[Gluster-users] Gluster EPEL _5_ packages not signed

Grant Byers gbyers at indue.com.au
Fri Mar 7 04:30:34 UTC 2014


Hi Kaleb

Yes, it was just EL5. Apologies. I discovered this after I posted.

Are you sure yum is barfing on the signature? Yum on EL5 will barf if your repo uses anything stronger than sha1 (sha) for checksums. The default is sha256 when using createrepo to build the metadata.

FWIW, I sign all of our internal EL5 packages and have no problem at all. If it's not the repo itself, perhaps it is key strength. I'd be happy to test an RPM on EL5 if you're willing to sign it. Perhaps an --addsign?

Thanks,
Grant




-----Original Message-----
From: Kaleb Keithley [mailto:kkeithle at redhat.com] 
Sent: Friday, 7 March 2014 2:09 PM
To: Grant Byers
Cc: gluster-users at gluster.org
Subject: Re: [Gluster-users] Gluster EPEL _5_ packages not signed

 
> 
> I saw that this issue has been raised before for staging packages, but I'm
> wanting to bring to the attention of the relevant people/person that the
> LATEST Gluster stable packages are also not signed. There are no contact
> details within the package headers (see below), so I can't simply email the
> package maintainer. In any case, there can be zero trust placed in these
> packages. There is a GPG key assigned to the repo. Why not use it?
> 
> 
> 
> # rpm -qpi /var/www/html/repo/gluster-epel-5-x86_64/glusterfs-fuse-3.4.2-1.el5.x86_64.rpm
> 
>

First off, it's only the el5 RPMs that are not signed.

They aren't signed because YUM install of signed packages on RHEL5 and CentOS5 barfs on the signature.

If you know how to sign el5 packages so that yum doesn't barf, please share.

--

Kaleb
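
Added example (not part of the original thread or of the Gluster project's tooling): a shell check for the repo-metadata cause Grant describes, listing the checksum types declared in a repomd.xml and flagging any other than sha/sha1. The two sample repomd.xml files, their checksum values and the function names are constructed for illustration.

```shell
#!/bin/sh
# Flag yum repo metadata whose checksum type is not sha/sha1, the condition
# the reply above says makes yum on EL5 fail.

# Print each distinct checksum type declared in a repomd.xml, one per line.
repomd_checksum_types() {
    grep -oE '<(open-)?checksum[^>]*type="[^"]+"' "$1" \
        | sed -E 's/.*type="([^"]+)".*/\1/' \
        | sort -u
}

# Print the types other than sha/sha1; prints nothing if there are none.
el5_incompatible_types() {
    repomd_checksum_types "$1" | grep -vxE 'sha1?' || true
}

# Exit status 0 if every declared checksum type is sha/sha1, 1 otherwise.
repo_ok_for_el5() {
    [ -z "$(el5_incompatible_types "$1")" ]
}

# Constructed sample metadata (placeholder checksum values, not a real repo).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/repomd-default.xml" <<'EOF'
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <checksum type="sha256">0000</checksum>
    <open-checksum type="sha256">1111</open-checksum>
    <location href="repodata/primary.xml.gz"/>
  </data>
</repomd>
EOF
cat > "$SAMPLE_DIR/repomd-el5.xml" <<'EOF'
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <checksum type="sha">2222</checksum>
    <open-checksum type="sha">3333</open-checksum>
    <location href="repodata/primary.xml.gz"/>
  </data>
</repomd>
EOF

for f in "$SAMPLE_DIR"/repomd-*.xml; do
    if repo_ok_for_el5 "$f"; then
        echo "$f: sha/sha1 only"
    else
        # createrepo's -s/--checksum option selects the metadata checksum type.
        echo "$f: uses $(el5_incompatible_types "$f" | tr '\n' ' ')- rebuild with: createrepo -s sha <repo dir>"
    fi
done
```

Running this against a real repo's repodata/repomd.xml separates a metadata checksum problem from a package signature problem before any RPM is re-signed.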


