Signing built RPMs or how to create signed RPMs.

Christos Triantafyllidis ctria at grid.auth.gr
Tue Dec 14 13:20:26 UTC 2010


On Dec 14, 2010, at 2:50 PM, Josh Boyer wrote:

> On Tue, Dec 14, 2010 at 2:49 AM, Oliver Falk <oliver at linux-kernel.at> wrote:
>> Hi Allen!
>> 
>> I'm not sure how the Fedora guys do it... There's a lot of black
>> (scripting) magic involved I guess. :-)
>> 
>> And yes, the script is already using the larger key size, but that's
>> not hard to "fix"...
>> 
>> Come on guys, show us your dirty little tricks! :-P
> 
> There are no dirty tricks.  It essentially goes:
> 
> 1) RPMs built in koji
> 2) sign_unsigned.py is run against various koji tags.  Either
> dist-f1x-candidates or dist-f1x-updates-testing, or whichever need to
> be signed.  NOTE: rawhide is not signed
> 3) mash is run against the tag after the RPMs have all been signed.
> 4) Bodhi does some symlink switching after all the mashes have
> completed successfully and the new repos are pushed to the mirrors.
> 
> That's it.  No tricks, nothing super efficient.
> 
> At some point, there was discussion on having koji do the signing
> automatically after a build completes.  I think that is still a long
> term plan, but it requires a project to use a single key for all
> packages.
> 
> josh

Hi Josh, all,

I'm reading this thread and I think that I've missed some point. What is the purpose of signing an RPM if you sign it on an online machine? I haven't seen the sign_unsigned.py source yet, but I guess what should be there is a mechanism that downloads the unsigned RPMs, then a manual RPM sign operation (possibly on an offline or at least access-restricted node), and then another script to import the signed RPMs (or just the signatures).

Am I seeing this from the wrong perspective? Does Fedora really sign the RPMs online? I guess this gets even worse if the sign operation is done more efficiently, automatically after each koji build.

I hope I don't sound offensive, but these were my thoughts, as I want/need to implement something like this in our local koji installation and I hoped that you were using something more sophisticated.

Regards,
Christos
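Added example, not part of the original message and not Fedora's sign_unsigned.py: any "sign the unsigned" step, whether run online or feeding an offline signing host, first has to tell signed packages from unsigned ones, which the RPM signature header answers directly. The magic values and tag numbers below are from the RPM file format; the two sample packages are constructed in-memory fixtures with dummy signature blobs, not real RPMs.

```python
import struct

# RPM on-disk layout: 96-byte lead, then the signature header, then the main header and payload.
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
LEAD_SIZE = 96
# Signature-header tags that carry a package signature (rpm's rpmtag.h numbering).
SIGNATURE_TAGS = {1002: "PGP", 1005: "GPG", 267: "DSA", 268: "RSA"}
# Byte width of the fixed-size entry types: CHAR, INT8, INT16, INT32, INT64, BIN.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}

def parse_signature_header(data: bytes) -> dict:
    """Return {tag: raw bytes} for every entry in the RPM signature header."""
    if data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    hdr = data[LEAD_SIZE:]
    if hdr[:4] != HEADER_MAGIC:
        raise ValueError("signature header magic missing")
    nindex, hsize = struct.unpack(">II", hdr[8:16])   # entry count, data store size
    store = hdr[16 + 16 * nindex:16 + 16 * nindex + hsize]
    entries = {}
    for i in range(nindex):
        tag, typ, offset, count = struct.unpack(">IIII", hdr[16 + 16 * i:32 + 16 * i])
        if typ in TYPE_SIZES:
            entries[tag] = store[offset:offset + count * TYPE_SIZES[typ]]
        else:  # STRING-type entries are NUL-terminated
            entries[tag] = store[offset:store.index(b"\0", offset)]
    return entries

def signature_tags(data: bytes) -> list:
    """Names of the signature tags present, e.g. ['GPG', 'RSA']; empty list if unsigned."""
    return sorted(SIGNATURE_TAGS[t] for t in parse_signature_header(data) if t in SIGNATURE_TAGS)

def is_signed(data: bytes) -> bool:
    return bool(signature_tags(data))

def build_rpm_prefix(entries) -> bytes:
    """Constructed fixture: lead + signature header only, with entries as (tag, type, payload)."""
    index, store = b"", b""
    for tag, typ, payload in entries:
        index += struct.pack(">IIII", tag, typ, len(store), len(payload) // TYPE_SIZES[typ])
        store += payload
    head = HEADER_MAGIC + b"\0\0\0\0" + struct.pack(">II", len(entries), len(store))
    return RPM_LEAD_MAGIC + bytes(LEAD_SIZE - 4) + head + index + store

# Constructed samples: an unsigned package carries only SIZE (1000) and MD5 (1004); a signed
# one additionally carries GPG (1005) and RSA (268) blobs (dummy bytes stand in for them).
UNSIGNED_RPM = build_rpm_prefix([(1000, 4, b"\x00\x00\x10\x00"), (1004, 7, bytes(16))])
SIGNED_RPM = build_rpm_prefix([(1000, 4, b"\x00\x00\x10\x00"), (1004, 7, bytes(16)),
                               (1005, 7, b"\x89" * 72), (268, 7, b"\x89" * 72)])
```

Presence of a tag only says a signature was attached; whether it verifies against the trusted key is a separate step (rpm --checksig does both), and a header-only check like this is what lets a script select the packages to hand to the signing host without itself holding the key.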
