#5870: rawhide signing

[Fedora Release Engineering]

#5870: rawhide signing
-----------------------------+------------------------
 Reporter:  kevin            |       Owner:  rel-eng@…
     Type:  task             |      Status:  new
Milestone:  Fedora 21 Final  |   Component:  koji
 Keywords:  meeting          |  Blocked By:
 Blocking:                   |
-----------------------------+------------------------
 We have talked a number of times about getting rawhide packages signed,
 but haven't been able to come up with a solution that is secure and meets
 our needs. We should try and do so. :)

 This came up again today because gnome-software has different code paths
 for signed/unsigned content and they would very much like rawhide to be
 signed so it tests the same code as for stable releases.

 * There is a koji plugin to sign all builds, but it's not implemented in a
 very nice way and stores it's keys/passphrases in clear text files on the
 hub.

 * Manually signing with sigul could be done, but since there's no gating,
 it would mean either large amounts of packages would go out unsigned or
 composes would fail for unsigned packages often.

 * Additional space would be taken up by more signed rpms/signatures.

 * Any solution we come up with could possibly be also used by copr, which
 also wishes to sign builds in an unattended manner.

 Ideas welcome. ;)

-- 
Ticket URL: <https://fedorahosted.org/rel-eng/ticket/5870>
Fedora Release Engineering <http://fedorahosted.org/rel-eng>
Release Engineering for the Fedora Project