Where can I find rpm files public key?

Hello,

I’m trying to install openfire from the RPM file provided on the website, however I can’t seem to find the public key that would allow me to validate the rpm. Trying to browse https://download.igniterealtime.org/openfire/ was unsuccessful and I don’t see a link to it in the documentation I read. Could you tell me where/how to find it?

Thanks,

We provide SHA1SUM values for all distributables. You can find them in the blogpost that announces the release, or, for every release, as part of the ‘releases’ page on GitHub: https://github.com/igniterealtime/Openfire/releases

Thank you for your answer, however this does not help me.
It is actually my bad here: I incorrectly assumed that the provided RPMs were signed, which is not the case (‘rpm -kv <file>’ does not show any signature).

Do you have any plan to sign the rpm files generated for openfire? Relevant documentation here: http://ftp.rpm.org/max-rpm/s1-rpm-pgp-signing-packages.html. You will also need a gpg key pair (private key to sign, public key - which I was asking for - to distribute).

Our use-case is that we install openfire from a local repository and enforce gpgcheck. Not having a default signature means that we will have to re-sign the rpm on our side, thus deploying an rpm that can’t match any of the official sha1sum, which is suboptimal as the key won’t come from an official source but be project/context-specific instead.
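The local-repository workflow described in this post, as an added example that is not part of the original thread or the Openfire project's own tooling: it refuses to re-sign an RPM unless the file still matches the SHA1 published upstream, then records the upstream SHA1 next to the checksum of the re-signed file so the package stays traceable. The function names, the `MANIFEST` path and the key ID argument are assumptions; `rpmsign --addsign` and `rpm -K` are the standard RPM signing and signature-check commands.

```shell
#!/bin/sh
# Added example: gate local re-signing on the upstream SHA1.
# Hypothetical names: verify_upstream_sha1, resign_verified_rpm, MANIFEST.

MANIFEST="${MANIFEST:-./resign-manifest.tsv}"

# Return 0 only if FILE hashes to the SHA1 value published by upstream.
# Return 2 for unusable input (missing file, malformed checksum).
verify_upstream_sha1() {
    vus_file=$1
    vus_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$vus_file" ] || { echo "missing: $vus_file" >&2; return 2; }
    # Reject anything that is not exactly 40 hex characters.
    case $vus_want in
        *[!0-9a-f]*|'') echo "bad SHA1 value" >&2; return 2 ;;
    esac
    [ "${#vus_want}" -eq 40 ] || { echo "bad SHA1 length" >&2; return 2; }
    vus_have=$(sha1sum -- "$vus_file" | cut -d' ' -f1)
    [ "$vus_have" = "$vus_want" ]
}

# Sign FILE with the local key KEYID, but only after the upstream check passes.
resign_verified_rpm() {
    rvr_file=$1 rvr_sha1=$2 rvr_key=$3
    if ! verify_upstream_sha1 "$rvr_file" "$rvr_sha1"; then
        echo "refusing to sign $rvr_file: upstream SHA1 mismatch" >&2
        return 1
    fi
    # Signing rewrites the file, so its checksum changes from here on.
    rpmsign --define "_gpg_name $rvr_key" --addsign "$rvr_file" || return 3
    # Confirm the new signature verifies against the imported public key.
    rpm -K "$rvr_file" || return 4
    # Record upstream SHA1 -> signed SHA256 for later audits.
    printf '%s\t%s\t%s\n' "$(basename -- "$rvr_file")" "$rvr_sha1" \
        "$(sha256sum -- "$rvr_file" | cut -d' ' -f1)" >> "$MANIFEST"
}
```

Call it as `resign_verified_rpm <file>.rpm <published-sha1> <local-key-id>` before copying the package into the repository; the local public key must already be imported with `rpm --import` for the `rpm -K` step to pass.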

There are no plans to do this… up to now. I’m not against this. Roping in @akrherz to get his thoughts on the matter…

It would be nice to have this along with daily updating apt-get and yum/dnf repos. So I am not against it at all 🙂