Signing RPMs

Dennis Gilmore dennis at ausil.us
Wed Nov 11 16:08:22 UTC 2009


On Wednesday 11 November 2009 07:15:36 am Josh Boyer wrote:
> On Tue, Nov 10, 2009 at 11:24:50PM -0800, Jitesh Shah wrote:
> >So, I picked up the sign_unsigned.py script from releng. I replaced the
> > keys in there with our keys, tweaked some minor stuff here and there and
> > managed to get it running. I use it as
> >"./sign_unsigned.py --level <level> <tag-name>"
> >and it runs alright. I can see that the signatures are cached under the
> > sigcache directory (but NOT embedded in the rpms themselves, which makes
> > sense since the rpm can probably be a part of different tags and might be
> > signed differently within each tag)
> >
> >So, I thought, well, mash would be the one which'll embed the keys in the
> > rpms. So, I set strict_keys to True.. added my key to the keys list in my
> > .mash file. mash has no problems with the rpms and it can verify the
> > signatures alright. But, it still doesn't embed the signatures in the rpm
> > (is it supposed to?). So, the created repository still has all rpms
> > unsigned.
> >
> >What am I missing here? Where do the rpms get signed actually?
> 
> The sign_unsigned script should eventually do a koji API call to do
> 'write-signed-rpm' on the packages you are signing.  That will assemble
>  signed RPMs in koji itself, which mash will download and use.
> 
> Fedora Rel-Eng doesn't use sign_unsigned anymore because we have a signing
> server setup now.  However, it should still work.
It still works. EPEL releng still uses it. You need to make sure to add
--write-rpms to your command. The signed rpms will then get written.

Dennis
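The flow described in this thread (signatures cached on the hub by sign_unsigned, then a write-signed-rpm call so koji assembles the signed copies that mash downloads), as an added example that is not the releng sign_unsigned.py script and not Fedora/EPEL code. It assumes a session object exposing koji's hub methods listTagged, listRPMs, queryRPMSigs and writeSignedRPM (a logged-in koji.ClientSession provides these); the FakeSession and its data are constructed so the script runs offline.

```python
def cached_sigs_for_tag(session, tag, sigkey):
    """Return (rpm_id, nvra) for each RPM in `tag` whose signature for `sigkey`
    is already cached on the hub (what sign_unsigned leaves in sigcache)."""
    sigkey = sigkey.lower()  # koji stores key ids lowercase
    found = []
    for build in session.listTagged(tag, inherit=False, latest=True):
        for rpm in session.listRPMs(buildID=build["build_id"]):
            keys = {s["sigkey"].lower() for s in session.queryRPMSigs(rpm_id=rpm["id"])}
            if sigkey in keys:
                nvra = "%s-%s-%s.%s" % (rpm["name"], rpm["version"], rpm["release"], rpm["arch"])
                found.append((rpm["id"], nvra))
    return found


def write_signed_copies(session, tag, sigkey):
    """The step --write-rpms adds: ask the hub to write the signed RPM copy for
    every cached signature, so mash has signed files to download. Returns the
    NVRAs that were written."""
    written = []
    for rpm_id, nvra in cached_sigs_for_tag(session, tag, sigkey):
        session.writeSignedRPM(rpm_id, sigkey.lower())
        written.append(nvra)
    return written


class FakeSession:
    """Constructed stand-in for koji.ClientSession so the example runs offline.
    foo's rpms have a cached signature for the constructed key id cafebabe; bar has none."""

    def __init__(self):
        self.builds = {"epel-testing": [{"build_id": 1, "nvr": "foo-1.0-1.el5"},
                                        {"build_id": 2, "nvr": "bar-2.0-1.el5"}]}
        self.rpms = {1: [{"id": 10, "name": "foo", "version": "1.0", "release": "1.el5", "arch": "x86_64"},
                         {"id": 11, "name": "foo", "version": "1.0", "release": "1.el5", "arch": "src"}],
                     2: [{"id": 20, "name": "bar", "version": "2.0", "release": "1.el5", "arch": "noarch"}]}
        self.sigs = {10: [{"rpm_id": 10, "sigkey": "cafebabe", "sighash": "00" * 16}],
                     11: [{"rpm_id": 11, "sigkey": "cafebabe", "sighash": "00" * 16}],
                     20: []}
        self.written = []  # rpm ids the hub was asked to write signed copies of

    def listTagged(self, tag, inherit=False, latest=False):
        return list(self.builds.get(tag, []))

    def listRPMs(self, buildID):
        return list(self.rpms.get(buildID, []))

    def queryRPMSigs(self, rpm_id):
        return list(self.sigs.get(rpm_id, []))

    def writeSignedRPM(self, an_rpm, sigkey, force=False):
        if sigkey not in {s["sigkey"] for s in self.sigs.get(an_rpm, [])}:
            raise RuntimeError("no cached signature for rpm %s" % an_rpm)  # hub raises GenericError
        self.written.append(an_rpm)
```

Running `write_signed_copies(FakeSession(), "epel-testing", "CAFEBABE")` writes only foo's two rpms; bar stays unsigned because nothing was cached for it, which is the state the original poster saw in the mash output.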