MariaDB Enterprise Supply Chain Security
Overview
Supply chain security should be taken into account during deployment. This page describes how to validate the integrity and authenticity of what you download and install.
Validating Sums and Signatures
Use cryptographic hash sums and cryptographic signatures to validate the integrity and authenticity of a downloaded file.
Validate SHA256 Sums
To check a known SHA256 cryptographic hash sum against the SHA256 of a file:
$ echo "c12da6a9baa57eab7fa685aa24bf76e6929a8c67f4cd244835520c0181007753 mariadb_es_repo_setup" \
| sha256sum -c -
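The check above exits non-zero when the sum does not match, which is easy to miss in an interactive session. The following function, added here as an example (it is not part of the MariaDB documentation), wraps the same sha256sum -c invocation so a download script can stop on a mismatch; the file name and contents in the demo are constructed, and the expected sum for a file containing "hello" plus a newline is the well-known value shown in the comment.

```shell
# Added example, not MariaDB documentation code.
# verify_sha256 EXPECTED_HEX FILE
#   returns 0 when FILE's SHA256 equals EXPECTED_HEX,
#   returns 1 on a mismatch, returns 2 on bad arguments.
verify_sha256() {
    expected="$1"
    file="$2"
    if [ -z "$expected" ] || [ ! -f "$file" ]; then
        echo "verify_sha256: need an expected sum and an existing file" >&2
        return 2
    fi
    # coreutils sha256sum -c expects "<sum>  <name>" lines (two spaces);
    # --status suppresses output so only the exit code is used.
    # shasum (macOS, perl) is a fallback that accepts the same line format.
    if command -v sha256sum >/dev/null 2>&1; then
        checker="sha256sum"
    else
        checker="shasum -a 256"
    fi
    if printf '%s  %s\n' "$expected" "$file" | $checker -c --status -; then
        return 0
    fi
    echo "verify_sha256: $file does NOT match the expected SHA256 sum" >&2
    return 1
}

# Demo on a constructed file: the SHA256 of "hello\n" is
# 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
if verify_sha256 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 "$demo_file"; then
    echo "demo: sum matches"
fi
rm -f "$demo_file"
```

In a deployment script, call it as `verify_sha256 "$KNOWN_SUM" mariadb_es_repo_setup || exit 1` so that a tampered or truncated download never gets executed; the known sum must come from a channel other than the download itself (the vendor's documentation page, not a file sitting next to the download).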
Validate Signatures with YUM
To direct YUM (CentOS, RHEL, Rocky Linux) to validate cryptographic signatures, ensure that this line DOES appear in /etc/yum.conf and in each .repo file in /etc/yum.repos.d/:
gpgcheck = 1
Validate Signatures with APT
To direct APT (Debian, Ubuntu) to validate cryptographic signatures, ensure that [trusted=yes] DOES NOT appear for any repository listed in the /etc/apt/sources.list configuration file or in the configuration files located in the /etc/apt/sources.list.d/ directory.
The cryptographic sums and signatures of a repository marked [trusted=yes] are not checked.
To update the cache after changing the repository configuration, run: apt update
Validate Signatures with ZYpp
To display the list of configured ZYpp repositories, including the status of GPG checks for each repository: zypper repos
To enable GPG checks for a repository: zypper modifyrepo -g followed by the repository alias or name, such as mariadb-es-server.
ZYpp can be globally configured for package validation via the repo_gpgcheck and/or pkg_gpgcheck options in the ZYpp configuration file at /etc/zypp/zypp.conf.
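The YUM, APT and ZYpp sections above each describe one setting that must (or must not) be present. The script below, added here as an example and not part of the MariaDB documentation, audits those settings read-only so the check can run in CI or a configuration-management hook: it reports every .repo file without gpgcheck = 1 (YUM and ZYpp repos.d share that file format), every APT source marked trusted, and any zypp.conf line that turns a global gpgcheck option off. The file names, repository names and URLs in the demo are constructed; the APT deb822 "Trusted: yes" form is included as an assumption about apt's newer source format and is not mentioned on this page.

```shell
# Added example, not MariaDB documentation code.
# Each audit function writes findings to stderr and prints the number of
# findings to stdout, so callers can test for "0" with a plain comparison.

# audit_repo_files LABEL FILE...
# For YUM (/etc/yum.conf, /etc/yum.repos.d/*.repo) and ZYpp (/etc/zypp/repos.d/*.repo).
# A file is reported if it sets gpgcheck to 0/no/off/false, or has no gpgcheck=1 line.
audit_repo_files() {
    label="$1"; shift
    n=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -Eqi '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*(0|no|off|false)' "$f"; then
            echo "$label: $f disables signature checks (gpgcheck=0)" >&2
            n=$((n + 1))
        elif ! grep -Eqi '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*(1|yes|on|true)' "$f"; then
            echo "$label: $f does not set gpgcheck = 1" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# audit_apt_sources FILE...
# For /etc/apt/sources.list and /etc/apt/sources.list.d/*.
# Reports one-line "deb [... trusted=yes ...]" entries; also "Trusted: yes" in
# deb822 .sources files (assumption: apt's newer format, not covered on this page).
audit_apt_sources() {
    n=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        hits=$(grep -Eni '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes|^[[:space:]]*Trusted:[[:space:]]*yes' "$f" || true)
        if [ -n "$hits" ]; then
            printf 'APT: %s marks a repository as trusted (signatures skipped):\n%s\n' "$f" "$hits" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# audit_zypp_conf FILE
# For /etc/zypp/zypp.conf: an active (uncommented) repo_gpgcheck, pkg_gpgcheck
# or gpgcheck line set to off disables validation for every repository that
# does not override it.
audit_zypp_conf() {
    f="$1"
    n=0
    if [ -f "$f" ] && grep -Eqi '^[[:space:]]*(repo_gpgcheck|pkg_gpgcheck|gpgcheck)[[:space:]]*=[[:space:]]*(0|no|off|false)' "$f"; then
        echo "ZYpp: $f turns a global gpgcheck option off" >&2
        n=1
    fi
    echo "$n"
}

# Demo on constructed files in a temporary directory (not real system paths).
demo_dir=$(mktemp -d)
printf '[mariadb-es-server]\nbaseurl=https://example.invalid/yum\ngpgcheck = 1\n' > "$demo_dir/good.repo"
printf '[untrusted]\nbaseurl=https://example.invalid/yum\ngpgcheck=0\n' > "$demo_dir/bad.repo"
printf 'deb [arch=amd64 trusted=yes] https://example.invalid/apt stable main\n' > "$demo_dir/sources.list"
printf '## repo_gpgcheck = off\npkg_gpgcheck = off\n' > "$demo_dir/zypp.conf"
echo "demo YUM findings:  $(audit_repo_files YUM "$demo_dir"/*.repo)"
echo "demo APT findings:  $(audit_apt_sources "$demo_dir/sources.list")"
echo "demo ZYpp findings: $(audit_zypp_conf "$demo_dir/zypp.conf")"
rm -rf "$demo_dir"
```

Against a live host, point the functions at the real paths (for example `audit_repo_files YUM /etc/yum.conf /etc/yum.repos.d/*.repo`) and fail the pipeline when any count is non-zero. The functions look at lines, not at the effective merged configuration, so a repository section that inherits gpgcheck from [main] in yum.conf is still reported; that is deliberate, since the page asks for the line to appear in every file.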