sign builds with posit gpg key #56

Open
edavidaja opened this issue Mar 20, 2023 · 2 comments
Comments

@edavidaja (Collaborator)

No description provided.

@JsizzleR

This came up with a customer for ticket: https://rstudioide.zendesk.com/agent/tickets/104591
They cannot use our R or Python binaries because they're not GPG-signed. This was a hard no for them, and they commented on their surprise that we're offering these without signing them.

It's forcing difficult discussions with the customer about compiling from source, or going against our best practices and using a RHEL-provided Python and R version.

Issue for R builds: rstudio/r-builds#7

@jlsm-se commented Jan 22, 2025

It would be great to have this implemented.

To give an example of why, I have the file https://cdn.rstudio.com/python/ubuntu-2204/pkgs/python-3.12.0_1_amd64.deb that I downloaded in April 2024 and recorded the sha256sum [1] of.

In ~November of 2024 I downloaded the file again from the same URL, except that time the checksum had changed for some reason. I had no idea why. If I download it now, it still doesn't match.

I've seen the break-glass functionality noted in the README so I'm guessing the usage of that may be the culprit here. Or it could be a CVE-2024-3094 type of situation. My point is that there's no way to know the difference without unpacking and inspecting the binaries inside the packages manually - an unreasonable request to make of the people downloading these packages. At that point we may as well build the package ourselves.

I've also seen https://posit.co/code-signing/ and the comment here so maybe things are underway towards a solution for this issue?

I suppose it's possible this will become a legal requirement in the EU once the CRA comes into force there.

[1] it's a161c9b5004e814547b3c5efce0a08ebbde57a32ef08e5752e2effbc0b4abb6b
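Added example, written here as an illustration and not code from the rstudio/python-builds project or from any commenter: a POSIX shell verifier for the workflow the comment above describes. It pins the sha256 recorded at first download (the digest a161c9… quoted in the comment is the kind of value the pin argument takes) and, assuming a detached `.asc` signature and a vendor public keyring existed (the issue asks for them; the page does not show that any are published), verifies that signature from a dedicated keyring so that nothing else in the local `~/.gnupg` can vouch for the file. The file names, the sample content and the exit-code convention are assumptions.

```shell
#!/bin/sh
# Added example, not code from rstudio/python-builds or from the commenter.
# Verifies a downloaded package against a sha256 pinned at first download and,
# if a detached signature and vendor keyring are supplied (assumed to exist;
# the issue is asking for them), against that signature.

sha256_of() {
    # Portable digest: sha256sum on GNU/Linux, shasum on macOS/BSD.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

check_pin() {
    # $1 = file, $2 = pinned hex digest.  Returns 0 on match, 1 on mismatch.
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "pin OK: $1"
        return 0
    fi
    printf 'pin MISMATCH: %s\n  expected %s\n  actual   %s\n' "$1" "$2" "$actual" >&2
    return 1
}

check_sig() {
    # $1 = file, $2 = detached signature (.asc), $3 = keyring holding ONLY the
    # vendor key.  A dedicated keyring means nothing else in ~/.gnupg can vouch
    # for the file.  gpg exits non-zero on a bad or unknown-key signature.
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

verify_pkg() {
    # $1 = file, $2 = pinned digest, $3 = signature path or empty, $4 = keyring.
    # Exit codes (assumed convention): 0 unchanged; 2 changed but signed by the
    # vendor key (a rebuild such as the README's break-glass path: review, then
    # update the pin); 3 changed and unverifiable, the situation the comment
    # above describes.
    pkg=$1; pin=$2; sig=$3; keyring=$4
    if check_pin "$pkg" "$pin"; then
        return 0
    fi
    if [ -n "$sig" ] && [ -f "$sig" ]; then
        if check_sig "$pkg" "$sig" "$keyring"; then
            echo "contents changed but vendor signature verifies: update the pin" >&2
            return 2
        fi
        echo "contents changed and signature does NOT verify: do not install" >&2
        return 3
    fi
    echo "contents changed and no signature to check: rebuild or tampering, cannot tell" >&2
    return 3
}

# Usage: sh verify_pkg.sh <pkg.deb> <pinned-sha256> [<pkg.deb.asc> <vendor.gpg>]
if [ "$#" -ge 2 ]; then
    verify_pkg "$1" "$2" "${3:-}" "${4:-}"
fi
```

The three outcomes are the point: without a signature, a pin mismatch collapses the "rebuilt by the vendor" and "replaced by someone else" cases into one, which is exactly why a checksum alone cannot answer the question the comment raises. With a signature over the artifact, the mismatch splits into a reviewable rebuild (exit 2) and a hard stop (exit 3).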
