preservation of signed rpms
by Frank Ch. Eigler
Recently, fedora koji has started applying per-file (IMA) signatures
to RPMs it has built. This is in addition to the overall GPG
signature of the RPM payload as a whole. While this extra capability
is not yet fully developed in userspace, we do have one ready user
(elfutils debuginfod ), which is unfortunately frustrated by a
policy in the koji code base.
That policy problem is the periodic pruning of signed RPMs. That is,
"koji prune-signed-copies" is run on the fedora infra every now and
then. This operation nukes data/signed/KEYHEX/ARCH/N-V-R.rpm files.
While it leaves behind data/sigcache/ARCH/*, those files appear not to
include the IMA signature content. That means the IMA signatures are
simply lost, like tears in rain.
We'd like to correct this somehow - to make the IMA signatures
available indefinitely - at least as long as the built RPMs stay of
any interest. (That means: not restricted to the most-recent-update
of a given fedora release.)
1) have the pruning operate by replacing the unsigned binaries with the
signed ones (hardlink or rename)?
2) have the pruning operate on the unsigned binaries, preserving the
3) preserve the IMA signature content somewhere nearby (sigcache?)
to give us a chance at finding the data there after a prune
4) ---> some other way? <---
1 month, 1 week
Koji 1.32.0 release
by Tomas Kopecek
Koji 1.32.0 is out. As usual - Thanks to everyone who contributed!
You can read release notes here:
* #3587 - IMPORTANT: parts of hub are now regular python package. It also
needs a simple change in httpd.conf to point to the new location. It allows
us for better modularity and hub extensions in the future (new scheduler is
already using it)
* #3571, #3394 - Automatic renewal of expired sessions. For improved
security we've introduced short-lived sessions which can be automatically
extended without any user action.
* #3582 - Dropped ClamAV support from windows builders - cygwin clamav is
not supported in upstream anymore and content/source validation should
happen outside of koji.
* #3627 getRPMChecksums API call - now we store all file-based checksums
for signed rpms, not only signature headers + payload
* multiple DB-layer refactoring PRs
40 pull request
You can view the 1.33 roadmap at https://pagure.io/koji/roadmap/1.33
For the current roadmap, see https://pagure.io/koji/roadmap
You can download this and other releases at https://pagure.io/koji/releases
Tomas Kopecek <tkopecek(a)redhat.com>
RHEL Build Development, RedHat
1 month, 1 week