Sign RPM packages #15938
Comments
@donateur RPM packages package a single binary and this binary has a minisign signature https://dl.minio.io/server/minio/release/linux-amd64/minio.RELEASE.2022-10-24T18-35-07Z.minisig Does this not suffice for security?
Thank you for the fast reply! I was not familiar with this. While it does meet our needs, it will require us to come up with a custom validation method and we have to bypass an install warning about an unsigned RPM. If the RPMs were signed it would make validation fully automatic using the native tools.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 15 days if no further activity occurs. Thank you for your contributions.
This is still an issue. Not supporting native package signing forces us to ignore a (good) security warning on installation.
Thanks @harshavardhana - just saw you removed stale and added do-not-close labels
I will be doing this once I am back from my travel.
Is your feature request related to a problem? Please describe.
Thanks so much for providing packaged versions of MinIO, we have reasons not to run it in containers!
Currently we cannot be assured of the security of an RPM package provided by MinIO, including the minio server itself and mcli, because the packages are unsigned. This means packages could be tampered with between being built and being installed on our systems.
Describe the solution you'd like
Please GPG sign the RPM packages built by MinIO (minio and mcli especially).
Describe alternatives you've considered
None - we need to use RHEL and for various reasons can't use containers.
Those reasons are mainly around simplicity so that MinIO can easily be recovered in the event of a major disaster. It stores our backups of our container systems like Kubernetes so needs to be recovered first.
Additional context
Note the "Signature" field below:
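The check the reporter wants to automate can be expressed as a small policy over the "Signature" field that `rpm -qpi` prints: refuse a package whose field is `(none)` or whose key ID is not on an allowlist. This is an added example, not code from the MinIO project; the key IDs and the sample `rpm -qpi` output embedded below are constructed placeholders.

```shell
#!/bin/sh
# Decide whether an RPM's "Signature" field (from `rpm -qpi pkg.rpm`) is acceptable.
# Return codes: 0 = signed by an allowlisted key, 1 = unsigned, 2 = unknown key.
# Constructed placeholder key IDs; replace with the vendor's published key IDs.
TRUSTED_KEY_IDS="0123456789abcdef fedcba9876543210"

# Usage: check_rpm_signature "<text printed by rpm -qpi>"
check_rpm_signature() {
  sigline=$(printf '%s\n' "$1" | grep -i '^Signature[[:space:]]*:' | head -n 1)
  case "$sigline" in
    ""|*"(none)"*) return 1 ;;            # no signature header at all
  esac
  # Pull the hex key ID out of e.g. "RSA/SHA256, <date>, Key ID 0123456789abcdef"
  keyid=$(printf '%s\n' "$sigline" | sed -n 's/.*Key ID \([0-9a-fA-F]*\).*/\1/p' | tr 'A-F' 'a-f')
  [ -n "$keyid" ] || return 2
  for k in $TRUSTED_KEY_IDS; do
    [ "$k" = "$keyid" ] && return 0
  done
  return 2                                # signed, but not by a key we trust
}

# Constructed sample outputs in the layout `rpm -qpi` uses.
UNSIGNED_INFO='Name        : minio
Version     : 20221024183507.0.0
Signature   : (none)
Summary     : MinIO object storage'
SIGNED_INFO='Name        : minio
Version     : 20221024183507.0.0
Signature   : RSA/SHA256, Mon 24 Oct 2022 06:35:07 PM UTC, Key ID 0123456789abcdef
Summary     : MinIO object storage'
UNKNOWN_INFO='Signature   : RSA/SHA256, Mon 24 Oct 2022 06:35:07 PM UTC, Key ID deadbeefdeadbeef'

# Wrapper for a real package file: verify_and_report /path/to/minio.rpm
verify_and_report() {
  info=$(rpm -qpi "$1" 2>/dev/null) || { echo "cannot read $1"; return 3; }
  rc=0; check_rpm_signature "$info" || rc=$?
  case $rc in
    0) echo "trusted signature on $1" ;;
    1) echo "UNSIGNED package $1: refusing to install" ;;
    2) echo "package $1 signed by unknown key $keyid: refusing to install" ;;
  esac
  return $rc
}
```

Running `verify_and_report` in a pre-install step turns the rpm "unsigned package" warning into a hard failure instead of something an operator learns to click through.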