Signing built RPMs or how to create signed RPMs.

Pierre Guillet guillet.pierre at googlemail.com
Tue Dec 14 07:43:59 UTC 2010


Hi,

I'm using Koji + sign_unsigned.py + mash to build RPMs on CentOS 5.

I have modified sign_unsigned.py to manage the passphrase. If the option is not
used, sign_unsigned.py gives an empty passphrase to the 'rpm --resign' command.

Add the Python expect module to the import section (the pexpect RPM must be
installed):

 import getpass
+import pexpect

Add the --passwd option in __init__() of the SignUnsigned class:

+        self.parser.add_option("--passwd", action="store_true")
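Review bot: `action="store_true"` makes `self.options.passwd` the boolean `True`, so the `child.sendline("%s" % self.options.passwd)` branch in do_signing sends the literal string `True` as the passphrase, never the real one. Either change this to `action="store"` so the option carries a value, or, better, keep `--passwd` as a flag and read the secret with `getpass.getpass()` (getpass is already imported), so the passphrase never appears in `ps` output, shell history or the build log.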

Replace these lines in do_signing():

-                # loop in case password is mistyped
-                while os.system(cmd):
-                    # sleep briefly (give user a chance to ctrl-C)
-                    time.sleep(2)
+                # Use expect to give the passphrase
+                # LANG=C to have english question 'pass phrase'
+                os.environ['LC_ALL'] = 'C'
+                child = pexpect.spawn(cmd)
+                # Wait for 'pass phrase'
+                child.expect('phrase:')
+                if not self.options.passwd:
+                    child.sendline('\r')
+                else:
+                    child.sendline("%s" % self.options.passwd)
+                child.expect(pexpect.EOF)
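Review bot: the failure handling the removed `while os.system(cmd)` loop provided is lost here: `child.expect(pexpect.EOF)` returns whether or not rpm succeeded, so a wrong passphrase ("Pass phrase check failed") or a missing key is silently accepted and the unsigned package goes on into mash. After the EOF, add `child.close()` and check `child.exitstatus`, raising or retrying on non-zero, and catch `pexpect.TIMEOUT` around `child.expect('phrase:')` so an rpm that never prompts fails loudly instead of hanging for the default timeout. Smaller points: `sendline('\r')` sends `\r\n`, where `sendline('')` is enough; and `os.environ['LC_ALL'] = 'C'` changes the locale for the rest of the process although the comment speaks of LANG, so passing `env=` to `pexpect.spawn` keeps it scoped to the rpm call.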

Regards,
Pierre

2010/12/14 Allen Hewes <allen at decisiv.net>

>
> >
> > Hi Allen!
> >
> > You might want to look at the following post:
> >
> > http://www.mail-archive.com/fedora-buildsys-list@redhat.com/msg02187.html
> >
> > -of
>
> Hi Oliver,
>
> Thanks for the link. I had not come across this thread.
>
> It would appear that currently there isn't any method to sign RPMs within
> koji or mash. You can import prebuilt RPMs with signatures into Koji. I
> don't know much about importing RPMs into koji because I haven't had a need.
>
> Do the Fedora guys use the sign_unsigned.py script for the official Fedora
> yum repos? If so, how do they use mash? Because it looks to me that if you
> use this script, it does one of the steps mash does; fetching RPMs out of
> koji tags.
>
> I would have guessed that the Fedora guys generate their yum repos via mash
> from koji tags and then sign RPMs.
>
> I'd have to modify this script to suit my needs, but I think I could do it.
> It also looks like it relies on a newer version of RPM; the rpm command for
> key size == 4096 is one spot I noticed.
>
> Also, I have to enter a passphrase when I sign my RPMs but this script
> doesn't have any provisions for that. Is there a way to make rpm --resign
> not prompt for a passphrase?
>
> Has there been any talk about adding RPM signing to mash? It seems like
> that'd be a good place for it.
>
> Thanks,
>
> /allen
> --
> buildsys mailing list
> buildsys at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/buildsys
>
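The non-interactive signing this thread is after, written out as an added example (not code from the thread, from sign_unsigned.py, or from Koji/mash) in Python 3 with pexpect: the passphrase is read once with getpass instead of being passed on the command line, the exit status of rpm --resign decides whether signing worked, and the rpm -K verdict is parsed to confirm a signature is actually present. Assumptions: pexpect is installed, rpm prints "Enter pass phrase:" and exits non-zero when the passphrase check fails (the rpm 4.4 behaviour on CentOS 5), %_gpg_name names the signing key, and the rpm -K lines shown in checksig_says_signed are constructed samples, not captured output.

```python
"""Sign RPMs with `rpm --resign` without typing the passphrase at each prompt.

Added example, not code from the buildsys thread, sign_unsigned.py, Koji or mash.
Assumptions (as on rpm 4.4 / CentOS 5): rpm asks "Enter pass phrase:" on the
terminal, prints "Pass phrase check failed" and exits non-zero when the passphrase
is wrong, %_gpg_name names the signing key, and the pexpect module is installed.
"""
import getpass
import os
import subprocess
import sys

# rpm's prompt; LC_ALL=C below keeps it English whatever the build host's locale.
PROMPT = r"[Pp]ass ?phrase:"


def drive_resign(child, passphrase, eof, timeout):
    """Answer the passphrase prompt of an already spawned `rpm --resign`.

    `child` is a pexpect.spawn; `eof` / `timeout` are pexpect.EOF / pexpect.TIMEOUT,
    passed in so this function does not itself depend on pexpect.
    Returns "ok", "no-prompt", "timeout" or "rpm-failed".
    """
    idx = child.expect([PROMPT, eof, timeout])
    if idx == 1:                      # rpm exited before asking: bad arguments, no key, ...
        child.close()
        return "no-prompt"
    if idx == 2:                      # nothing recognisable within the timeout: do not hang
        child.close(force=True)
        return "timeout"
    child.sendline(passphrase)        # sendline appends the newline; no '\r' needed
    if child.expect([eof, timeout]) == 1:
        child.close(force=True)
        return "timeout"
    child.close()
    # A wrong passphrase is reported by rpm's exit status, not by a second prompt,
    # so the status is what decides whether the package is now signed.
    return "ok" if child.exitstatus == 0 else "rpm-failed"


def sign_rpm(rpm_path, passphrase, timeout=60):
    """Spawn `rpm --resign <rpm_path>` under LC_ALL=C and feed it the passphrase."""
    import pexpect  # imported here so the rest of the module works without it
    env = dict(os.environ, LC_ALL="C")          # scoped to the child, not our own process
    child = pexpect.spawn("rpm", ["--resign", rpm_path], env=env, timeout=timeout)
    return drive_resign(child, passphrase, pexpect.EOF, pexpect.TIMEOUT)


def checksig(rpm_path):
    """Return the one-line verdict of `rpm -K` (--checksig) for the package."""
    proc = subprocess.run(["rpm", "-K", rpm_path], capture_output=True, text=True)
    return (proc.stdout or proc.stderr).strip()


def checksig_says_signed(line):
    """Parse an `rpm -K` verdict line: True when a GPG/PGP signature is present.

    Constructed sample lines in the shape rpm 4.x prints:
      unsigned:              "foo.rpm: sha1 md5 OK"
      signed, key imported:  "foo.rpm: (sha1) dsa sha1 md5 gpg OK"
      signed, key missing:   "foo.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#1234abcd)"
    The last one is still signed: NOT OK / MISSING KEYS means the public key is not in
    the rpm database, which is a different failure from an unsigned package.
    """
    _, _, verdict = line.partition(":")
    tokens = [t.strip("()").lower() for t in verdict.split()]
    return "gpg" in tokens or "pgp" in tokens


if __name__ == "__main__":
    # The passphrase is read from the terminal once, never from argv, so it does
    # not show up in `ps`, shell history or the Koji/mash log.
    pw = getpass.getpass("GPG passphrase: ")
    for pkg in sys.argv[1:]:
        result = sign_rpm(pkg, pw)
        verdict = checksig(pkg) if result == "ok" else ""
        print("%-12s %s  %s" % (result, pkg, verdict))
        if result != "ok" or not checksig_says_signed(verdict):
            sys.exit(1)
```

Run as `python3 sign_rpms.py *.rpm` on the signing host; it exits non-zero at the first package that did not end up with a signature, which is the check the pexpect patch above lacks. Checking the exit status rather than the prompt text is the point: rpm 4.4 does not re-prompt on a bad passphrase, it fails, so a script that only waits for EOF cannot tell success from failure.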