Sign rpm repo metadata (#9027)
This helps support zypper on Suse, and improves our general RPM distribution security posture. The threat model is someone compromises AWS, but not our signing keys. In this case, they could update repo metadata to point to an unsigned package. With metadata signed, this is no longer possible -- both the index and the package are verified. For more info on this change, see this very helpful blog post: https://blog.packagecloud.io/eng/2014/11/24/howto-gpg-sign-verify-rpm-packages-yum-repositories/
This commit is contained in:
parent
136642626d
commit
4e324e74e3
27
.drone.yml
27
.drone.yml
|
@ -5016,6 +5016,31 @@ steps:
|
|||
- yum -y install createrepo
|
||||
- createrepo --cachedir /rpmrepo/teleport/cache --update /rpmrepo/teleport
|
||||
|
||||
# This step requires centos:8 to get gpg 2.2+
|
||||
# centos:7's gpg 2.0 doesn't understand the format of GPG_RPM_SIGNING_ARCHIVE
|
||||
- name: Sign RPM repo metadata
|
||||
image: centos:8
|
||||
volumes:
|
||||
- name: rpmrepo
|
||||
path: /rpmrepo
|
||||
# for in-memory tmpfs for key material
|
||||
- name: tmpfs
|
||||
path: /tmpfs
|
||||
environment:
|
||||
GNUPGHOME: /tmpfs/gnupg
|
||||
GPG_RPM_SIGNING_ARCHIVE:
|
||||
from_secret: GPG_RPM_SIGNING_ARCHIVE
|
||||
commands:
|
||||
- |
|
||||
# extract signing key
|
||||
mkdir -m0700 $GNUPGHOME
|
||||
echo "$GPG_RPM_SIGNING_ARCHIVE" | base64 -d | tar -xzf - -C $GNUPGHOME
|
||||
chown -R root:root $GNUPGHOME
|
||||
# Sign rpm repo metadata (yum clients will automatically look for and verify repodata/repomd.xml.asc)
|
||||
- gpg --detach-sign --armor /rpmrepo/teleport/repodata/repomd.xml
|
||||
- cat /rpmrepo/teleport/repodata/repomd.xml.asc
|
||||
- rm -rf $GNUPGHOME
|
||||
|
||||
- name: Sync RPM repo changes to S3
|
||||
image: amazon/aws-cli
|
||||
environment:
|
||||
|
@ -5141,6 +5166,6 @@ volumes:
|
|||
name: drone-s3-debrepo-pvc
|
||||
---
|
||||
kind: signature
|
||||
hmac: 5024d8ffe4db0d734fcb1f1a2a22d3ae2078d270dbaac7900eca0db2d1448655
|
||||
hmac: 1473746cd33150de6ce4e6be53478ad6961414d1e34987d9eff4b3e17bcfe5a2
|
||||
|
||||
...
|
||||
|
|
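Review bot: The `gpg --detach-sign --armor /rpmrepo/teleport/repodata/repomd.xml` command in the new "Sign RPM repo metadata" step neither names the signing key nor runs non-interactively, so it signs with whichever secret key gpg selects as default from the extracted GPG_RPM_SIGNING_ARCHIVE and can block on a prompt in CI. Because /rpmrepo is a mounted volume and createrepo runs with --update, a repomd.xml.asc from an earlier run is presumably already present, and without `--yes` gpg may refuse to overwrite it instead of re-signing the freshly generated repomd.xml — worth confirming against a real run. I would pin the key and make the call batch-safe: `- gpg --batch --yes --local-user "<RPM_SIGNING_KEY_ID placeholder>" --detach-sign --armor /rpmrepo/teleport/repodata/repomd.xml`, so that a second key added to the archive later cannot silently change which key signs the index clients verify. The closing `rm -rf $GNUPGHOME` only executes if the preceding commands succeed, which is tolerable only because the comment says /tmpfs is an in-memory volume for key material; the volume definition itself is outside this hunk, as is the start of the enclosing `steps:` list.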