Unsigned packages - plugins

Hello all,

Foreman-plugins in the yum repo are currently not signed.

Is that best-practice?

Dr Robert Mattson
Product Development
380 St Kilda Road,
Melbourne, Victoria, 3004
Australia

+61 3 9926 0000 phone
robert.mattson@harris.com
www.c4i.com

I am concerned about this as well.
Can we get these packages signed?

Thank you!

I suppose the main reason is that signing is a manual process and plugins are being built more often than core releases. Perhaps something worth exploring is whether automatic signing would bring some value while being easy to set up.

This is a very old issue (Bug #4788: Plugin rpms not signed - Packaging - Foreman). It can probably be done with a separate key from the manual signing but I can’t promise anything. IMHO it’s important as well for Katello since that relies on the plugin repo. The fact that it’s GPG signed but a dependent repo isn’t makes signing it useless.
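
An added example, not part of the thread or of Foreman's packaging: a Python check that reads yum/dnf `.repo` content and lists the enabled repositories whose packages would be installed without GPG verification, which is the weakest-link situation the last reply describes. The repo ids, URLs and key path in the sample are constructed, and `main_gpgcheck` is an assumed stand-in for the `[main]` default in yum.conf or dnf.conf.

```python
import configparser

# Constructed sample (not copied from a real system): a signed core repo,
# an unsigned plugin repo it depends on, and a disabled source repo.
SAMPLE_REPO_FILE = """
[foreman]
name=Core repo (constructed)
baseurl=https://repo.example.invalid/releases/el/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[foreman-plugins]
name=Plugin repo (constructed)
baseurl=https://repo.example.invalid/plugins/el/$basearch
enabled=1
gpgcheck=0

[foreman-plugins-source]
name=Plugin source repo (constructed)
baseurl=https://repo.example.invalid/plugins/source
enabled=0
gpgcheck=0
"""

def audit_repos(text, main_gpgcheck=False):
    """Return {repo_id: signature_check_enforced} for every enabled repo."""
    # interpolation=None keeps '%' in URLs literal; '$basearch' needs no care.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    result = {}
    for repo_id in parser.sections():
        section = parser[repo_id]
        if repo_id == "main" or not section.getboolean("enabled", fallback=True):
            continue  # global options and disabled repos are never installed from
        # A repo without its own gpgcheck line inherits the [main] setting.
        result[repo_id] = section.getboolean("gpgcheck", fallback=main_gpgcheck)
    return result

def unverified_repos(text, main_gpgcheck=False):
    """Enabled repos whose packages install without a signature check."""
    return sorted(r for r, ok in audit_repos(text, main_gpgcheck).items() if not ok)

def install_path_is_verified(text, main_gpgcheck=False):
    """The solver may pull from any enabled repo, so all of them must verify."""
    return not unverified_repos(text, main_gpgcheck)

if __name__ == "__main__":
    print("unverified:", unverified_repos(SAMPLE_REPO_FILE))
    print("fully verified:", install_path_is_verified(SAMPLE_REPO_FILE))
```
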