I am trying to set up a RHEL server with k6. Looking at the instructions to install the rpm repo, the file it instructs users to install under
/etc/yum.repos.d/ contains two lines:
This disables signature verification of the RPM files and the yum repository metadata.
If I remove the lines (or change the value to
yum install k6 fails with the error:
Package k6-v0.25.1-amd64.rpm is not signed
Is this not a security issue, especially when using a third-party service (Bintray) to distribute the packages? If Bintray is compromised, an attacker can upload a malicious k6 package and all the systems using the repo would install it without question.
Am I misunderstanding something here?
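The concern above is about repo files that switch off signature checks. As an added example (not part of the original post and not k6's or Grafana's own tooling), the following POSIX sh script audits `.repo` files for sections that set the standard yum/dnf options `gpgcheck` (RPM package signatures) or `repo_gpgcheck` (repository metadata signatures) to `0`, and shows a weak section beside a hardened one. The repo ids, URLs and key path in the sample file are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: audit yum/dnf .repo files for
# repositories that disable signature verification. gpgcheck and
# repo_gpgcheck are the standard yum/dnf option names; everything in the
# sample repo file below (ids, URLs, key location) is constructed.

# Print "<repo id> <option>" for every gpgcheck/repo_gpgcheck line set to 0.
audit_repo_file() {
    awk '
        # A "[id]" line starts a new repository section.
        /^\[/ { section = substr($0, 2, index($0, "]") - 2); next }
        # Flag either check when it is explicitly turned off.
        /^[ \t]*(gpgcheck|repo_gpgcheck)[ \t]*=[ \t]*0[ \t]*$/ {
            key = $0
            sub(/[ \t]*=.*$/, "", key)
            sub(/^[ \t]*/, "", key)
            print section, key
        }
    ' "$1"
}

# Succeeds (exit 0) only when no section in the file disables either check.
repo_file_is_hardened() {
    [ -z "$(audit_repo_file "$1")" ]
}

# Write a constructed two-repo file and print its path: "thirdparty" is the
# weak configuration the post describes (both checks off); "hardened" keeps
# both checks on and names the key used to verify packages and metadata.
write_sample_repo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[thirdparty]
name=Third-party repo (constructed example)
baseurl=https://example.invalid/rpm
enabled=1
gpgcheck=0
repo_gpgcheck=0

[hardened]
name=Hardened repo (constructed example)
baseurl=https://example.invalid/rpm
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://example.invalid/rpm/RPM-GPG-KEY-example
EOF
    echo "$f"
}

# Stand-alone use: "sh audit.sh --demo" audits the constructed file;
# "sh audit.sh /etc/yum.repos.d/k6.repo" audits a real repo file.
case "${1:-}" in
    --demo)
        sample=$(write_sample_repo)
        audit_repo_file "$sample"
        rm -f "$sample"
        ;;
    "") ;;
    *) audit_repo_file "$1" ;;
esac
```

On the sample file the audit reports `thirdparty gpgcheck` and `thirdparty repo_gpgcheck` and nothing for `hardened`. With both options set to `1`, yum refuses an unsigned package or unsigned metadata, which is exactly the failure the post sees once the two lines are removed, and the reason a repo from a third-party host should ship a `gpgkey` rather than switch the checks off.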