I am trying to set up a RHEL server with k6. Looking at the instructions to install the rpm repo, the file it instructs users to install under /etc/yum.repos.d/ contains two lines:
gpgcheck=0
repo_gpgcheck=0
This disables signature verification of the RPM files and the yum repository metadata.
If I remove the lines (or change the value to 1), running yum install k6 fails with the error:
Package k6-v0.25.1-amd64.rpm is not signed
Is this not a security issue, especially when using a 3rd party service (Bintray) to distribute the packages? If Bintray is compromised, an attacker can upload a malicious k6 package and all the systems using the repo would install it without question.
Hi there, this is a bit of an old thread, but just to let you know that RPM packages are now signed with our own GPG key, and gpgcheck is enabled for the repo. See the updated installation instructions.
We missed signing of the repo metadata, so repo_gpgcheck is still disabled, but we’ll make that happen soon as well. Now that we have control over the repositories it shouldn’t take us a year.
Slight correction: we decided to not sign repo metadata and leave repo_gpgcheck disabled since it’s known to cause issues, and is not enabled even on main Fedora repositories.
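To make the two configurations in this thread concrete (the original unsigned layout in the question versus the signed layout the reply describes), here is an added audit script that is not from the k6 project or from any poster in the thread. It writes two constructed .repo files into a directory and then scans every .repo file in that directory section by section, flagging any section whose gpgcheck is not 1. repo_gpgcheck is reported but does not affect the verdict, since the last reply states that it is intentionally left disabled. The baseurl and gpgkey values are placeholders, not real k6 URLs.

```shell
#!/bin/sh
# Constructed sample data: two .repo files resembling the layouts discussed above.
# URLs are placeholders (example.invalid), not the project's real endpoints.
make_sample_repos() {
    dir="$1"
    cat > "$dir/k6-old.repo" <<'EOF'
[k6]
name=k6 (constructed, pre-signing layout from the question)
baseurl=https://example.invalid/k6-rpm
enabled=1
gpgcheck=0
repo_gpgcheck=0
EOF
    cat > "$dir/k6-signed.repo" <<'EOF'
[k6]
name=k6 (constructed, signed layout from the reply)
baseurl=https://example.invalid/k6-rpm
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://example.invalid/KEY-PLACEHOLDER.gpg
EOF
}

# Audit every .repo file under DIR. Prints one line per [section]:
#   <file>:[<section>] gpgcheck=<v> repo_gpgcheck=<v> OK|INSECURE
# Returns 0 when every section has gpgcheck=1, 1 otherwise.
# A missing key is reported as "unset"; yum then falls back to /etc/yum.conf,
# so treat "unset" as something to verify rather than as safe.
audit_repo_dir() {
    dir="$1"
    bad=0
    for f in "$dir"/*.repo; do
        [ -e "$f" ] || continue
        out=$(awk -v file="$f" '
            function flush() {
                if (sec == "") return
                verdict = (gc == "1") ? "OK" : "INSECURE"
                printf "%s:[%s] gpgcheck=%s repo_gpgcheck=%s %s\n", file, sec, gc, rgc, verdict
            }
            /^[ \t]*[#;]/ { next }                       # comment line
            /^[ \t]*\[/ {                                # new [section]
                flush()
                sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
                gc = "unset"; rgc = "unset"; next
            }
            /^[ \t]*gpgcheck[ \t]*=/      { split($0, a, "="); v = a[2]; gsub(/[ \t]/, "", v); gc = v;  next }
            /^[ \t]*repo_gpgcheck[ \t]*=/ { split($0, a, "="); v = a[2]; gsub(/[ \t]/, "", v); rgc = v; next }
            END { flush() }
        ' "$f")
        printf '%s\n' "$out"
        if printf '%s\n' "$out" | grep -q INSECURE; then bad=1; fi
    done
    return "$bad"
}

# Stand-alone usage: build the samples in a temp dir and audit them.
if [ "${AUDIT_DEMO:-1}" = "1" ]; then
    demo=$(mktemp -d)
    make_sample_repos "$demo"
    audit_repo_dir "$demo" || echo "at least one repo section has gpgcheck disabled"
    rm -rf "$demo"
fi
```

Running `audit_repo_dir /etc/yum.repos.d` on a real host gives the same one-line-per-section report; the exit status makes it usable from a cron job or configuration-management check, and the gpgcheck=0 line in the pre-signing file is exactly the setting the question objects to.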