Signing built RPMs or how to create signed RPMs.
Christos Triantafyllidis
ctria at grid.auth.gr
Tue Dec 14 13:20:26 UTC 2010
On Dec 14, 2010, at 2:50 PM, Josh Boyer wrote:
> On Tue, Dec 14, 2010 at 2:49 AM, Oliver Falk <oliver at linux-kernel.at> wrote:
>> Hi Allen!
>>
>> I'm not sure how the Fedora guys do it... There's a lot of black
>> (scripting) magic involved I guess. :-)
>>
>> And yes, the script is already using the the larger key size, but that's
>> not hard to "fix"...
>>
>> Come on guys, show us your dirty little tricks! :-P
>
> There are no dirty tricks. It essentially goes:
>
> 1) RPMs built in koji
> 2) sign_unsigned.py is run against various koji tags. Either
> dist-f1x-candidates or dist-f1x-updates-testing, or whichever need to
> be signed. NOTE: rawhide is not signed
> 3) mash is run against the tag after the RPMs have all been signed.
> 4) Bodhi does some symlink switching after all the mashes have
> completed successfully and the new repos are pushed to the mirrors.
>
> That's it. No tricks, nothing super efficient.
>
> At some point, there was discussion on having koji do the signing
> automatically after a build completes. I think that is still a long
> term plan, but it requires a project to use a single key for all
> packages.
>
> josh
Hi Josh, all,
i'm reading this thread and i think that i've missed some point. What is the purpose of signing an RPM if you sign it on an online machine? I haven't seen the sign_unsigned.py source yet but i guess what should be there is a mechanism that should download the unsigned RPMs, then a manual operation of RPM sign (possibly on an offline or at least access restricted node), and then another script to import the signed RPMs (or just the signatures).
Am i seeing this from a wrong perspective? does Fedora really sign the RPMs online? I guess this gets even worse if the sign operation is done more efficiently, automatically after each koji build.
I hope i don't sound offensive, but these were my thoughts as i want/need to implement something like this in our local koji installation and i hoped that you were using something more sophisticated.
Regards,
Christos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3330 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/buildsys/attachments/20101214/81b88740/attachment.bin
More information about the buildsys
mailing list