BUG #16948: Packages not signed - Mailing list pgsql-bugs
From | PG Bug reporting form |
---|---|
Subject | BUG #16948: Packages not signed |
Date | |
Msg-id | 16948-4e66275309cea117@postgresql.org |
Responses | Re: BUG #16948: Packages not signed |
List | pgsql-bugs |
The following bug has been logged on the website:

Bug reference: 16948
Logged by: Karsten Lenz
Email address: karsten.lenz@dbi-services.com
PostgreSQL version: 13.2
Operating system: SLES 15SP2
Description:

Now I've got an example with packages either signed by key with ID 1f16d2e1442df0f8 (postgres) or not signed at all. It looks like packages are not signed anymore for the latest versions/releases.

From the Postgresql13 packages for SLES15 on https://download.postgresql.org/pub/repos/zypp/13/suse/sles-15.2-x86_64/, not all packages are signed:

    SLES15_HOST:/var/cache/zypp/packages/artifactory:psqlsc-sles15-pgdg-13 # rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE} (a)%{SIGPGP:pgpsig} (b)%{SIGGPG:pgpsig}\n' *.rpm
    pg_qualstats_13-2.0.2-2.sles15 (a)(none) (b)DSA/SHA1, Thu Nov 12 02:29:06 2020, Key ID 1f16d2e1442df0f8
    pg_stat_kcache_13-2.2.0-1.sles15 (a)(none) (b)(none)
    postgresql13-13.2-1PGDG.sles15 (a)(none) (b)(none)
    postgresql13-contrib-13.2-1PGDG.sles15 (a)(none) (b)(none)
    postgresql13-libs-13.2-1PGDG.sles15 (a)(none) (b)(none)
    postgresql13-server-13.2-1PGDG.sles15 (a)(none) (b)(none)
    repmgr_13-5.2.1-2.sles15 (a)(none) (b)(none)

Whereas for Postgres11, SLES12, all packages were signed (https://download.postgresql.org/pub/repos/zypp/11/suse/sles-12.5-x86_64/):

    SLES12_HOST:~ # rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} (a)%{SIGPGP:pgpsig} (b)%{SIGGPG:pgpsig}\n' | egrep "pg_|postg|repm"
    pg_qualstats11-1.0.6-1.sles12 (a)(none) (b)DSA/SHA1, Fri Nov 9 00:23:20 2018, Key ID 1f16d2e1442df0f8
    postgresql11-server-11.9-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu Aug 13 16:02:50 2020, Key ID 1f16d2e1442df0f8
    repmgr11-5.0.0-1.sles12 (a)(none) (b)DSA/SHA1, Tue Dec 10 11:19:44 2019, Key ID 1f16d2e1442df0f8
    postgresql11-contrib-11.9-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu Aug 13 16:02:50 2020, Key ID 1f16d2e1442df0f8
    postgresql11-libs-11.9-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu Aug 13 16:02:50 2020, Key ID 1f16d2e1442df0f8
    pg_stat_kcache11-2.1.1-1.sles12.1 (a)(none) (b)DSA/SHA1, Thu Oct 18 14:47:26 2018, Key ID 1f16d2e1442df0f8
    postgresql11-11.9-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu Aug 13 16:02:50 2020, Key ID 1f16d2e1442df0f8

From the Postgresql11 repo for SLES12 SP5 and Postgresql13 for SLES15 SP2 I've downloaded the last few versions of the postgresql1x-server rpm. Older packages are signed, but not the latest ones:

    rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE} (a)%{SIGPGP:pgpsig} (b)%{SIGGPG:pgpsig}\n' post*.rpm | sort
    warning: postgresql11-server-11.10-1PGDG.sles12.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 442df0f8: NOKEY
    postgresql11-server-11.10-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu 12 Nov 2020 01:37:45 AM CET, Key ID 1f16d2e1442df0f8
    postgresql11-server-11.11-1PGDG.sles12 (a)(none) (b)(none)
    postgresql11-server-11.8-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Fri 15 May 2020 12:50:23 PM CEST, Key ID 1f16d2e1442df0f8
    postgresql11-server-11.9-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu 13 Aug 2020 04:02:50 PM CEST, Key ID 1f16d2e1442df0f8
    postgresql13-server-13.0-1PGDG.sles15 (a)(none) (b)DSA/SHA1, Wed 23 Sep 2020 08:41:46 PM CEST, Key ID 1f16d2e1442df0f8
    postgresql13-server-13.1-1PGDG.sles15 (a)(none) (b)DSA/SHA1, Thu 12 Nov 2020 01:18:36 AM CET, Key ID 1f16d2e1442df0f8

Are packages not signed anymore by intention?
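
The check in the report above can be automated as a gate in front of a local mirror. The following is an added example, not part of the original message or of the PostgreSQL packaging tooling: a POSIX shell function that reads the same `rpm --qf` output format and classifies each package as signed by the expected key, signed by another key, or unsigned. The function names `audit_sigs` and `sample_lines` and the `example-pkg` line are assumptions made for illustration; the other sample lines are taken from the report.

```shell
#!/bin/sh
# Added example. Reads, on stdin, the output of
#   rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE} (a)%{SIGPGP:pgpsig} (b)%{SIGGPG:pgpsig}\n' *.rpm
# and prints one "<STATE> <package>" line per package:
#   OK        every signature present names the expected key ID
#   WRONGKEY  a signature names a different key ID
#   UNSIGNED  both signature tags are "(none)"
# $1 is the expected 16-hex-digit key ID. Exit status is 1 if any package is not OK.
audit_sigs() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v want="$want" '
    # Package records carry both the (a) and (b) fields; rpm "warning:" lines do not.
    / \(a\).* \(b\)/ && !/^warning:/ {
        pkg = $1
        rest = tolower($0)
        state = "UNSIGNED"
        # Walk every "Key ID <hex>" in the record (PGP and GPG tags).
        while (match(rest, /key id [0-9a-f]+/)) {
            id = substr(rest, RSTART + 7, RLENGTH - 7)
            if (id != want) { state = "WRONGKEY"; break }
            state = "OK"
            rest = substr(rest, RSTART + RLENGTH)
        }
        print state, pkg
        if (state != "OK") bad = 1
    }
    END { exit bad + 0 }'
}

# Sample input: the first four lines are from the report above; the
# example-pkg line and its key ID are constructed for illustration.
sample_lines() {
    cat <<'EOF'
warning: postgresql11-server-11.10-1PGDG.sles12.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 442df0f8: NOKEY
postgresql11-server-11.10-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu 12 Nov 2020 01:37:45 AM CET, Key ID 1f16d2e1442df0f8
postgresql11-server-11.11-1PGDG.sles12 (a)(none) (b)(none)
postgresql13-server-13.1-1PGDG.sles15 (a)(none) (b)DSA/SHA1, Thu 12 Nov 2020 01:18:36 AM CET, Key ID 1f16d2e1442df0f8
example-pkg-1.0-1 (a)(none) (b)DSA/SHA1, Thu 12 Nov 2020 01:18:36 AM CET, Key ID 0123456789abcdef
EOF
}

sample_lines | audit_sigs 1f16d2e1442df0f8 || echo "gate: unsigned or unexpected-key packages present"
```

The query format only reports which signature tags a package header carries; `rpm --checksig` against the imported repository key is what verifies the signature itself.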