Signing built RPMs or how to create signed RPMs.

Oliver Falk oliver at linux-kernel.at
Tue Dec 14 20:00:23 UTC 2010


Hi Jesse!

Just want to mention that sigul might be a bit too much effort for a 
private (or even corporate) koji setup...

-of

On 14.12.2010 19:17, Jesse Keating wrote:
> On 12/13/10 9:54 PM, Allen Hewes wrote:
>>
>>>
>>> Hi Allen!
>>>
>>> You might want to look at the following post:
>>>
>>> http://www.mail-archive.com/fedora-buildsys-list@redhat.com/msg02187.html
>>>
>>> -of
>>
>> Hi Oliver,
>>
>> Thanks for the link. I had not come across this thread.
>>
>> It would appear that currently there isn't any method to sign RPMs
>> within koji or mash. You can import prebuilt RPMs with signatures
>> into Koji. I don't know much about importing RPMs into koji because I
>> haven't had a need.
>>
>> Do the Fedora guys use the sign_unsigned.py script for the official
>> Fedora yum repos? If so, how do they use mash? Because it looks to me
>> that if you use this script, it does one of the steps mash does;
>> fetching RPMs out of koji tags.
>>
>> I would have guessed that the Fedora guys generate their yum repos
>> via mash from koji tags and then sign RPMs.
>>
>> I'd have to modify this script to suit my needs, but I think I could
>> do it. It also looks like it relies on a newer version of RPM, the
>> rpm command for key size == 4096 is one spot I noticed.
>>
>> Also, I have to enter a passphrase when I sign my RPMs but this
>> script doesn't have any provisions for that. Is there a way to make
>> rpm --resign not prompt for a passphrase?
>>
>> Has there been any talk about adding RPM signing to mash? It seems
>> like that'd be a good place for it.
>>
>
> I think there is some confusion here.  sign_unsigned.py was our old
> tool.  I wrote a new one when we started using the sigul secure signing
> backend.
> https://fedorahosted.org/rel-eng/browser/scripts/sigulsign_unsigned.py
>
> This client interacts with the sigul bridge, which then interacts with
> the sigul server to actually rpmsign the files.  Then the signed headers
> get imported into koji, and we ask koji to write out a set of the rpms
> with the signed headers.  It's these signed copies that mash would fetch
> (if so configured).
>
> Because we do composes in automated or semi-automated fashion, and often
> these composes re-use many existing packages, it doesn't make sense to
> mash and then some hours later come back to punch in a passphrase to
> (re)sign a ton of rpms.  We sign and store them in koji so that they can
> be fetched later by automated tools.
>
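As an added example for this thread (not code from koji, sigul or the rel-eng sigulsign_unsigned.py script), here is the basic check that any "sign the unsigned ones" tool needs: does an RPM file already carry a GPG signature? It parses the RPM lead and the signature header directly and looks for the RSA/DSA header and PGP/GPG signature tags; the sample RPM bytes are constructed inline and contain no real signature.

```python
import struct

# Constructed helpers; not code from koji, sigul or sigulsign_unsigned.py.
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"      # header structure magic + version 1
LEAD_SIZE = 96
RPM_BIN, RPM_INT32 = 7, 4
# Signature-header tags that carry a GPG/PGP signature.
SIG_TAGS = {267: "DSA header", 268: "RSA header", 1002: "PGP", 1005: "GPG"}


def signature_tags(data: bytes) -> list:
    """Names of the signature tags present in an RPM's signature header."""
    if data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM file: bad lead magic")
    off = LEAD_SIZE
    if data[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    # magic(4) + reserved(4) + nindex(4) + hsize(4), then 16-byte index entries
    nindex, _hsize = struct.unpack(">II", data[off + 8:off + 16])
    index = data[off + 16:off + 16 + 16 * nindex]
    found = []
    for i in range(nindex):
        tag, _typ, _dataoff, _count = struct.unpack(">IIII", index[16 * i:16 * i + 16])
        if tag in SIG_TAGS:
            found.append(SIG_TAGS[tag])
    return found


def is_signed(data: bytes) -> bool:
    return bool(signature_tags(data))


def build_sample_rpm(signed: bool) -> bytes:
    """Constructed minimal lead + signature header (no main header or payload)."""
    lead = (RPM_LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)
            + b"sample-1.0-1".ljust(66, b"\0") + struct.pack(">HH", 1, 5) + b"\0" * 16)
    entries = [(1000, RPM_INT32, struct.pack(">I", 4096)),   # RPMSIGTAG_SIZE
               (1004, RPM_BIN, b"\x11" * 16)]                # RPMSIGTAG_MD5 (dummy)
    if signed:  # dummy blobs standing in for the RSA header and PGP signatures
        entries += [(268, RPM_BIN, b"\x22" * 8), (1002, RPM_BIN, b"\x33" * 8)]
    index, blob = b"", b""
    for tag, typ, payload in entries:
        count = len(payload) if typ == RPM_BIN else 1
        index += struct.pack(">IIII", tag, typ, len(blob), count)
        blob += payload
    header = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(blob)) + index + blob
    return lead + header
```

This only tells you whether a signature is present, not whether it is valid; on a real package, cross-check with `rpm -Kv file.rpm` against the keys you have imported.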