladb on a fresh Debian 8, and get this message when installing via apt-get:
WARNING: The following packages cannot be authenticated!
scylla-conf scylla-server scylla-jmx scylla-tools scylla-kernel-conf scylla
Install these packages without verification? [y/N]
Are your packages signed? Is there a way to retrieve the key to add it via apt-key?
@syuu1228 any update on this issue?
@syuu1228 ping
Still an issue.
In 2.1 the debian8 and ubuntu16.04 artifacts are signed - closing this issue