Signing RPMs

Steve Traylen steve.traylen at cern.ch
Wed Nov 11 16:11:13 UTC 2009


On Wed, Nov 11, 2009 at 5:08 PM, Dennis Gilmore <dennis at ausil.us> wrote:
> On Wednesday 11 November 2009 07:15:36 am Josh Boyer wrote:
>> On Tue, Nov 10, 2009 at 11:24:50PM -0800, Jitesh Shah wrote:
>> >So, I picked up the sign_unsigned.py script from releng. I replaced the
>> > keys in there with our keys, tweaked some minor stuff here and there and
>> > managed to get it running. I use it as
>> >"./sign_unsigned.py --level <level> <tag-name>"
>> >and it runs alright. I can see that the signatures are cached under the
>> > sigcache directory (but NOT embedded in the rpms themselves, which makes
>> > sense since the rpm can probably be a part of different tags and might be
>> > signed differently within each tag)
>> >
>> >So, I thought, well, mash would be the one which'll embed the keys in the
>> > rpms. So, I set strict_keys to True.. added my key to the keys list in my
>> > .mash file. mash has no problems with the rpms and it can verify the
>> > signatures alright. But, it still doesn't embed the signatures in the rpm
>> > (is it supposed to?). So, the created repository still has all rpms
>> > unsigned.
>> >
>> >What am I missing here? Where do the rpms get signed actually?
>>
>> The sign_unsigned script should eventually do a koji API call to do
>> 'write-signed-rpm' on the packages you are signing.  That will assemble
>>  signed RPMs in koji itself, which mash will download and use.
>>
>> Fedora Rel-Eng doesn't use sign_unsigned anymore because we have a signing
>> server setup now.  However, it should still work.
> it still works. EPEL releng still uses it. you need to make sure to add
> --write-rpms to your command. the signed rpms will then get written.
>

I too have wanted to get this to work.

I expect I have my key definition wrong, traceback below.

I have,
        self.gpg_keys = {
            '89D891FB': { 'name': 'oatrelease',
                          'description': 'EGEE SA1 (Operations Automation Team) <egee3-operations-automation-discuss at cern.ch>',
                          }
        }

with

$ gpg --list-keys
/home/sign/.gnupg/pubring.gpg
-----------------------------
pub   1024D/47EBAC2B 2009-11-11 [expires: 2019-11-09]
uid                  EGEE SA1 (Operations Automation Team) <egee3-operations-automation-discuss at cern.ch>
sub   2048g/89D891FB 2009-11-11 [expires: 2019-11-09]

Traceback (most recent call last):
  File "./sign_unsigned.py", line 734, in <module>
    x.run_command()
  File "./sign_unsigned.py", line 285, in run_command
    cmd()
  File "./sign_unsigned.py", line 728, in cmd_default
    self.sign_to_cache(uncached, self.options.level)
  File "./sign_unsigned.py", line 638, in sign_to_cache
    self.do_signing(pkglist, level)
  File "./sign_unsigned.py", line 601, in do_signing
    cmd = self.get_signing_command(level, mypaths[:nlen],
server=self.options.server)
  File "./sign_unsigned.py", line 587, in get_signing_command
    if self.gpg_keys[keyid]['size'] == 4096:
KeyError: None

> Dennis

-- 
Steve Traylen
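The post above configures gpg_keys with '89D891FB', which the quoted `gpg --list-keys` output shows as the 2048g (ElGamal, encrypt-only) subkey, while the 1024D primary 47EBAC2B is the key that actually makes signatures, and the traceback shows get_signing_command reading a 'size' field the posted table does not have. The script below is an added example, not code from sign_unsigned.py or from the thread: it parses the classic `gpg --list-keys` layout (the sample is the listing quoted in the post) and checks a gpg_keys table of the same shape against it. It does not diagnose the KeyError: None itself, which means keyid was already None when the dict lookup ran; it covers what the table must contain once that lookup succeeds. The algorithm-letter tables and the 'size' check are assumptions drawn from the gpg output format and from line 587 of the traceback.

```python
import re

# Constructed sample: the `gpg --list-keys` output quoted in the post.
SAMPLE_LISTING = """\
/home/sign/.gnupg/pubring.gpg
-----------------------------
pub   1024D/47EBAC2B 2009-11-11 [expires: 2019-11-09]
uid                  EGEE SA1 (Operations Automation Team) <egee3-operations-automation-discuss at cern.ch>
sub   2048g/89D891FB 2009-11-11 [expires: 2019-11-09]
"""

# Key table in the shape sign_unsigned.py's self.gpg_keys uses (from the post).
GPG_KEYS = {
    '89D891FB': {'name': 'oatrelease',
                 'description': 'EGEE SA1 (Operations Automation Team) '
                                '<egee3-operations-automation-discuss at cern.ch>'},
}

# "pub   1024D/47EBAC2B ..." -> kind, bits, algorithm letter, key id.
KEY_LINE = re.compile(r'^(pub|sub)\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8,16})\b')

# Algorithm letters in classic gpg listings (assumed subset): D = DSA and
# R = RSA can sign; lowercase g is ElGamal encrypt-only and can never sign.
SIGNING_ALGOS = {'D': 'DSA', 'R': 'RSA'}
ENCRYPT_ONLY_ALGOS = {'g': 'ElGamal encrypt-only'}


def parse_listing(text):
    """Map key id -> {kind, bits, algo, primary} from gpg --list-keys output.

    `primary` is the id of the pub key a sub line belongs to (gpg prints
    subkeys directly under their primary), so a subkey can be traced back.
    """
    keys = {}
    primary = None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue  # uid lines, ring path, separators
        kind, bits, algo, keyid = m.groups()
        keyid = keyid.upper()
        if kind == 'pub':
            primary = keyid
        keys[keyid] = {'kind': kind, 'bits': int(bits),
                       'algo': algo, 'primary': primary}
    return keys


def check_key_table(gpg_keys, listing):
    """Return {keyid: [problem, ...]} for entries that cannot work as configured."""
    keyring = parse_listing(listing)
    problems = {}
    for keyid, entry in gpg_keys.items():
        issues = []
        info = keyring.get(keyid.upper())
        if info is None:
            issues.append('%s is not in the keyring' % keyid)
        else:
            if info['algo'] in ENCRYPT_ONLY_ALGOS:
                # The signature (and the key id rpm -K reports) comes from the
                # signing-capable key, here the primary, not this subkey.
                issues.append('%s is a %s subkey and cannot sign; the '
                              'signing key is %s'
                              % (keyid, ENCRYPT_ONLY_ALGOS[info['algo']],
                                 info['primary']))
            elif info['algo'] not in SIGNING_ALGOS:
                issues.append('%s has unrecognised algorithm letter %r'
                              % (keyid, info['algo']))
            # get_signing_command reads gpg_keys[keyid]['size'] (traceback).
            if 'size' not in entry:
                issues.append("missing 'size'; keyring says %d bits"
                              % info['bits'])
            elif entry['size'] != info['bits']:
                issues.append("'size' is %r but keyring says %d bits"
                              % (entry['size'], info['bits']))
        if issues:
            problems[keyid] = issues
    return problems


if __name__ == '__main__':
    for keyid, issues in check_key_table(GPG_KEYS, SAMPLE_LISTING).items():
        for issue in issues:
            print('%s: %s' % (keyid, issue))
```

Run it against your own `gpg --list-keys` output by replacing SAMPLE_LISTING; an empty result means every configured id is a signing-capable key present in the keyring with a 'size' that matches its bit length.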