Signing built RPMs or how to create signed RPMs.
Oliver Falk
oliver at linux-kernel.at
Tue Dec 14 13:12:14 UTC 2010
On 12/14/2010 02:03 PM, Josh Boyer wrote:
> On Tue, Dec 14, 2010 at 7:58 AM, Oliver Falk<oliver at linux-kernel.at> wrote:
>>> There are no dirty tricks. It essentially goes:
>>>
>>> 1) RPMs built in koji
>>> 2) sign_unsigned.py is run against various koji tags. Either
>>> dist-f1x-candidates or dist-f1x-updates-testing, or whichever need to
>>> be signed. NOTE: rawhide is not signed
>>> 3) mash is run against the tag after the RPMs have all been signed.
>>> 4) Bodhi does some symlink switching after all the mashes have
>>> completed successfully and the new repos are pushed to the mirrors.
>>>
>>> That's it. No tricks, nothing super efficient.
>>>
>>> At some point, there was discussion on having koji do the signing
>>> automatically after a build completes. I think that is still a long
>>> term plan, but it requires a project to use a single key for all
>>> packages.
>>
>>
>> Sorry Josh. This wasn't meant as offence! I just never saw any
>> documentation about this part - maybe I just didn't look hard enough. :-)
>
> Oh, I wasn't offended in the slightest.
Fine.
> If anything I was wishing we had dirty tricks, because how it is
> done right now is fairly inefficient.
That's true!
> And yes, there should be more documentation in this area under the
> RelEng SOPs. I'll take the blame for that, as I never got around to
> writing it.
:-) I know that problem!
-of
More information about the buildsys
mailing list