sign packages

[juju4]

At least on Fedoral/RHEL with gpgcheck, but likely valid for other packages platform

$ sudo rpm -ivh omi-1.6.8-1.ssl_110.ulinux.x64.rpm 
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
	package omi-1.6.8-1.x86_64 does not verify: no signature
 rpm -qpi omi-1.6.8-1.ssl_110.ulinux.x64.rpm 
Name        : omi
Version     : 1.6.8
Release     : 1
Architecture: x86_64
Install Date: (not installed)
Group       : System Environment/Daemons
Size        : 4615702
License     : MIT
Signature   : (none)
Source RPM  : omi-1.6.8-1.src.rpm
Build Date  : Wed Aug 11 23:54:49 2021
Build Host  : osbld64-rhel5-01.scx.com
Vendor      : Microsoft Corporation
Summary     : Open Management Infrastructure
Description :
omi server

[JumpingYang001]

will check it, thanks.

[JumpingYang001]

@juju4 GitHub release page packages are not signed and MS Repo packages are signed, and it is by design at present. @deepakjain111

[juju4]

IMHO, design should be reevaluated at least for platforms where it is possible.

On Fedora/RHEL/Centos, as official repositories support it, enabling signature is not difficult and expected on hardened setup (CIS Benchmark, STIG - https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2018-11-28/finding/V-71979 for example)

Less common for Debian/Ubuntu as official repositories don't support it (debsig - 7.5.5 https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html)

[deepakjain111]

Thanks @juju4 for suggestion.
We will definitely consider it.

[roelandjansen]

and exec before install:

sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc

may help here