Update packagecloud.io to fully sign packages

[jaredledvina]

Currently, the https://packagecloud.io/app/sensu/nightly/ repo's are setup to have the metadata of the repo signed. However, the actual .deb and .rpm packages are not signed themselves. Signing the actually packages helps folks who run their own internal package mirrors verify that no one has tampered with them while to move around.

Expected Behavior

https://packagecloud.io/app/sensu/nightly/gpg#gpg-packagekeys should show package signing keys and/or the actual packages should be signed.

Current Behavior

The metadata on the repo's is signed currently, but the actual package files themselves are not.

Possible Solution

I'm not sure how https://sensu.global.ssl.fastly.net/apt/ and https://sensu.global.ssl.fastly.net/yum/ work but, perhaps we can steal the setup for those?

Context

Signed packages was my original blocker for deploying Sensu 1.X and this will also be a hard blocker for 2.X.

Your Environment

• Sensu version used (sensuctl, sensu-backend, and/or sensu-agent): Lastest nightly
• Installation method (packages, binaries, docker etc.): Ansible
• Operating System and version (e.g. Ubuntu 14.04): Debian 9

[grepory]

@preed and @amdprophet -- can we figure out how to get this done?

[preed]

Certainly we can look into it from a technology perspective, but I believe there's an additional release policy perspective (which, conveniently, we're in the middle of revisiting) which might impact what, exactly, we sign.

But I believe at some point, we'd want to sign the packages, so investigating the details as to how is certainly worth doing.

[annaplotkin]

We are closing this in favor of #13.