New package gpg signature acceptance test (was Latest FC13 kernel rejected as unsigned)

Bill Nottingham notting at redhat.com
Fri Apr 9 15:00:52 UTC 2010


James Laska (jlaska at redhat.com) said: 
> On Fri, 2010-04-09 at 08:38 -0400, Bill Davidsen wrote:
> > The rpm kernel-2.6.33.1-19.fc13_2.6.33.1-24.fc13.x86_64.drpm downloaded, then it 
> > looks as if it created an rpm by applying the delta and decided the rpm wasn't 
> > signed? And there's also an rpm kernel-2.6.33.1-24.fc13.x86_64.rpm, which I 
> > assume is the rpm created by the delta.
> > 
> > Is this some download error, or is there another problem with unsigned packages 
> > getting into the repos? I did repeat the download, same CRC...
> 
> Seems worthy to add a package acceptance criteria to the Package Update
> Acceptance Criteria [1] similar to the following:
> 
>       * Packages must be signed with a valid Fedora GPG signature
> 
> I guess one could argue that the existing criteria "Packages must be
> able to install cleanly" would include valid signatures.  But it doesn't
> hurt to be specific here.  
> 
> Comments/concerns/ideas?

The process flow is:

1. package is built in koji
<any delay from maintainer>
2. update is submitted in bodhi
<delay until next push>
3. package is signed
<then nearly instantaneously>
4. package is pushed

The checks we've added in the criteria so far would almost all be done
between 1) and 2), or right after 2). Checking for signature doesn't
fit in at the same point in the workflow.

That being said, bodhi's supposed to bounce the packages if they aren't
signed.

Bill
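The gate Bill describes between steps 3 and 4 (bodhi bouncing anything that is not signed) can be reproduced locally by a tester who has a downloaded rpm, or the full rpm that deltarpm reconstructed from a .drpm, since the rebuilt file is byte-identical to the original and carries its signature header. The script below is an added example for this thread, not code from bodhi, koji or the Fedora test project; it classifies lines of `rpm -K` (`rpm --checksig`) output and accepts a set of packages only if every one has a signature that verifies. The output shapes it matches are assumptions about rpm 4.x: older releases print tokens such as `pgp`/`gpg`, newer ones print `digests signatures`, and any failure carries `NOT OK`. The sample lines in the block are constructed, including the placeholder key id.

```shell
#!/bin/sh
# Classify one line of `rpm -K` output (assumed rpm 4.x formats, see lead-in).
# Prints exactly one of: signed-ok | signed-bad | digest-bad | unsigned
classify_checksig_line() {
    line=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$line" in
        *"not ok"*)
            # A failure line: decide whether a signature was present at all.
            case "$line" in
                *pgp*|*gpg*|*signatures*) echo signed-bad ;;
                *) echo digest-bad ;;
            esac ;;
        *pgp*|*gpg*|*signatures*) echo signed-ok ;;   # signature present and verified
        *) echo unsigned ;;                           # digests only, no signature
    esac
}

# Read `rpm -K` output on stdin; return 0 only if every package is signed-ok.
# Offending lines go to stderr with the reason, mirroring a "bounce" decision.
gate_checksig_output() {
    bad=0
    while IFS= read -r l; do
        [ -z "$l" ] && continue
        verdict=$(classify_checksig_line "$l")
        if [ "$verdict" != signed-ok ]; then
            printf 'REJECT (%s): %s\n' "$verdict" "$l" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Convenience wrapper for real files; requires the Fedora key to be imported
# (rpm --import) so that a valid signature is not reported as MISSING KEYS.
check_rpm_files() {
    rpm -K "$@" 2>&1 | gate_checksig_output
}

# Constructed sample output (not captured from a real system): one signed
# package, one unsigned one, as the reporter in this thread observed.
sample_checksig_output() {
    printf '%s\n' \
        'kernel-2.6.33.1-19.fc13.x86_64.rpm: rsa sha1 (md5) pgp md5 OK' \
        'kernel-2.6.33.1-24.fc13.x86_64.rpm: sha1 md5 OK'
}

# Usage: sample_checksig_output | gate_checksig_output
# Or on real files: check_rpm_files /var/cache/yum/*/packages/*.rpm
```

The classification deliberately treats `MISSING KEYS` as `signed-bad` rather than `signed-ok`: a signature that cannot be verified is no evidence of provenance, so an acceptance check should fail closed until the key is imported.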
