MariaDB Enterprise Supply Chain Security

Overview

Supply chain security should be taken into account during deployment. This page describes how to verify the integrity and authenticity of the files and packages you download.

Validating Sums and Signatures

Use cryptographic hash sums and cryptographic signatures to validate the integrity and authenticity of a downloaded file.

Validate SHA256 Sums

To check a known SHA256 cryptographic hash sum against the SHA256 of a file:

$ echo "c12da6a9baa57eab7fa685aa24bf76e6929a8c67f4cd244835520c0181007753  mariadb_es_repo_setup" \
    | sha256sum -c -

Validate Signatures with YUM

To direct YUM (CentOS, RHEL, Rocky Linux) to validate cryptographic signatures, ensure that the following line DOES appear in /etc/yum.conf and in each .repo file in /etc/yum.repos.d/:

gpgcheck = 1

Validate Signatures with APT

To direct APT (Debian, Ubuntu) to validate cryptographic signatures, ensure that [trusted=yes] DOES NOT appear for any repository listed in /etc/apt/sources.list or in any configuration file in the /etc/apt/sources.list.d/ directory.

APT does not verify the signatures of repositories marked trusted.

To update the package cache after changing the repository configuration, run: apt update

Validate Signatures with ZYpp

To display the list of configured ZYpp repositories, including the status of GPG checks for each repository, run: zypper repos

To enable GPG checks for a repository, run zypper modifyrepo -g followed by the repository alias or name, such as mariadb-es-server.

ZYpp can also be configured globally for package validation via the repo_gpgcheck and pkg_gpgcheck options in the ZYpp configuration file, /etc/zypp/zypp.conf.
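The following script is an added example, not part of the MariaDB documentation, that turns the SHA256, YUM and APT checks above into repeatable audit functions. The file paths, repository names and sample configuration files it uses are constructed for demonstration; on a real host you would point the functions at /etc/yum.conf, /etc/yum.repos.d/*.repo and /etc/apt/sources.list.d/*.list.

```shell
#!/bin/sh
# Added example (not from the MariaDB documentation): audit package-manager
# configuration for the settings described above. File paths are passed as
# arguments so the functions can be run against constructed sample files.

# A yum.conf or .repo file passes only if it contains "gpgcheck = 1"
# (whitespace optional) and no line disabling the check. Returns 1 on failure.
audit_yum_gpgcheck() {
    rc=0
    for f in "$@"; do
        if grep -Eiq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0' "$f"; then
            echo "gpgcheck disabled in $f"; rc=1
        elif ! grep -Eiq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1' "$f"; then
            echo "gpgcheck=1 missing from $f"; rc=1
        fi
    done
    return $rc
}

# An APT sources file fails if any deb/deb-src line carries [trusted=yes].
audit_apt_trusted() {
    rc=0
    for f in "$@"; do
        if grep -Eq '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes' "$f"; then
            echo "[trusted=yes] disables signature checks in $f"; rc=1
        fi
    done
    return $rc
}

# Verify a downloaded file against a known SHA256 sum, using the same
# "sha256sum -c -" form shown above. Returns 0 only on a match.
verify_sha256() {
    echo "$1  $2" | sha256sum -c - >/dev/null 2>&1
}

# Constructed sample files (not real MariaDB repositories) for demonstration.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '[mariadb-es-server]\nname=MariaDB ES\ngpgcheck = 1\n' > "$demo_dir/good.repo"
printf '[mariadb-es-server]\nname=MariaDB ES\ngpgcheck = 0\n' > "$demo_dir/bad.repo"
printf 'deb [arch=amd64] https://example.invalid/es focal main\n' > "$demo_dir/good.list"
printf 'deb [trusted=yes] https://example.invalid/es focal main\n' > "$demo_dir/bad.list"
printf 'hello\n' > "$demo_dir/download"
hello_sum=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

audit_yum_gpgcheck "$demo_dir/good.repo" "$demo_dir/bad.repo" || echo "YUM audit: FAIL"
audit_apt_trusted "$demo_dir/good.list" "$demo_dir/bad.list" || echo "APT audit: FAIL"
verify_sha256 "$hello_sum" "$demo_dir/download" && echo "sha256: OK"
```

The audit functions flag the bad.repo and bad.list samples and accept the good ones, and the SHA256 check succeeds only when the sum matches the downloaded file.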