Signing RPMs

Josh Boyer jwboyer at gmail.com
Wed Nov 11 13:15:36 UTC 2009


On Tue, Nov 10, 2009 at 11:24:50PM -0800, Jitesh Shah wrote:
>So, I picked up the sign_unsigned.py script from releng. I replaced the keys in there with our keys, tweaked some minor stuff here and there and managed to get it running. 
>I use it as 
>"./sign_unsigned.py --level <level> <tag-name>"
>and it runs alright. I can see that the signatures are cached under the sigcache directory (but NOT embedded in the rpms themselves, which makes sense since the rpm can probably be a part of different tags and might be signed differently within each tag)
>
>So, I thought, well, mash would be the one which'll embed the keys in the rpms. So, I set strict_keys to True and added my key to the keys list in my .mash file. mash has no problems with the rpms and it can verify the signatures alright. But, it still doesn't embed the signatures in the rpm (is it supposed to?). So, the created repository still has all rpms unsigned.
>
>What am I missing here? Where do the rpms actually get signed?

The sign_unsigned script should eventually do a koji API call to do
'write-signed-rpm' on the packages you are signing.  That will assemble signed
RPMs in koji itself, which mash will download and use.

Fedora Rel-Eng doesn't use sign_unsigned anymore because we have a signing
server set up now.  However, it should still work.

josh
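The flow Josh describes, written out as an added example (it is not the releng sign_unsigned.py script and not koji's own code): walk a tag, make sure koji's sigcache holds a signature by the key, then ask the hub to write the signed RPM, which is the copy mash downloads. It assumes a koji session object exposing listTagged, listBuildRPMs, queryRPMSigs, addRPMSig and writeSignedRPM, and a caller-supplied make_sighdr function that returns the RPM signature header bytes (for instance rpm --addsign on a downloaded copy followed by koji.rip_rpm_sighdr). The key id and package names used in the comments are constructed placeholders. The second half is the check the original poster wanted: query the RPM mash actually wrote and see whether a signature is embedded.

```python
"""Push cached signatures through koji so mash sees signed RPMs.

Added example, not the releng sign_unsigned.py script.  Assumes a koji
session with listTagged/listBuildRPMs/queryRPMSigs/addRPMSig/writeSignedRPM
and a caller-supplied make_sighdr(rpm) -> bytes (e.g. rpm --addsign on a
downloaded copy, then koji.rip_rpm_sighdr on the result).
"""
import base64
import re
import subprocess


def nvra(rpm):
    """koji rpm dict -> name-version-release.arch string."""
    return "%(name)s-%(version)s-%(release)s.%(arch)s" % rpm


def sign_tag(session, tag, keyid, make_sighdr):
    """Ensure every RPM in `tag` has a signature by `keyid` in koji's
    sigcache *and* a signed copy written out, which is what mash downloads.

    make_sighdr(rpm) must return the raw signature header bytes for the
    RPM described by the koji dict `rpm` (assumed; supplied by the caller).
    Returns (newly_signed, already_cached, written) lists of NVRAs.
    """
    keyid = keyid.lower()           # koji stores sigkeys as lowercase hex
    newly_signed, already_cached, written = [], [], []
    for build in session.listTagged(tag, latest=True):
        for rpm in session.listBuildRPMs(build["id"]):
            name = nvra(rpm)
            cached = [s for s in session.queryRPMSigs(rpm_id=rpm["id"])
                      if s["sigkey"].lower() == keyid]
            if cached:
                already_cached.append(name)
            else:
                sighdr = make_sighdr(rpm)
                # the XML-RPC API takes the signature header base64-encoded
                session.addRPMSig(rpm["id"],
                                  base64.b64encode(sighdr).decode("ascii"))
                newly_signed.append(name)
            # The step the thread was missing: a signature that only sits in
            # the sigcache is invisible to mash until the hub assembles the
            # signed RPM.  writeSignedRPM fails if no signature is cached.
            session.writeSignedRPM(rpm["id"], keyid)
            written.append(name)
    return newly_signed, already_cached, written


_KEYID = re.compile(r"Key ID ([0-9a-f]{8,16})\s*$", re.IGNORECASE)


def parse_pgpsig(qf_output):
    """Key id from rpm's `%{SIGPGP:pgpsig}|%{SIGGPG:pgpsig}` output, or
    None when rpm prints '(none)' for both (the RPM carries no signature)."""
    for field in qf_output.strip().split("|"):
        m = _KEYID.search(field)
        if m:
            return m.group(1).lower()
    return None


def embedded_key(path):
    """Query the on-disk RPM that mash wrote; signing key id or None."""
    out = subprocess.check_output(
        ["rpm", "-qp", "--nosignature", "--qf",
         "%{SIGPGP:pgpsig}|%{SIGGPG:pgpsig}\n", path])
    return parse_pgpsig(out.decode("utf-8", "replace"))
```

Run embedded_key against a few files under the mash output directory: a key id coming back means the hub wrote the signed copy and mash picked it up; "(none)" for both fields means the signature never left the sigcache, which is the symptom described above.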
