#5870: rawhide signing
Fedora Release Engineering
rel-eng at fedoraproject.org
Thu Mar 20 08:03:22 UTC 2014
------------------------------+-----------------------
Reporter: kevin               | Owner: rel-eng@…
Type: task                    | Status: new
Milestone: Fedora 21 Final    | Component: koji
Resolution:                   | Keywords: meeting
Blocked By:                   | Blocking:
------------------------------+-----------------------
Comment (by bochecha):
For what it's worth, I've been working on something similar for $dayjob:
https://github.com/network-box/kojihub-posttag-sign
It's a Koji Hub plugin which will sign packages when they are tagged. (the
list of tags for which to sign packages is configurable).
You can configure a "signing command", which in our case is just a ssh
call to our signing server (it takes the content of the rpm as stdin, and
returns the signed rpm on stdout).
This way, neither the private key nor the passphrase is on the Koji Hub
(they are only on our signing server, which is quite restricted).
Of course, that might not work for Fedora anyway. After all, Fedora has
some additional constraints that we don't, most importantly that the
Fedora machines are publicly accessible. (our stuff is all private to our
internal network)
--
Ticket URL: <https://fedorahosted.org/rel-eng/ticket/5870#comment:7>
Fedora Release Engineering <http://fedorahosted.org/rel-eng>
Release Engineering for the Fedora Project
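
The stdin-to-stdout signing command described in the comment above, sketched as an added example; it is not code from kojihub-posttag-sign or from the ticket. It goes one step beyond the comment by having the caller check that only the RPM signature header differs between what it sent and what the signer returned. The names `sign_rpm`, `body_after_signature` and `make_sample_rpm` are hypothetical, and `signing_command` is assumed to be an argv list (in the setup described, an ssh call to the signing server).

```python
import struct
import subprocess

LEAD_SIZE = 96                      # fixed-size RPM lead
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # starts the signature header


class SigningError(Exception):
    """The signing command failed or returned something unusable."""


def body_after_signature(rpm):
    """Return everything after the signature header (main header + payload)."""
    intro = rpm[LEAD_SIZE:LEAD_SIZE + 16]
    if rpm[:4] != LEAD_MAGIC or len(intro) < 16 or intro[:4] != HEADER_MAGIC:
        raise SigningError("not an RPM")
    nindex, hsize = struct.unpack(">II", intro[8:])
    end = LEAD_SIZE + 16 + 16 * nindex + hsize
    end += -end % 8                 # signature header is padded to 8 bytes
    if end > len(rpm):
        raise SigningError("truncated RPM")
    return rpm[end:]


def sign_rpm(rpm, signing_command, timeout=60):
    """Pipe an RPM through signing_command (argv list): stdin in, stdout out."""
    original_body = body_after_signature(rpm)
    try:
        proc = subprocess.run(signing_command, input=rpm,
                              capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        raise SigningError(f"signing command did not complete: {exc}") from exc
    if proc.returncode != 0:
        raise SigningError(f"signing command exited with {proc.returncode}")
    # Only the signature header may differ between input and output.
    if body_after_signature(proc.stdout) != original_body:
        raise SigningError("signer returned different package contents")
    return proc.stdout


def make_sample_rpm(sig_data, body):
    """Constructed RPM-shaped blob for testing: lead + signature header + body."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    sig = HEADER_MAGIC + bytes(4) + struct.pack(">II", 0, len(sig_data)) + sig_data
    return lead + sig + bytes(-len(sig) % 8) + body
```

The body comparison only shows that the signer left the package contents alone; verifying the signature itself against the public key is a separate step.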