[resend] handling rpm signing for secondary arch packages
by Doug Chapman
Sorry if you get this twice, the fedora-secondary-list was bouncing but
appears to be working now so sending again to be sure everyone gets
this.
I would like to start a discussion about devising a procedure for
handling rpm package signing for secondary arches. When we released the
F9 beta for ia64 we did not sign the packages; however, I feel we should
take care of this for F9 final (or at least have a good reason for not
doing it).
We should probably have a unique key for each arch. Generating a key
and signing the packages itself isn't a big deal (I assume, I need to
learn how to do this but I understand the concept). The problem is
making sure it works cleanly on the user's end.
Currently the public key for the primary arches is saved in the
file /etc/pki/rpm-gpg/RPM-GPG-KEY and is part of the fedora-release
package. This is then hard coded into the yum configs.
So I have 3 rough ideas on how to handle this cleanly.
1: a special fedora-release package for each secondary arch that has the
appropriate keys (personally I don't like this idea but figured I would
mention it for discussion).
2: we move the keys from:
/etc/pki/rpm-gpg/RPM-GPG-KEY
to
/etc/pki/rpm-gpg/$basearch/RPM-GPG-KEY
Of course this means replicating the keys for x86 and ppc (and the
64-bit variants) in multiple places (but I guess those could be
symlinked); still, it would be fairly clean.
3: we do something similar to #2 but instead of using $basearch in the
path we have a post install script for the fedora-release rpm which
copies the appropriate key into /etc/pki/rpm-gpg/RPM-GPG-KEY based on
the arch of the system. The nice thing about this is it doesn't require
any changes to the primary arches. The script would only copy files
over if on one of the secondary arches.
Thoughts? I would like to get this resolved before long since it is one
of the final issues we want to fix before shipping F9 for ia64.
- Doug
15 years, 10 months
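An added illustration of option 3 from the message above (not part of the original thread and not Fedora's actual fedora-release scriptlet): a post-install step that installs a per-arch key only on secondary arches and refuses to overwrite the trusted key with a missing or malformed file. The per-arch directory layout, the list of primary arch names and the function name `install_arch_key` are assumptions made for the example.

```shell
#!/bin/sh
# Added sketch of option 3, not Fedora's fedora-release scriptlet.
# Assumed (hypothetical) layout: per-arch keys shipped as
#   <root>/etc/pki/rpm-gpg/<arch>/RPM-GPG-KEY
# and i386/x86_64/ppc/ppc64 taken as the primary arch names.

# install_arch_key ROOT ARCH
# ROOT is "" on a real system; a scratch directory when testing.
install_arch_key() {
    keydir="$1/etc/pki/rpm-gpg"
    arch=$2
    dest="$keydir/RPM-GPG-KEY"
    src="$keydir/$arch/RPM-GPG-KEY"

    case "$arch" in
        # Primary arches keep the key already shipped in the package.
        i386|x86_64|ppc|ppc64) return 0 ;;
    esac

    # Never replace the trusted key with a missing or empty file.
    if [ ! -s "$src" ]; then
        echo "fedora-release: no signing key for $arch" >&2
        return 1
    fi
    # Cheap sanity check: the file must be an ASCII-armored public key.
    if ! grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$src"; then
        echo "fedora-release: $src is not an armored public key" >&2
        return 1
    fi

    # Copy to a temp name, then rename, so yum never reads a partial key.
    tmp="$dest.new.$$"
    cp "$src" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest"
}

# Demo on a scratch tree with a constructed (non-functional) key file.
demo=$(mktemp -d)
mkdir -p "$demo/etc/pki/rpm-gpg/ia64"
echo "primary-arch key placeholder" > "$demo/etc/pki/rpm-gpg/RPM-GPG-KEY"
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' 'constructed' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$demo/etc/pki/rpm-gpg/ia64/RPM-GPG-KEY"
install_arch_key "$demo" ia64 && head -n 1 "$demo/etc/pki/rpm-gpg/RPM-GPG-KEY"
rm -rf "$demo"
```

In a real scriptlet the call would be `install_arch_key "" <arch>`, with the arch value mapped to whatever naming the key directories use.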
testing
by Doug Chapman
making sure it no longer bounces for me....
15 years, 11 months
Sorry for noise
by Dennis Gilmore
Testing a change, this is a brand new mailman install
15 years, 11 months
Welcome
by Dennis Gilmore
Welcome to the new list to discuss issues around Secondary architectures.
Dennis
15 years, 11 months
test list
by Dennis Gilmore
test new list
fedora-secondary-list(a)lists.fedoraproject.org
15 years, 11 months