MariaDB Enterprise Supply Chain Security


Supply chain security should be taken into account during deployment. This page describes how to validate the integrity and authenticity of downloaded files and how to ensure the system package manager verifies package signatures.

Validating Sums and Signatures

Use cryptographic hash sums and cryptographic signatures to validate the integrity and authenticity of a downloaded file.

Validate SHA256 Sums

To check a known SHA256 cryptographic hash sum against the SHA256 of a file:

$ echo "53efddb84ea12efa7d521499a7474065bd4a60c721492d0e72b4336192f4033f  mariadb_es_repo_setup" \
    | sha256sum -c -
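The same check wrapped in a small script, as an added example that is not part of the MariaDB documentation: it looks the expected sum up in a publisher-style SHA256SUMS file, runs sha256sum -c exactly as above, and returns a non-zero status on a mismatch so that a deployment script can stop instead of installing a tampered file. The file name download.bin, the SHA256SUMS layout and the sample content are constructed for the demonstration; only GNU coreutils (sha256sum, awk) is assumed.

```shell
#!/bin/sh
# Added example (not from the MariaDB docs): refuse to proceed unless a
# downloaded file matches its published SHA-256 sum.

# expected_sum SUMSFILE NAME
# Print the hex digest recorded for NAME in a sums file whose lines have the
# sha256sum format "<hex>  <name>" (or "<hex> *<name>" for binary mode).
expected_sum() {
    sums=$1
    name=$2
    awk -v n="$name" '{ sub(/^\*/, "", $2); if ($2 == n) { print $1; exit } }' "$sums"
}

# verify_sha256 FILE EXPECTED_HEX
# Return 0 when FILE hashes to EXPECTED_HEX, 1 otherwise (including a
# missing file or an empty expected value, which would otherwise pass silently).
verify_sha256() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    case $expected in
        [0-9a-fA-F]*) ;;  # a digest was supplied
        *) echo "no expected sum for $file" >&2; return 1 ;;
    esac
    # Feed "<hex>  <path>" to sha256sum -c, as the documentation does, and let
    # its exit status decide; --status suppresses the OK/FAILED text.
    if printf '%s  %s\n' "$expected" "$file" | sha256sum -c --status -; then
        return 0
    fi
    echo "CHECKSUM MISMATCH: $file" >&2
    return 1
}

# verify_download FILE SUMSFILE
# Combine the two steps: look the file up by its base name, then verify it.
verify_download() {
    file=$1
    sums=$2
    want=$(expected_sum "$sums" "$(basename "$file")")
    verify_sha256 "$file" "$want"
}

# Stand-alone demonstration on constructed data when run directly.
if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'hello\n' > "$d/download.bin"
    # SHA-256 of the five bytes "hello" plus a newline.
    printf '%s  download.bin\n' \
        5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 > "$d/SHA256SUMS"
    verify_download "$d/download.bin" "$d/SHA256SUMS" && echo "download.bin: OK"
    printf 'tampered\n' > "$d/download.bin"
    verify_download "$d/download.bin" "$d/SHA256SUMS" || echo "download.bin: rejected"
    rm -rf "$d"
fi
```

Run with `sh verify.sh --demo` to see one accepted and one rejected file. The empty-digest check matters in practice: if the lookup fails (wrong file name, truncated sums file), `sha256sum -c` would never even be reached, and a script that ignored that would treat "no sum found" as success.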

Validate Signatures with YUM

To direct YUM (CentOS, RHEL) to validate cryptographic signatures, in /etc/yum.conf and each .repo file in /etc/yum.repos.d/ ensure this line DOES appear:

gpgcheck = 1

Validate Signatures with APT

To direct APT (Debian, Ubuntu) to validate cryptographic signatures, ensure [trusted=yes] DOES NOT appear for any repository listed in the /etc/apt/sources.list configuration file or listed in the configuration files located in the /etc/apt/sources.list.d/ directory.

For a repository marked [trusted=yes], APT skips signature verification entirely, so any package from that source is installed unchecked.

To update the cache after changing the repository configuration: apt update

Validate Signatures with ZYpp

To display the list of configured ZYpp repositories, including status of GPG checks for the repository: zypper repos

To enable GPG checks for a repository: zypper modifyrepo -g followed by the repository alias or name such as mariadb-es-server.

ZYpp can be globally configured for package validation via the repo_gpgcheck and/or pkg_gpgcheck settings in the ZYpp configuration file, /etc/zypp/zypp.conf.
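The three package-manager checks above (gpgcheck for YUM, [trusted=yes] for APT, the gpgcheck settings for ZYpp) can be audited from a script before deployment. The following is an added example, not part of the MariaDB documentation: one function per package manager takes a configuration file and returns 0 when it passes or 1 when it weakens signature verification, and audit_host applies them to the standard paths named on this page. It goes slightly beyond the page by also flagging the deb822-style "Trusted: yes" line used in /etc/apt/sources.list.d/*.sources files. All sample file contents in the demo are constructed; the repository URL example.invalid is a placeholder.

```shell
#!/bin/sh
# Added example (not from the MariaDB docs): audit YUM, APT and ZYpp
# configuration for settings that disable package signature verification.

# yum_gpgcheck_ok FILE
# Pass when every uncommented gpgcheck line is 1 and at least one exists.
# A .repo file with no gpgcheck line inherits the value from /etc/yum.conf;
# this per-file check reports that as a failure so the omission is visible.
yum_gpgcheck_ok() {
    f=$1
    if grep -E '^[[:space:]]*gpgcheck[[:space:]]*=' "$f" \
        | grep -Evq '=[[:space:]]*1[[:space:]]*$'; then
        echo "$f: gpgcheck is not 1 in at least one section" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$f"; then
        echo "$f: gpgcheck = 1 not set explicitly" >&2
        return 1
    fi
    return 0
}

# apt_sources_ok FILE
# Fail on "deb [ ... trusted=yes ... ] ..." (one-line format) or on
# "Trusted: yes" (deb822 format); both disable signature checks.
apt_sources_ok() {
    f=$1
    if grep -Eq '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes' "$f"; then
        echo "$f: [trusted=yes] disables signature verification" >&2
        return 1
    fi
    if grep -Eiq '^[[:space:]]*Trusted:[[:space:]]*yes' "$f"; then
        echo "$f: 'Trusted: yes' disables signature verification" >&2
        return 1
    fi
    return 0
}

# zypp_gpgcheck_ok FILE
# Fail when gpgcheck, repo_gpgcheck or pkg_gpgcheck is explicitly switched
# off in zypp.conf. Commented (#) lines and the default "unset" are ignored.
zypp_gpgcheck_ok() {
    f=$1
    if grep -Eiq '^[[:space:]]*(repo_|pkg_)?gpgcheck[[:space:]]*=[[:space:]]*(off|no|false|0)[[:space:]]*$' "$f"; then
        echo "$f: GPG checking is switched off" >&2
        return 1
    fi
    return 0
}

# audit_host
# Run the applicable check on every configuration file that exists on this
# host; return 1 if any file fails. Glob patterns with no match are skipped.
audit_host() {
    rc=0
    for f in /etc/yum.conf /etc/yum.repos.d/*.repo; do
        [ -f "$f" ] && { yum_gpgcheck_ok "$f" || rc=1; }
    done
    for f in /etc/apt/sources.list /etc/apt/sources.list.d/*; do
        [ -f "$f" ] && { apt_sources_ok "$f" || rc=1; }
    done
    [ -f /etc/zypp/zypp.conf ] && { zypp_gpgcheck_ok /etc/zypp/zypp.conf || rc=1; }
    return $rc
}

# Run the host audit only when invoked directly with --audit.
if [ "${1-}" = "--audit" ]; then
    audit_host && echo "package signature verification: OK"
fi
```

Running `sh audit.sh --audit` on a host prints one line per offending file and exits non-zero, which makes it usable as a pre-install gate in configuration management. The YUM check deliberately treats a missing gpgcheck line as a finding rather than trusting inheritance from /etc/yum.conf, matching the page's instruction that the line appear in each .repo file.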