On 12/13/10 9:54 PM, Allen Hewes wrote:
> Hi Allen!
> You might want to look at the following post:
Thanks for link. I had not come across this thread.
It would appear that currently there isn't any method to sign RPMs
within koji or mash. You can import prebuilt RPMs with signatures
into Koji. I don't know much about importing RPMs into koji because I
haven't had a need.
Do the Fedora guys use the sign_unsigned.py script for the official
Fedora yum repos? If so, how do they use mash? Because it looks to me
that if you use this script, it does one of the steps mash does;
fetching RPMs out of koji tags.
I would have guessed that the Fedora guys generate their yum repos
via mash from koji tags and then sign RPMs.
I'd have to modify this script to suit my needs, but I think I could
do it. It also looks like it relies on a newer version of RPM, the
rpm command for key size == 4096 is one spot I noticed.
Also, I have to enter a passphrase when I sign my RPMs but this
script doesn't have any provisions for that. Is there a way to make
rpm --resign not prompt for a passphrase?
Has there been any talk about adding RPM signing to mash? It seems
like that'd be a good place for it.
I think there is some confusion here. sign_unsigned.py was our old
tool. I wrote a new one when we started using the sigul secure signing
This client interacts with the sigul bridge, which then interacts with
the sigul server to actually rpmsign the files. Then the signed headers
get imported into koji, and we ask koji to write out a set of the rpms
with the signed headers. It's these signed copies that mash would fetch
(if so configured).
Because we do composes in automated or semi-automated fashion, and often
these composes re-use many existing packages, it doesn't make sense to
mash and then some hours later come back to punch in a passphrase to
(re)sign a ton of rpms. We sign and store them in koji so that they can
be fetched later by automated tools.
Fedora -- Freedom² is a feature!