MariaDB Enterprise Supply Chain Security

Overview

Supply chain security should be taken into account during deployment. This page describes how to validate the sums and signatures of downloaded files and of the packages installed from the MariaDB Enterprise repositories.

Validating Sums and Signatures

Use cryptographic hash sums and cryptographic signatures to validate the integrity and authenticity of a downloaded file.

Validate SHA256 Sums

To check a known SHA256 cryptographic hash sum against the SHA256 of a file:

$ echo "733f247c626d965304b678b62a4b86eb4bb8bf956f98a241b6578dedc6ca4020  mariadb_es_repo_setup" \
    | sha256sum -c -

Validate Signatures with YUM

To direct YUM (CentOS, RHEL, Rocky Linux) to validate cryptographic signatures, ensure this line DOES appear in /etc/yum.conf and in every repository section of each .repo file in /etc/yum.repos.d/:

gpgcheck = 1

Validate Signatures with APT

To direct APT (Debian, Ubuntu) to validate cryptographic signatures, ensure that [trusted=yes] DOES NOT appear for any repository listed in /etc/apt/sources.list or in the configuration files in the /etc/apt/sources.list.d/ directory.

APT does not verify the signatures of repositories marked [trusted=yes], so their packages are installed without authentication.

After changing the repository configuration, update the package cache: apt update
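The sum check above and the YUM and APT settings in the two sections above can be verified with a small script. The following is an added example, not MariaDB's own tooling: it checks a download against a known SHA256 sum, fails any .repo file whose sections lack gpgcheck=1, and fails any one-line-format sources file that carries [trusted=yes]. The config files it reads are constructed samples written to a temporary directory, so it runs offline; the sum used is that of the constructed download.bin.

```shell
# Added example, not MariaDB's own tooling: verify a download's SHA256 sum and
# audit YUM/APT repository files for the settings this page asks for.
# verify_sha256 EXPECTED_HEX FILE -> exit 0 only if FILE has that SHA256 sum
verify_sha256() {
    printf '%s  %s\n' "$1" "$2" | sha256sum -c --status -
}

# audit_yum_repos DIR -> exit 0 only if every [section] of every .repo file in
# DIR carries gpgcheck=1 (a missing gpgcheck line counts as a failure)
audit_yum_repos() {
    rc=0
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        sections=$(grep -c '^\[' "$f" || true)
        checked=$(grep -cE '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1' "$f" || true)
        if [ "$sections" -ne "$checked" ]; then
            echo "WARN: $f: $sections sections, $checked with gpgcheck=1" >&2
            rc=1
        fi
    done
    return $rc
}

# audit_apt_sources FILE... -> exit 0 only if no deb/deb-src line carries [trusted=yes]
audit_apt_sources() {
    rc=0
    for f in "$@"; do
        if grep -nE '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes' "$f" >&2; then
            echo "WARN: $f: the line above disables signature checks" >&2
            rc=1
        fi
    done
    return $rc
}

# make_samples DIR -> constructed config files, one compliant and one not of each kind
make_samples() {
    mkdir -p "$1/yum" "$1/apt"
    printf '[mariadb-es]\ngpgcheck=1\n' > "$1/yum/good.repo"
    printf '[mariadb-es]\ngpgcheck=0\n' > "$1/yum/bad.repo"
    printf 'deb https://example.invalid/repo stable main\n' > "$1/apt/good.list"
    printf 'deb [trusted=yes] https://example.invalid/repo stable main\n' > "$1/apt/bad.list"
    printf 'hello\n' > "$1/download.bin"
}

# Demo on the samples: the "bad" files produce WARN lines on stderr
tmp=$(mktemp -d); make_samples "$tmp"
verify_sha256 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 "$tmp/download.bin" && echo "SHA256 OK"
audit_yum_repos "$tmp/yum" || echo "YUM audit FAILED"
audit_apt_sources "$tmp"/apt/*.list || echo "APT audit FAILED"; rm -rf "$tmp"
```

Point audit_yum_repos at /etc/yum.repos.d and audit_apt_sources at /etc/apt/sources.list and /etc/apt/sources.list.d/*.list to check a real host; the script does not parse the deb822 .sources format.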

Validate Signatures with ZYpp

To display the list of configured ZYpp repositories, including status of GPG checks for the repository: zypper repos

To enable GPG checks for a repository: zypper modifyrepo -g followed by the repository alias or name, such as mariadb-es-server.

ZYpp can be globally configured for package validation via the repo_gpgcheck and/or pkg_gpgcheck options in the ZYpp configuration file, /etc/zypp/zypp.conf.