how can I sign rpms in koji?

Mátyás Selmeci matyas at cs.wisc.edu
Sat Jan 17 03:03:21 UTC 2015


On 01/16/15 20:19, Dennis Gilmore wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 16 Jan 2015 13:25:45 -0600
> Mátyás Selmeci <matyas at cs.wisc.edu> wrote:
>
>> On 01/16/15 11:53, Dennis Gilmore wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On Fri, 16 Jan 2015 10:44:40 -0600
>>> Mátyás Selmeci <matyas at cs.wisc.edu> wrote:
>>>
>>>> On 01/16/15 01:39, Miroslav Suchý wrote:
>>>>> On 01/16/2015 03:30 AM, Mátyás Selmeci wrote:
>>>>>> I have imported several rpms into our koji without realizing that
>>>>>> they were unsigned. I'd like to sign them with our gpg key, but I
>>>>>> can't figure out how to do that after the fact. We use the
>>>>>> signing plugin from https://fedorahosted.org/koji/ticket/203,
>>>>>> but that only works for rpms we build ourselves.
>>>>> You might find useful:
>>>>>      https://fedorahosted.org/katello/wiki/ReleasingKatello#Signpackages
>>>>> This describes how to sign packages in Katello private Koji
>>>>> instance.
>>>>>
>>>>> tl;dr version
>>>>> Just sign those packages and:
>>>>>      koji -c ~/.koji/your-config import-sig *.rpm
>>>>> And they will appear as signed on koji.
>>>> I tried that, then I did koji write-signed-rpm, and now I have both
>>>> signed and unsigned RPMs in my packages directory. Then I did a
>>>> koji regen-repo and tried to do an install from the newly created
>>>> repo, but it's the unsigned package that got picked up. Is there
>>>> any way around that? -Mat
>>> you have to use mash to make a repo with the signed rpms
>>>
>>> Dennis
>> Is there no way for me to delete the old rpms and reimport them?
>> -Mat
> koji always keeps the unsigned rpms and the signature headers.  you can
> clean up the signed rpms but not the unsigned ones. koji always
> makes its repos with unsigned rpms. deleting and reimporting will get
> you to exactly the same place as you are now.
>
> Dennis
Actually, it looks like when the rpms are signed from the start, then 
the repos get made with the signed rpms -- at least that's what the 
behavior appears to be in koji 1.6.0. I just need to know what metadata 
to delete so that I don't get "Package does not match intended download" 
errors when I try to use those RPMs.

-Mat
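
An added example, not part of the thread or of koji: a pre-import check for the situation in the original question, reporting whether an RPM file carries an OpenPGP signature by reading the tag index of its signature header. The function names and the constructed sample bytes are assumptions made for illustration.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"      # start of the 96-byte RPM lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01"    # start of the signature header
LEAD_SIZE = 96
# Signature-header tags that hold an OpenPGP signature (digest tags excluded).
SIGNATURE_TAGS = {267: "DSAHEADER", 268: "RSAHEADER", 1002: "SIGPGP", 1005: "SIGGPG"}


def signature_tags(data: bytes) -> set:
    """Return names of OpenPGP signature tags in an RPM's signature header."""
    if len(data) < LEAD_SIZE + 16 or data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead")
    if data[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC:
        raise ValueError("signature header magic missing")
    # After the magic: 4 reserved bytes, index entry count, data store size.
    nindex, _hsize = struct.unpack(">II", data[LEAD_SIZE + 8:LEAD_SIZE + 16])
    index = data[LEAD_SIZE + 16:LEAD_SIZE + 16 + 16 * nindex]
    if len(index) != 16 * nindex:
        raise ValueError("truncated signature index")
    found = set()
    for i in range(nindex):
        # Each index entry is four big-endian 32-bit fields.
        tag, _type, _offset, _count = struct.unpack(">IIII", index[16 * i:16 * i + 16])
        if tag in SIGNATURE_TAGS:
            found.add(SIGNATURE_TAGS[tag])
    return found


def is_signed(data: bytes) -> bool:
    return bool(signature_tags(data))


def constructed_rpm_prefix(tags) -> bytes:
    """Constructed sample: a lead plus a signature index with the given tags."""
    lead = LEAD_MAGIC + b"\x00" * (LEAD_SIZE - 4)
    entries = b"".join(struct.pack(">IIII", t, 7, 0, 0) for t in tags)
    return lead + HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(tags), 0) + entries


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            # Lead, header preamble and index sit at the very start of the file.
            tags = signature_tags(fh.read(65536))
        print(path, "signed:" + ",".join(sorted(tags)) if tags else "UNSIGNED")
```

This reports only that a signature is present; checking it against the intended key is still a job for `rpm -K` with that key imported.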

