rpm -qpi timescaledb-tools-0.14.3-0.el8.x86_64.rpm shows that the package has no signature.
How can this be fixed? (and make sure other packages are signed as well?) Because it seems a bit useless to provide a GPG check without (a) signed package(s).
2 things that might help, I guess, are:
sign the missing packages
and/or provide an alternate repo location for unsigned packages
Hello @xdk, I checked it with a core database engineer, and apparently, it is a general issue - we do not sign our packages, so it is not specific to this package.
The core DB team is aware of it and will probably look more carefully in the following sprints!
I’ll post news here when I know more details about the development plans!
Seems a bit of a contradiction though, providing a URI for the GPG key(s) to a package location with unsigned packages.
This causes package installation(s) to fail, unless we set gpgcheck=0… which completely defeats the purpose of providing the gpgkey uri in the first place. Would be best to provide a separate location that provides unsigned packages (or just sign them).
(note that other packages of TimescaleDB are successfully being installed (and thus are signed), I came across this specific package that wasn’t)
Yes, we can provide signed and unsigned packages. I hope the team finds the proper solution soon! I’ll try to keep this post up to date when they have news in this regard.
Any updates regarding this issue? We have the same problem with RHEL 8.
Downloading Packages:
[SKIPPED] timescaledb-tools-0.14.3-0.el8.x86_64.rpm: Already downloaded
Package timescaledb-tools-0.14.3-0.el8.x86_64.rpm is not signed
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: GPG check FAILED
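
For anyone auditing a mirror or the dnf cache for the "is not signed" condition discussed in this thread, here is an added example (not from any poster or from the TimescaleDB project) that reads an RPM's signature header directly and lists the OpenPGP signature tags it carries, without needing rpm installed. The function names and the sample bytes are constructed for illustration.

```python
import struct

LEAD_SIZE = 96                      # fixed-size legacy "lead" at the start of every RPM
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header-structure magic + version 1
# Signature-header tags that hold an OpenPGP signature.
SIGNATURE_TAGS = {267: "DSA (header)", 268: "RSA (header)",
                  1002: "PGP (header+payload)", 1005: "GPG (header+payload)"}

def signature_tags(data: bytes) -> list[str]:
    """Return names of OpenPGP signature tags in an RPM's signature header.

    An empty list is the 'is not signed' case. Presence of a tag only means
    a signature exists; verifying it against a trusted key is rpm's job.
    """
    if len(data) < LEAD_SIZE + 16 or data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file (bad lead)")
    intro = data[LEAD_SIZE:LEAD_SIZE + 16]
    if intro[:4] != HEADER_MAGIC:
        raise ValueError("signature header magic missing")
    n_index, _store_size = struct.unpack(">II", intro[8:16])
    index_start = LEAD_SIZE + 16
    index_end = index_start + 16 * n_index
    if index_end > len(data):
        raise ValueError("truncated signature header index")
    found = []
    for off in range(index_start, index_end, 16):
        tag, _type, _offset, _count = struct.unpack(">IIII", data[off:off + 16])
        if tag in SIGNATURE_TAGS:
            found.append(SIGNATURE_TAGS[tag])
    return found

def sample_rpm(tags: list[int]) -> bytes:
    """Constructed test input: lead + signature header with the given tags."""
    lead = LEAD_MAGIC + b"\x00" * (LEAD_SIZE - 4)
    store = b"\x00" * 16
    intro = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(tags), len(store))
    index = b"".join(struct.pack(">IIII", t, 7, 0, 16) for t in tags)  # type 7 = BIN
    return lead + intro + index + store

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:          # e.g. the cached .rpm files dnf complained about
        with open(path, "rb") as fh:
            tags = signature_tags(fh.read(1 << 20))
        print(path, "signed: " + ", ".join(tags) if tags else "NOT SIGNED")
```

A package that carries only digest tags (size, MD5, SHA1, SHA256) returns an empty list, which is the case dnf rejects when gpgcheck=1.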