#5870: rawhide signing

Fedora Release Engineering rel-eng at fedoraproject.org
Thu Mar 20 08:03:22 UTC 2014


#5870: rawhide signing
------------------------------+-----------------------
  Reporter:  kevin            |      Owner:  rel-eng@…
      Type:  task             |     Status:  new
 Milestone:  Fedora 21 Final  |  Component:  koji
Resolution:                   |   Keywords:  meeting
Blocked By:                   |   Blocking:
------------------------------+-----------------------

Comment (by bochecha):

 For what it's worth, I've been working on something similar for $dayjob:
 https://github.com/network-box/kojihub-posttag-sign

 It's a Koji Hub plugin which will sign packages when they are tagged (the
 list of tags for which to sign packages is configurable).

 You can configure a "signing command", which in our case is just an ssh
 call to our signing server (it takes the content of the rpm as stdin, and
 returns the signed rpm on stdout).

 This way, neither the private key nor the passphrase is on the Koji Hub
 (they are only on our signing server, which is quite restricted).

 Of course, that might not work for Fedora anyway. After all, Fedora has
 some additional constraints that we don't, most importantly that the
 Fedora machines are publicly accessible. (Our stuff is all private to our
 internal network.)

-- 
Ticket URL: <https://fedorahosted.org/rel-eng/ticket/5870#comment:7>
Fedora Release Engineering <http://fedorahosted.org/rel-eng>
Release Engineering for the Fedora Project
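
The hub-side half of the arrangement described in the comment above, as an added example (not code from kojihub-posttag-sign or from the comment's author): the package is piped to a configurable signing command and the signed package is read back from stdout, so no key material is needed on the hub. The function and tag names, the constructed sample bytes, and the checks applied to the reply are assumptions of this sketch.

```python
import shlex
import subprocess

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"  # first four bytes of every RPM file
# Constructed sample: the magic plus filler, not a real package.
SAMPLE_RPM = RPM_LEAD_MAGIC + b"constructed-payload"


class SigningError(Exception):
    """The signing command failed or returned something that is not an RPM."""


def sign_if_tagged(tag, rpm_bytes, sign_tags, signing_command, timeout=60):
    """Return signed RPM bytes, or None when `tag` is not configured for signing.

    The hub holds neither key nor passphrase: it pipes the package to
    `signing_command` (e.g. an ssh call to the signing server) and reads
    the result back from stdout.
    """
    if tag not in sign_tags:
        return None
    if not rpm_bytes.startswith(RPM_LEAD_MAGIC):
        raise SigningError("input is not an RPM")
    # Run as an argv list, never through a shell, so the configured command
    # is not reinterpreted by /bin/sh.
    argv = shlex.split(signing_command)
    try:
        proc = subprocess.run(argv, input=rpm_bytes, stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        raise SigningError("signing command did not complete: %s" % exc)
    if proc.returncode != 0:
        raise SigningError("signing command exited with %d" % proc.returncode)
    # Do not trust the reply blindly: an empty or non-RPM reply must not
    # replace the package.
    if not proc.stdout.startswith(RPM_LEAD_MAGIC):
        raise SigningError("signing command did not return an RPM")
    return proc.stdout


if __name__ == "__main__":
    # `cat` stands in for the ssh call; "f21-signed" is a hypothetical tag.
    out = sign_if_tagged("f21-signed", SAMPLE_RPM, {"f21-signed"}, "cat")
    print("returned %d bytes" % len(out))
```

A production caller would additionally verify the returned package's signature against the expected public key before importing it.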

