On Tue, 2008-05-27 at 15:25 -0400, Tom "spot" Callaway wrote:
> On Tue, 2008-05-27 at 15:15 -0400, Doug Chapman wrote:
> > Adding Seth to the CC list per Spot's recommendation.
> >
> > Seth, what we are looking to do is find a clean way to handle secondary
> > arch packages (in this case ia64 but eventually sparc, s390, alpha and
> > arm as well) which are signed with a different key than the primary
> > arches.
> >
> > What we want to do is add a new key for ia64 to the fedora-release
> > package and not break any existing stuff. We would like to avoid a
> > special fedora-release package that is specific to each secondary arch.
> >
> > Do you have any suggestions from a yum point of view as to what would
> > work best here?
>
> It seems like just adding the additional keys as
> RPM-GPG-KEY-fedora-$BASEARCH makes sense, then just append the new keys
> to the key list in the repo config file.

The only hang-up there is the .repo file is config(noreplace) so your
changes wouldn't go out to existing users. If this is not a concern,
then yes, absolutely this is the simplest answer.

The other option is something I'd need to research a bit but I _think_
the yum gpg key handler will allow for multiple keys-per-file.

So we could, arguably, add the arch-specific keys to the KEY files. I
need to test this but it looks like yum will import all the keys in the
file and the keys are not config(noreplace) or even config.

-sv
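
The two options discussed in this thread, as an added example that is not part of the original messages and is not yum's own code: it lists the key URLs a `.repo` stanza references after variable expansion, and counts the armored key blocks inside a single key file. The `KEYDIR` path, the stanza, the key-file placeholders and the case-insensitive variable expansion are assumptions of this sketch.

```python
import configparser
import re

# Constructed sample: a repo stanza whose key list has the primary key plus
# a per-arch key. KEYDIR is a placeholder path, not a real location.
REPO_TEXT = """\
[fedora]
name=Fedora $releasever - $basearch
gpgcheck=1
gpgkey=file:///KEYDIR/RPM-GPG-KEY-fedora
       file:///KEYDIR/RPM-GPG-KEY-fedora-$BASEARCH
"""

# Constructed sample: one key file holding two armored blocks. The bodies
# are placeholders, not real key material.
KEY_FILE_TEXT = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----

(constructed placeholder: primary arch key)
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----

(constructed placeholder: ia64 key)
-----END PGP PUBLIC KEY BLOCK-----
"""

ARMOR = re.compile(
    r"-----BEGIN PGP PUBLIC KEY BLOCK-----.*?-----END PGP PUBLIC KEY BLOCK-----",
    re.S,
)

def gpgkey_urls(repo_text, section, yumvars):
    """Return the expanded gpgkey URL list for one repo section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    raw = cp.get(section, "gpgkey")
    # Entries may be separated by whitespace, newlines or commas.
    urls = [u for u in re.split(r"[\s,]+", raw.strip()) if u]
    # Assumption of this sketch: variable names are matched case-insensitively.
    expand = lambda m: yumvars.get(m.group(1).lower(), m.group(0))
    return [re.sub(r"\$(\w+)", expand, u) for u in urls]

def armored_blocks(text):
    """Return each ASCII-armored public key block found in a key file."""
    return ARMOR.findall(text)

if __name__ == "__main__":
    for url in gpgkey_urls(REPO_TEXT, "fedora", {"basearch": "ia64"}):
        print("referenced key:", url)
    print("blocks in key file:", len(armored_blocks(KEY_FILE_TEXT)))
```

Running the same check against an installed `.repo` file and its key files shows which keys a host would be asked to trust under either approach.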