Verify package signatures on RedHat

[mxey]

Gitlab has signed RPM packages for Omnibus (not for Runner, though). The gpgcheck option for the yumrepo should be enabled.

[mhyzon]

The gpg key that is specified in the yumrepo resource is incorrect, at least for the ee version. When you use the gitlab omnibus install method, the https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.rpm.sh script pulls a repo config from https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/config_file.repo?os=${os}&dist=${dist}&source=script

And at least for me (RHEL7), returns a yum .repo file with 2 gpgkeys:

https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey
https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey/gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg

The first is actually a 302 to https://packages.gitlab.com/gpg.key (what install.pp has), but the 2nd is a completely different key (and the proper key for the gitlab-ee RPMs, AFAICT.

[mhyzon]

In the mean time, you should be able to override the resource attributes with a collector like:

Yumrepo <| tag == 'gitlab::install' |> {
    gpgcheck => 1,
    gpgkey   => [THE PROPER KEY FOR YOUR EDITION],
}

[mhyzon]

Created Pull Request #172

[juniorsysadmin]

Fixed by #172