
Are there plans to sign the packages and provide repository hosting?

CG_Foreau
CG_Foreau W/ Alumni Posts: 3 Security Scout
edited March 2022 in Linux Products

My use case requires RPM packages for FSPM, but this probably applies to other packaging formats and tools:

1 - The most pressing to me: do you plan to add RPM signing in the future (or package signing in general)? Most systems do not allow unsigned package installs as a rule, and signing the packages in-house is a bit moronic, as it changes the package's hash, which means that we lose the ability to verify that the package comes from F-Secure once we want to enforce its validation. See Red Hat's website for instructions: https://access.redhat.com/articles/3359321 .

2 - Do you plan to host repositories? This would truly ease updates, as we could then point to the online repository in our update scripts (when offline) or in the on-premise configuration (when online) to get/install the latest version if we do not have version constraints.

Thanks,
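One way to enforce the check described above in an update script, as an added example that is not part of the original post or of F-Secure's tooling: read the signature header that `rpm -qp --qf '%{SIGPGP:pgpsig}'` reports for a package, refuse anything unsigned, and refuse anything whose signing key ID is not the vendor key you have pinned. The key IDs and the sample `rpm` output lines below are constructed placeholders, not real F-Secure keys or packages.

```python
"""Gate an RPM install on the vendor's signing key.

Added example (not from the forum thread or F-Secure). Once package signing
is enforced, an update script needs two things: the package must carry a PGP
signature, and that signature must come from a key we have pinned. A package
re-signed in-house (or by anyone else) fails the second test, because its
signature carries a different key ID. Key IDs and sample output are
constructed placeholders.
"""
import re
import subprocess
from typing import Optional, Tuple

# Constructed placeholder: key ID(s) of the vendor's package-signing key.
# In practice, take this from the vendor's published public key
# (e.g. gpg --show-keys --with-colons vendor.asc) and pin it here.
TRUSTED_KEY_IDS = {"0123456789abcdef"}

# rpm prints the signature as "<algo>/<hash>, <date>, Key ID <hex digits>",
# or "(none)" when the package is unsigned.
_KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,16})\s*$")


def query_pgpsig(rpm_path: str) -> str:
    """Return the raw %{SIGPGP:pgpsig} string for a package on disk.

    Not exercised in the offline sample run below; requires the rpm tool.
    The key ID is only what the signature packet claims, so always pair this
    with `rpmkeys --checksig <pkg>` (vendor key imported) for the actual
    cryptographic verification.
    """
    out = subprocess.run(
        ["rpm", "-qp", "--qf", "%{SIGPGP:pgpsig}", rpm_path],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


def extract_key_id(pgpsig: str) -> Optional[str]:
    """Pull the (lowercased) signing key ID out of rpm's pgpsig string.

    Returns None for unsigned packages or unparseable output, so the caller
    fails closed rather than treating garbage as a signature.
    """
    m = _KEY_ID_RE.search(pgpsig.strip())
    return m.group(1).lower() if m else None


def check_package(pgpsig: str, trusted_key_ids=TRUSTED_KEY_IDS) -> Tuple[bool, str]:
    """Decide whether a package may be installed.

    Accept only if it is signed AND the signing key is one we pinned.
    """
    key_id = extract_key_id(pgpsig)
    if key_id is None:
        return False, "package is unsigned or signature could not be parsed"
    if key_id not in {k.lower() for k in trusted_key_ids}:
        return False, f"signed by untrusted key {key_id}"
    return True, f"signed by trusted key {key_id}"


# Constructed sample rpm output for three packages (not real F-Secure packages).
SAMPLE_PGPSIGS = {
    "vendor-signed.rpm": "RSA/SHA256, Tue 01 Mar 2022 10:00:00 AM UTC, Key ID 0123456789abcdef",
    "resigned-inhouse.rpm": "RSA/SHA256, Wed 02 Mar 2022 09:15:00 AM UTC, Key ID fedcba9876543210",
    "unsigned.rpm": "(none)",
}

if __name__ == "__main__":
    for name, sig in SAMPLE_PGPSIGS.items():
        ok, reason = check_package(sig)
        print(f"{name}: {'ALLOW' if ok else 'DENY'} ({reason})")
```

The key-ID gate answers the question "does this come from the vendor?", which `gpgcheck=1` alone does not: yum/dnf will happily accept any key that has been imported into the rpm keyring, including an in-house one. Keep the cryptographic check (`rpmkeys --checksig`) as the first step and this pin as the second; neither replaces the other.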

Best Answer

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 509 Moderator

    Hi,

    1) We do not send at the moment, but will implement it for future versions.

    2) And the answer to hosting repos: no, not planned.

Answers

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 509 Moderator

    Hi,

    I am currently checking this with our product team and shall get back to you.

  • CG_Foreau
    CG_Foreau W/ Alumni Posts: 3 Security Scout

    Hi,

    Do you have any update on this?

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 509 Moderator

    Hi,

    Apologies for the delayed response.

    We actually do send our deb and rpm packages for signing, and get some .sig files back. We can implement this.

  • CG_Foreau
    CG_Foreau W/ Alumni Posts: 3 Security Scout

    Thank you for the response.

    Is it already possible to download the public key that will be used to sign the packages? If not, where will it be available?

This discussion has been closed.