Signing built RPMs or how to create signed RPMs.
Oliver Falk
oliver at linux-kernel.at
Tue Dec 14 07:49:14 UTC 2010
Hi Allen!
I'm not sure how the Fedora guys do it... There's a lot of black
(scripting) magic involved I guess. :-)
And yes, the script is already using the the larger key size, but that's
not hard to "fix"...
Come on guys, show us your dirty little tricks! :-P
Best,
Oliver
Am 14.12.2010 06:54, schrieb Allen Hewes:
>
>>
>> Hi Allen!
>>
>> You might want to look at the following post:
>>
>> http://www.mail-archive.com/fedora-buildsys-list@redhat.com/ms
> g02187.html
>>
>> -of
>
> Hi Oliver,
>
> Thanks for link. I had not come across this thread.
>
> It would appear that currently there isn't any method to sign RPMs within koji or mash. You can import prebuilt RPMs with signatures into Koji. I don't know much about importing RPMs into koji because I haven't had a need.
>
> Do the Fedora guys use the sign_unsigned.py script for the official Fedora yum repos? If so, how do they use mash? Because it looks to me that if you use this script, it does one of the steps mash does; fetching RPMs out of koji tags.
>
> I would have guessed that the Fedora guys generate their yum repos via mash from koji tags and then sign RPMs.
>
> I'd have to modify this script to suit my needs, but I think I could do it. It also looks like it relies on a newer version of RPM, the rpm command for key size == 4096 is one spot I noticed.
>
> Also, I have to enter a passphrase when I sign my RPMs but this script doesn't have any provisions for that. Is there a way to make rpm --resign not prompt for a passphrase?
>
> Has there been any talk about adding RPM signing to mash? It seems like that'd be a good place for it.
>
> Thanks,
>
> /allen
> --
> buildsys mailing list
> buildsys at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/buildsys
More information about the buildsys
mailing list