Signing built RPMs or how to create signed RPMs.
Pierre Guillet
guillet.pierre at googlemail.com
Tue Dec 14 07:43:59 UTC 2010
Hi,
I'm using Koji + sign_unsigned.py + mash to build RPMs on CentOS 5.
I have modified sign_unsigned.py to manage the passphrase. If the option is not
used, sign_unsigned.py gives an empty passphrase to the 'rpm --resign' command.
Add the Python expect module in the import section (the pexpect RPM must be
installed):
import getpass
+import pexpect
Add the --passwd option in __init__() of the SignUnsigned class:
+ self.parser.add_option("--passwd", action="store_true")
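Review bot: action="store_true" on the added --passwd option makes self.options.passwd a boolean (True or False), not a passphrase string, so the option gives the script no passphrase value to use. If the flag is meant to request a passphrase, keep it as a flag and read the value with getpass.getpass() when it is set (getpass is already imported above). Taking the passphrase as an option value instead would put it on the command line, where it is visible in the process list and shell history.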
Replace these lines in do_signing():
- # loop in case password is mistyped
- while os.system(cmd):
- # sleep briefly (give user a chance to ctrl-C)
- time.sleep(2)
+ # Use expect to give the passphrase
+ # LANG=C to have english question 'pass phrase'
+ os.environ['LC_ALL'] = 'C'
+ child = pexpect.spawn(cmd)
+ # Wait for 'pass phrase'
+ child.expect('phrase:')
+ if not self.options.passwd:
+ child.sendline('\r')
+ else:
+ child.sendline("%s" % self.options.passwd)
+ child.expect(pexpect.EOF)
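Review bot: after child.expect(pexpect.EOF) nothing checks whether rpm --resign succeeded, whereas the removed while os.system(cmd) loop retried on a non-zero exit. Call child.close() and test child.exitstatus, then fail or retry when it is non-zero, so that a rejected passphrase cannot leave packages unsigned without any error. Also, sendline("%s" % self.options.passwd) sends the formatted option value, which for an option declared with action="store_true" is the literal text True.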
Regards,
Pierre
2010/12/14 Allen Hewes <allen at decisiv.net>
>
> >
> > Hi Allen!
> >
> > You might want to look at the following post:
> >
> > http://www.mail-archive.com/fedora-buildsys-list@redhat.com/msg02187.html
> >
> > -of
>
> Hi Oliver,
>
> Thanks for the link. I had not come across this thread.
>
> It would appear that currently there isn't any method to sign RPMs within
> koji or mash. You can import prebuilt RPMs with signatures into Koji. I
> don't know much about importing RPMs into koji because I haven't had a need.
>
> Do the Fedora guys use the sign_unsigned.py script for the official Fedora
> yum repos? If so, how do they use mash? Because it looks to me that if you
> use this script, it does one of the steps mash does; fetching RPMs out of
> koji tags.
>
> I would have guessed that the Fedora guys generate their yum repos via mash
> from koji tags and then sign RPMs.
>
> I'd have to modify this script to suit my needs, but I think I could do it.
> It also looks like it relies on a newer version of RPM, the rpm command for
> key size == 4096 is one spot I noticed.
>
> Also, I have to enter a passphrase when I sign my RPMs but this script
> doesn't have any provisions for that. Is there a way to make rpm --resign
> not prompt for a passphrase?
>
> Has there been any talk about adding RPM signing to mash? It seems like
> that'd be a good place for it.
>
> Thanks,
>
> /allen