Is there plans to sign the packages and provide repository hosting ?

CG_Foreau
CG_Foreau Posts: 4 New Member
edited March 7 in Linux Products

My use-case requires RPM packages for FSPM but this probably applies to other packaging formats and tools:

1 - The most pressing to me: do you plan to add RPM signing in the future (or packages in general) ? Most systems do not allow unsigned packages install as a rule and signing the packages in-house is a bit moronic as it changes the package's hash, which means that we loose the ability to verify that the package comes from F-Secure once we want to enforce its validation. See RedHat's website for instructions: https://access.redhat.com/articles/3359321 .

2 - Do you plan to host repositories ? This would truly ease updates as we could then refer to the online repository in our update scripts when offline / or in the configuration on-premise when online to get/install the latest version if we do not have version constraints.

Thanks,

Accepted Answer

  • Jamesch
    Jamesch Posts: 344 Moderator
    Answer ✓

    Hi,

    1) We do not send at the moment but will implement for future versions.

    2) And answer to hosting repos: no, not planned

    CG_Foreau

Answers

  • Jamesch
    Jamesch Posts: 344 Moderator

    Hi,

    I am currently checking this with our product team and shall get back to you.

    CG_Foreau
  • CG_Foreau
    CG_Foreau Posts: 4 New Member

    Hi,

    Do you have any update on this ?

  • Jamesch
    Jamesch Posts: 344 Moderator

    Hi,

    Apologies for the delayed response.

    We actually do send our deb and rpm packages for signing, and get some sig files back. We can implement this.

  • CG_Foreau
    CG_Foreau Posts: 4 New Member

    Thank you for the response.

    Is it already possible to download the public key that will be used to sign the packages ? If not, where will it be available ?

This discussion has been closed.