Hello,
I am trying to setup a RHEL server with k6. Looking at the instructions to install the rpm repo, the file it instructs users to install under /etc/yum.repos.d/ contains two lines:
gpgcheck=0
repo_gpgcheck=0
This disables signature verification of the RPM files and the yum repository metadata.
If I remove the lines (or change the value to 1), running yum install k6 fails with the error:
Package k6-v0.25.1-amd64.rpm is not signed
Is this not a security issue, especially when using a 3rd party service (Bintray) to distribute the packages? If Bintray is compromised, an attacker can upload a malicious k6 package and all the systems using the repo would install it without question.
Am I misunderstanding something here?
Thanks,
Steve
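An added example, not code from the original post or from the k6 project: a small audit of yum/dnf .repo files that flags exactly the weakening the post describes (gpgcheck or repo_gpgcheck off) and also a section that turns the checks on without giving a gpgkey= to verify against. The three .repo files it creates are constructed for this example; the baseurl and gpgkey values are placeholders, not the real k6 repository locations.

```shell
# Added example, not code from the original post or from the k6 project:
# audit yum/dnf .repo files for disabled signature verification. The three
# .repo files below are constructed for this example; the baseurl and gpgkey
# values are placeholders, not the real k6 repository locations.

# audit_repo_file FILE
# Prints one line per finding and returns 1 if any section lacks
# gpgcheck=1, repo_gpgcheck=1, or a gpgkey= to verify against.
audit_repo_file() {
    awk '
        # yum/dnf accept several spellings of a boolean option
        function on(v) { v = tolower(v); return (v == "1" || v == "true" || v == "yes" || v == "on") }
        function show(v) { return (v == "" ? "<unset>" : v) }
        # value of the current key=value line, whitespace stripped
        function value() { split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); return kv[2] }
        function flush() {
            if (section == "") return
            if (!on(gpg))  { printf "%s: gpgcheck=%s (RPM package signatures are not verified)\n", section, show(gpg); bad = 1 }
            if (!on(rgpg)) { printf "%s: repo_gpgcheck=%s (repository metadata is not verified)\n", section, show(rgpg); bad = 1 }
            if ((on(gpg) || on(rgpg)) && key == "") {
                printf "%s: no gpgkey= (verification only works if the vendor key is already in the RPM database)\n", section; bad = 1
            }
        }
        BEGIN { bad = 0 }
        /^[[:space:]]*\[/ {
            flush()
            section = $0
            sub(/^[[:space:]]*\[/, "", section); sub(/].*$/, "", section)
            gpg = ""; rgpg = ""; key = ""
            next
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=/      { gpg  = value() }
        /^[[:space:]]*repo_gpgcheck[[:space:]]*=/ { rgpg = value() }
        /^[[:space:]]*gpgkey[[:space:]]*=/        { key  = value() }
        END { flush(); exit bad }
    ' "$1"
}

# count_findings FILE: number of findings, usable from scripts and tests
count_findings() {
    audit_repo_file "$1" | wc -l | tr -d ' '
}

tmpdir=$(mktemp -d)

# Constructed sample 1: mirrors the two lines quoted in the post.
cat > "$tmpdir/k6-weak.repo" <<'EOF'
[k6]
name=k6 (constructed sample)
baseurl=https://repo.example.invalid/k6/rpm
enabled=1
gpgcheck=0
repo_gpgcheck=0
EOF

# Constructed sample 2: checks turned on, but no key to check against.
cat > "$tmpdir/k6-nokey.repo" <<'EOF'
[k6]
name=k6 (constructed sample)
baseurl=https://repo.example.invalid/k6/rpm
enabled=1
gpgcheck=1
repo_gpgcheck=1
EOF

# Constructed sample 3: what a hardened entry looks like (placeholder gpgkey URL).
cat > "$tmpdir/k6-hardened.repo" <<'EOF'
[k6]
name=k6 (constructed sample)
baseurl=https://repo.example.invalid/k6/rpm
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://repo.example.invalid/k6/rpm/RPM-GPG-KEY-example
EOF

for f in "$tmpdir"/*.repo; do
    echo "== $f"
    if audit_repo_file "$f"; then
        echo "   ok: package and metadata signatures will be verified"
    fi
done
```

Run against /etc/yum.repos.d/*.repo on the host to find every repository that would install whatever the mirror serves. The audit only covers the client side: with gpgcheck=1 yum refuses unsigned packages, which is exactly the "is not signed" error in the post, so the publisher also has to sign its RPMs and repodata and publish the key before the hardened entry becomes usable.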