Sign RPM packages #15938

Open
donateur opened this issue Oct 25, 2022 · 6 comments

Comments

@donateur

donateur commented Oct 25, 2022

Is your feature request related to a problem? Please describe.
Thanks so much for providing packaged versions of MinIO, we have reasons not to run it in containers!

Currently we cannot be assured of the security of an RPM package provided by Minio, including the minio server itself and mcli, because the packages are unsigned. This means packages could be tampered with between them being built and installation on our systems.

Describe the solution you'd like
Please GPG sign the RPM packages built by MinIO (minio and mcli especially).

Describe alternatives you've considered
None - we need to use RHEL and for various reasons can't use containers.
Those reasons are mainly around simplicity so that MinIO can easily be recovered in the event of a major disaster. It stores our backups of our container systems like Kubernetes so needs to be recovered first.

Additional context
Note the "Signature" field below:

# rpm -qi minio-20221020005509.0.0.x86_64.rpm
Name        : minio
Epoch       : 0
Version     : 20221020005509.0.0
Release     : 1
Architecture: x86_64
Install Date: (not installed)
Group       : Applications/File
Size        : 102855599
License     : AGPLv3
Signature   : (none)
Source RPM  : minio-20221020005509.0.0-1.src.rpm
Build Date  : Thu 20 Oct 2022 17:26:51 AEDT
Build Host  : d106dbc50cba
Relocations : (not relocatable)
Packager    : MinIO Development <dev@minio.io>
Vendor      : MinIO, Inc.
URL         : https://min.io
Summary     : MinIO is a High Performance Object Storage released under AGPLv3.
Description :
MinIO is a High Performance Object Storage released under AGPLv3.
It is API compatible with Amazon S3 cloud storage service. Use MinIO to build
high performance infrastructure for machine learning, analytics and application
data workloads.
@harshavardhana
Member

Currently we cannot be assured of the security of an RPM package provided by Minio, including the minio server itself and mcli, because the packages are unsigned. This means packages could be tampered with between them being built and installation on our systems.

@donateur RPM packages package a single binary, and this binary has a minisign signature https://dl.minio.io/server/minio/release/linux-amd64/minio.RELEASE.2022-10-24T18-35-07Z.minisig

Does this not suffice for security?

@harshavardhana harshavardhana self-assigned this Oct 25, 2022
@donateur
Author

@donateur RPM packages package a single binary, and this binary has a minisign signature https://dl.minio.io/server/minio/release/linux-amd64/minio.RELEASE.2022-10-24T18-35-07Z.minisig

Thank you for the fast reply!

I was not familiar with this. While it does meet our needs, it will require us to come up with a custom validation method and we have to bypass an install warning about an unsigned RPM.
We're trying to automate the whole build process.

If the RPMs were signed it would make validation fully automatic using the native tools.
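The "install warning" above comes from the empty `Signature` field shown in the `rpm -qi` output earlier in the thread. The following is an added example (not code from MinIO or from anyone in this issue) of a small install gate that parses that output and refuses a package that is unsigned or signed by a key outside an allowlist; the trusted key ID and the signed sample are constructed placeholders, not real MinIO values.

```python
"""Gate RPM installs on the `Signature` field of `rpm -qi` output."""
import re
from typing import Optional, Tuple

# Key IDs this policy trusts. Hypothetical placeholder, not a real MinIO key ID.
TRUSTED_KEY_IDS = {"0123456789abcdef"}

# Constructed from the unsigned package output quoted in the issue.
UNSIGNED_QI = """Name        : minio
Version     : 20221020005509.0.0
Signature   : (none)
Packager    : MinIO Development <dev@minio.io>
"""

# Constructed sample of the field as rpm prints it for a GPG-signed package.
SIGNED_QI = """Name        : minio
Version     : 20221020005509.0.0
Signature   : RSA/SHA256, Thu 20 Oct 2022 17:30:00 AEDT, Key ID 0123456789abcdef
"""


def parse_rpm_qi(text: str) -> dict:
    """Parse `rpm -qi` key/value lines; stop at the multi-line Description block."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+?)\s*:\s?(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Description":
            break
        info[key] = value
    return info


def signing_key_id(info: dict) -> Optional[str]:
    """Return the lowercase key ID from the Signature field, or None if unsigned."""
    sig = info.get("Signature", "(none)")
    m = re.search(r"Key ID ([0-9a-fA-F]+)", sig)
    return m.group(1).lower() if m else None


def install_allowed(text: str, trusted=TRUSTED_KEY_IDS) -> Tuple[bool, str]:
    """Policy decision: only packages signed by a trusted key may be installed."""
    key_id = signing_key_id(parse_rpm_qi(text))
    if key_id is None:
        return False, "package carries no GPG signature (Signature: (none))"
    if key_id not in trusted:
        return False, f"signed by untrusted key {key_id}"
    return True, f"signed by trusted key {key_id}"
```

In practice the text would come from `rpm -qpi <file>.rpm`, and a signed package is then verified against the imported public key with `rpm -K`, which is the native check the comment above asks for.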

@stale

stale bot commented Jan 21, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 15 days if no further activity occurs. Thank you for your contributions.

@donateur
Author

This is still an issue. Not supporting native package signing forces us to ignore a (good) security warning on installation.
Also the custom validation method will add work to maintaining these packages on RHEL. Could you please consider setting up automated signing of your RPM packages?

@donateur
Author

Thanks @harshavardhana - just saw you removed stale and added do-not-close labels

@harshavardhana
Member

I will be doing this once I am back from my travel.
