
[feature request] Add ability to sign packages built with packaging script / Offer signed packages on Downloads page #5122

Closed
binaryphile opened this issue Dec 15, 2015 · 3 comments

Comments

@binaryphile

Seeing md5s on the downloads is nice, but I'm really uncomfortable with downloads which aren't digitally signed by the author. I want to know that the software I'm recommending for production has had reasonable precautions taken to prevent tampering. Signing is so easy these days, I'm surprised they aren't already.

What are your plans regarding signing downloads?

@rossmcdonald
Contributor

@binaryphile The packages downloaded through the repository (repos.influxdata.com) are already signed if you need something in the short-term. In the longer term, we are currently revamping our build process, but I'll add this as a feature request to offer signed packages through the Downloads page as well.

@rossmcdonald rossmcdonald changed the title Signatures on downloads [feature request] Add ability to sign packages built with packaging script / Offer signed packages on Downloads page Dec 15, 2015
@binaryphile
Author

Thanks, that's great.

@rossmcdonald
Contributor

This has been fixed with #6148.

There will now be detached signatures uploaded with each release (URL + '.asc'), so, for example, to verify the package contents on Ubuntu:

wget -q https://repos.influxdata.com/influxdb.key && \
    gpg --import influxdb.key && \
    rm -f influxdb.key

INFLUXDB_VERSION="0.11.0"
wget -q https://s3.amazonaws.com/influxdb/influxdb_$INFLUXDB_VERSION-1_amd64.deb.asc && \
    wget -q https://s3.amazonaws.com/influxdb/influxdb_$INFLUXDB_VERSION-1_amd64.deb && \
    gpg --verify influxdb_$INFLUXDB_VERSION-1_amd64.deb.asc influxdb_$INFLUXDB_VERSION-1_amd64.deb && \
    dpkg -i influxdb_$INFLUXDB_VERSION-1_amd64.deb

Where you should see a GPG message based on whether the signature was verified, such as:

gpg: Signature made Tue Mar 29 19:03:59 2016 UTC using RSA key ID 2582E0C5
gpg: Good signature from "InfluxDB Packaging Service <support@influxdb.com>"
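The verification step above relies on gpg's exit status, which is 0 for a good signature from any key in the local keyring, even one that was never marked trusted. The following POSIX sh snippet is an added example, not code from this thread or from the InfluxDB project: it reads gpg's machine-readable `--status-fd` lines and accepts the package only when a VALIDSIG line carries the expected signing-key fingerprint and no BADSIG, ERRSIG or NO_PUBKEY line appears. The fingerprint value is a placeholder; the function and variable names (`check_gpg_status`, `verify_package`, `EXPECTED_FPR`) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the issue thread): pin the signing key when
# verifying a detached .asc signature, instead of trusting gpg's exit code.

# Expected fingerprint of the key that signs the packages. PLACEHOLDER:
# replace with the fingerprint shown by `gpg --fingerprint` for the key
# you imported from repos.influxdata.com/influxdb.key.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# Read `gpg --status-fd 1` lines from stdin. Return 0 only if a VALIDSIG
# line names the expected fingerprint (the signing key or subkey) and no
# BADSIG / ERRSIG / NO_PUBKEY line was seen.
check_gpg_status() {
    expected="$1"
    valid=1
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG $expected "*) valid=0 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*) bad=1 ;;
        esac
    done
    if [ "$bad" -eq 0 ] && [ "$valid" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Verify PACKAGE against its detached signature (default: PACKAGE.asc).
# gpg's human-readable messages still go to stderr; status lines go to
# stdout and are checked by check_gpg_status.
verify_package() {
    pkg="$1"
    sig="${2:-$1.asc}"
    gpg --status-fd 1 --verify "$sig" "$pkg" | check_gpg_status "$EXPECTED_FPR"
}

# Usage (assumes the .deb and .asc were downloaded as in the comment above):
#   verify_package influxdb_0.11.0-1_amd64.deb && sudo dpkg -i influxdb_0.11.0-1_amd64.deb
```

Pinning the fingerprint means a "Good signature" from some other key that happens to be in the keyring is rejected, which is the property the downloads page cannot give you through an md5 alone.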
