-----Original Message-----
From: Doug Chapman [mailto:doug.chapman@hp.com]
Sent: Thursday, May 22, 2008 5:10 AM
To: fedora-secondary-list@lists.fedoraproject.org; tcallawa@redhat.com; Zhan, Yi
Subject: [resend] handling rpm signing for secondary arch packages
Currently the public key for the primary arches is saved in the
file /etc/pki/rpm-gpg/RPM-GPG-KEY and is part of the fedora-release
package. This is then hard coded into the yum configs.
So I have 3 rough ideas on how to handle this cleanly.
1: a special fedora-release package for each secondary arch that has the appropriate keys (personally I don't like this idea but figured I would mention it for discussion).
I agree this is the last choice.
2: we move the keys from:
/etc/pki/rpm-gpg/RPM-GPG-KEY
to
/etc/pki/rpm-gpg/$basearch/RPM-GPG-KEY
of course this means replicating the keys for x86 and ppc (and the 64 bit variants) in multiple places (but I guess those could be symlinked); still, it would be fairly clean.
3: we do something similar to #2 but instead of using $basearch in the path we have a post install script for the fedora-release rpm which copies the appropriate key into /etc/pki/rpm-gpg/RPM-GPG-KEY based on the arch of the system. The nice thing about this is it doesn't require any changes to the primary arches. The script would only copy files over if on one of the secondary arches.
In my eyes #2 is the best choice for us to solve this issue. Is there any possibility to get this done within a few days? We planned to have about 2 weeks of delay for f9 final and 10 days have already passed as of today. So if time doesn't work we may have to take #3 for ia64's f9 final.
For #3, it seems RPM-GPG-KEY can only take one public key? I did a simple test and found out that if a file holds two gpg pub keys, only the first one is recognized by "rpm --import". If this is the case, I'd prefer to cp the appropriate key into /etc/pki/rpm-gpg/RPM-GPG-KEY-$basearch and modify /etc/yum.repos.d/*. This looks more _ugly_ but also clearer; users could easily tell that we are using a different key from the primary's. Overwriting RPM-GPG-KEY is somewhat confusing even if we explicitly declare it in the release notes, since users would still be surprised some day, say several months after the release, when they "find out" they are using a different key via the same filename as the primary arches'.
Yi
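The following is an added example, not code from either poster or from Fedora. It stages the per-arch layout proposed in option #2 (/etc/pki/rpm-gpg/$basearch/RPM-GPG-KEY, referenced from a yum .repo file through a file:// gpgkey URL) and checks, before a fedora-release update ships, that every key file the repo config points at for a given arch exists and holds exactly one armored key block, which matters because Yi reports that "rpm --import" only picks up the first key in a multi-key file. The repo fragment, the directory tree and the armored key bodies are constructed placeholders; the key data is not a real signing key.

```python
"""Pre-ship check for per-arch RPM GPG keys (added example, not from the thread).

Assumes option #2's layout, /etc/pki/rpm-gpg/$basearch/RPM-GPG-KEY, referenced
from yum .repo files via file:// gpgkey URLs. Key material below is a
constructed placeholder, not a real Fedora signing key.
"""
import re
import tempfile
from pathlib import Path

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

# Constructed stand-in for an ASCII-armored key; the body is not valid key data.
FAKE_KEY = f"{BEGIN}\nVersion: placeholder\n\nbm90IGEgcmVhbCBrZXk=\n=AAAA\n{END}\n"

# Constructed yum repo fragment in the style the thread discusses.
REPO_FRAGMENT = """[fedora]
name=Fedora $releasever - $basearch
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/$basearch/RPM-GPG-KEY
"""


def count_key_blocks(text: str) -> int:
    """Count armored public-key blocks in a file; Yi reports rpm --import
    only picks up the first, so shipping more than one is a packaging bug."""
    begins, ends = text.count(BEGIN), text.count(END)
    if begins != ends:
        raise ValueError("unbalanced PGP armor headers")
    return begins


def gpgkey_paths(repo_text: str, basearch: str) -> list[str]:
    """Extract file:// gpgkey paths from a .repo fragment, expanding $basearch
    the way yum does for the running system."""
    paths = []
    for line in repo_text.splitlines():
        m = re.match(r"\s*gpgkey\s*=\s*(.+)", line)
        if not m:
            continue
        for url in m.group(1).split():
            url = url.replace("$basearch", basearch)
            if url.startswith("file://"):
                paths.append(url[len("file://"):])
    return paths


def check_layout(root: str, repo_text: str, basearch: str) -> list[str]:
    """Return problems found for one arch: missing key files or files that
    do not hold exactly one key block. root stands in for / so the check
    can run against a staged tree."""
    problems = []
    for path in gpgkey_paths(repo_text, basearch):
        f = Path(root) / path.lstrip("/")
        if not f.is_file():
            problems.append(f"{path}: missing")
            continue
        n = count_key_blocks(f.read_text())
        if n != 1:
            problems.append(f"{path}: {n} key blocks (expected 1)")
    return problems


def build_fixture() -> str:
    """Stage a constructed /etc/pki/rpm-gpg tree: x86_64 correct, ia64 with two
    keys concatenated (the mistake the thread warns about), ppc absent."""
    root = tempfile.mkdtemp()
    for arch, content in (("x86_64", FAKE_KEY), ("ia64", FAKE_KEY * 2)):
        d = Path(root) / "etc/pki/rpm-gpg" / arch
        d.mkdir(parents=True)
        (d / "RPM-GPG-KEY").write_text(content)
    return root


if __name__ == "__main__":
    staged = build_fixture()
    for arch in ("x86_64", "ia64", "ppc"):
        print(arch, check_layout(staged, REPO_FRAGMENT, arch) or "ok")
```

Run against a staged build root instead of the temp fixture by passing its path as `root`; the same check works for Yi's RPM-GPG-KEY-$basearch variant as long as the .repo file's gpgkey line is the one being parsed, since only the expanded path is compared.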