Should Fedora rpms be signed?

Matias Féliciano feliciano.matias at free.fr
Fri Oct 29 23:11:59 UTC 2004


On Friday 29 October 2004 at 16:33 -0600, Rodolfo J. Paiz wrote:
> On Fri, 2004-10-29 at 22:56 +0200, Matias Féliciano wrote:
> > But I don't think it's easier to sign a repository than all the packages.
> > 
> > For signing a repository, one command line would be used [...]
> > For signing all packages, one command line would be used [...]
> > 
> > If Red Hat can use one of these methods, they can easily do both (it
> > seems).
> 
> Your logic is seriously flawed. The repository is created once, and
> updated on a specific and regular schedule. The entire repository
> metadata is signed at one time and in a predictable fashion.
> 
> Precisely the problem which has been pointed out about signing every
> package is that there is no one around at the particular time when a few
> packages are finally ready, and it is those that do not get signed. But
> all packages are finished at different times, so it is impractical to
> suggest that all packages can be signed together with a single command.
> 

Since rawhide has some unsigned packages, I like to know which packages
are not signed, and I sign them with my key (so yum always has
"gpgcheck=1"):
I mirror rawhide in the i386 directory with rsync, and then I sign the
packages that lack a gpg signature.
Note, I don't sign (that is, change) any package in the i386 directory
(rsync does not like this).

add_sign.sh (an ugly personal script):
#!/bin/bash
# Work from the rsync mirror; nothing in i386 is ever modified.
cd i386 || exit 1
# Copy packages that are new (no file or link in i386_s yet) and that
# "rpm -K" reports as digest-only ("md5 OK" without "gpg OK") to i386_s,
# then sign the copies there with a single "rpm --addsign".
find *.rpm -not -exec test -f ../i386_s/{} \; -print0 | xargs -0 rpm -K | grep "md5 OK$" | sed -n -e "s/:.*$//p" | xargs -I{} bash -c "cp '{}' ../i386_s ; echo '{}'" | ( cd ../i386_s/ ; xargs rpm --addsign )
# Remove packages (signed copies or links) that no longer exist in i386.
cd ../i386_s
find *.rpm -not -exec test -f ../i386/{} \; -print0 | xargs -0 rm -f
# Add symbolic links from i386_s to the already-signed packages in i386.
cd ../i386
find *.rpm -not -exec test -f ../i386_s/{} \; -printf "../i386/%f\0" | xargs -0 ln -s -v --target-directory=../i386_s

In i386_s, I have something like:
lrwxrwxrwx  1 admin   admin       31 oct 22 16:22 indent-2.2.9-6.i386.rpm -> ../i386/indent-2.2.9-6.i386.rpm
lrwxrwxrwx  1 admin   admin       33 oct 22 16:22 inews-2.3.5-11.1.i386.rpm -> ../i386/inews-2.3.5-11.1.i386.rpm
lrwxrwxrwx  1 admin   admin       27 oct 22 16:22 info-4.7-5.i386.rpm -> ../i386/info-4.7-5.i386.rpm
-rw-rw-r--  1 admin   admin  1078855 oct 28 18:46 initscripts-7.93.2-1.i386.rpm
lrwxrwxrwx  1 admin   admin       31 oct 22 16:22 inn-2.3.5-11.1.i386.rpm -> ../i386/inn-2.3.5-11.1.i386.rpm
lrwxrwxrwx  1 admin   admin       37 oct 22 16:22 inn-devel-2.3.5-11.1.i386.rpm -> ../i386/inn-devel-2.3.5-11.1.i386.rpm

Then I run createrepo in this directory.
I use ONE "rpm --addsign".

Since, as you pointed out, the repository is signed ONE time (per day :-)),
at the moment when the repository is ready to be signed, ALL unsigned
packages are available (I mean, ready to be signed).
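As an added example (not part of the original post or the script above), a small shell helper that makes the same decision as the `grep "md5 OK$"` in add_sign.sh, but also reports packages whose digest or signature check FAILED, which that grep silently skips rather than signing or flagging. It assumes the rpm 4.x `rpm -K` line shape "<file>: <checks> OK" / "<file>: <CHECKS> NOT OK (reason)"; the sample lines and the key id in them are constructed.

```shell
#!/bin/bash
# Classify one line of "rpm -K" output (assumed rpm 4.x format; constructed
# example, not from the original post). rpm prints the checks that passed
# in lower case, the ones that failed in UPPER case, and ends the line
# with "OK" or "NOT OK". A present, valid signature shows as "gpg OK"
# (older keys: "pgp OK"); a digest-only line ends in "md5 OK"/"sha1 OK".
classify_rpm_k_line() {
    local line="$1"
    local checks="${line#*: }"                 # drop the "<file>: " prefix
    case "$checks" in
        *"NOT OK"*)            echo bad ;;      # digest/signature failed or key missing
        *" gpg OK"|*" pgp OK") echo signed ;;   # signature present and verified
        *"md5 OK"|*"sha1 OK")  echo unsigned ;; # digests only: candidate for --addsign
        *)                     echo unknown ;;
    esac
}

# Print the file names of digest-only (unsigned) packages, reading
# "rpm -K" output on stdin; this is what add_sign.sh feeds to --addsign.
unsigned_from_rpm_k() {
    local line
    while IFS= read -r line; do
        if [ "$(classify_rpm_k_line "$line")" = unsigned ]; then
            printf '%s\n' "${line%%:*}"
        fi
    done
}

# Print packages that are neither signed nor digest-only, so the mirror
# admin can investigate them instead of letting them drop out of the repo.
bad_from_rpm_k() {
    local line
    while IFS= read -r line; do
        if [ "$(classify_rpm_k_line "$line")" = bad ]; then
            printf '%s\n' "${line%%:*}"
        fi
    done
}

# Constructed sample "rpm -K" output (placeholder key id, not a real key).
SAMPLE='indent-2.2.9-6.i386.rpm: (sha1) dsa sha1 md5 gpg OK
initscripts-7.93.2-1.i386.rpm: sha1 md5 OK
broken-1.0-1.i386.rpm: SHA1 MD5 NOT OK
foreign-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0123abcd)'

printf '%s\n' "$SAMPLE" | unsigned_from_rpm_k   # initscripts only
printf '%s\n' "$SAMPLE" | bad_from_rpm_k        # broken and foreign
```

In the real script the input would be `find ... | xargs -0 rpm -K` instead of the constructed sample, and anything `bad_from_rpm_k` prints deserves a look before createrepo runs.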