Best way to sign packages before adding to the repos?

Dan Williams dcbw at redhat.com
Thu Nov 17 03:12:45 UTC 2005


On Wed, 2005-11-16 at 17:43 -0500, Chris Weyl wrote:
> Hey all--
> 
> Ok, so here's a question.  What's the best way to sign a package(s)
> before adding it to the repository?  I was thinking that the easiest
> way to do this would be while it's sitting in the "needsign/success"
> state, but it looks like it's actually being added to the repository
> before that state.
> 
> Is there an easy way to do this?  Or even a not-so-easy one?  <grin>

The way Fedora Extras does it right now, there's a cron job or something
that pushes the built RPMs to the real repository directory and signs
them at that point.

If you want to use the repository the build server dumps built RPMs
into, then you can use the repo scripts feature of the build server.
There's a config option in each target file on the build server which
accepts a path to the repo script.  That script is run after RPMs have
been copied to the repo, and is given 1 argument: the target
string for the repo, which takes the form of something like
"fedora-development-core" or "fedora-extras-4".  You could probably do
the signing from that script.

Some issues to know about repo scripts:  they are called every time
packages are added to the repository.  That means, if you want to do
stuff only at certain times, like midnight, you have to do time tracking
yourself to make sure your script is only called every 24 hours.  Also,
the build server blocks while the script runs, so it will kill the
script after 1 hour of runtime to make sure that stuff doesn't block for
too long.

This part hasn't been too tested or fleshed out, so if you think of
ideas for improvements, feel free to propose them.

Dan
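
A sketch of a repo script along the lines described in the message above. This is an added example, not part of the original post and not the build server's own code. It takes the target string as its one argument, does its own time tracking, and signs only packages it has not signed yet. REPO_ROOT, STATE_DIR, SIGN_CMD, MIN_INTERVAL and the one-directory-per-target layout are assumptions.

```shell
#!/bin/sh
# Added example of a repo script; not the build server's own code.
# Assumed names: REPO_ROOT, STATE_DIR, SIGN_CMD, MIN_INTERVAL.
REPO_ROOT="${REPO_ROOT:-/srv/repo}"          # assumed: one subdirectory per target
STATE_DIR="${STATE_DIR:-/var/tmp/repo-sign}" # stamp and signed-file list live here
SIGN_CMD="${SIGN_CMD:-rpm --addsign}"        # key comes from %_gpg_name in ~/.rpmmacros
MIN_INTERVAL="${MIN_INTERVAL:-86400}"        # seconds between signing runs

# Accept only target strings shaped like "fedora-extras-4".
valid_target() {
    case "$1" in
        ""|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# The script is called on every repo update, so track the last run ourselves.
due() {
    [ -f "$STATE_DIR/$1.stamp" ] || return 0
    last=$(cat "$STATE_DIR/$1.stamp")
    [ $(( $(date +%s) - last )) -ge "$MIN_INTERVAL" ]
}

# Sign each RPM under the target that is not yet in the signed list.
sign_target() {
    target="$1"
    valid_target "$target" || { echo "bad target: $target" >&2; return 2; }
    [ -d "$REPO_ROOT/$target" ] || { echo "no repo dir for $target" >&2; return 2; }
    mkdir -p "$STATE_DIR" || return 1
    due "$target" || return 0
    list="$STATE_DIR/$target.signed"
    touch "$list" || return 1
    find "$REPO_ROOT/$target" -type f -name '*.rpm' | while IFS= read -r f; do
        grep -Fxq -- "$f" "$list" && continue
        $SIGN_CMD "$f" </dev/null || exit 1  # stop on the first failure
        printf '%s\n' "$f" >> "$list"
    done || return 1                         # no stamp on failure: retry next call
    date +%s > "$STATE_DIR/$target.stamp"
}

# Entry point: the build server passes the target string as the only argument.
if [ "$#" -eq 1 ]; then
    sign_target "$1"
fi
```

Because each file is recorded as soon as it is signed and the stamp is written only at the end, a run killed at the 1-hour limit picks up the remaining packages on the next call.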




