Koji and Signing RPMS

Jesse Keating jkeating at redhat.com
Wed Aug 19 17:52:01 UTC 2009


On Wed, 2009-08-19 at 12:02 -0400, Mike McLean wrote:
> On 08/19/2009 05:08 AM, Greg Trahair wrote:
> > I'm using Koji in combination with Mash to create rpms, but at the
> > moment I'm not signing them and I need to start that now.  I'm finding
> > it quite hard to find any way that the koji/mash combination can do this
> > without me having to create my own mechanism.
> 
> Koji does not have an internal signing mechanism. It tracks signatures 
> and can store differently signed copies of the same rpm efficiently, but 
> it does not create signatures.
> 
> If you import a signed rpm, koji will import the signature. You can 
> import signatures for an rpm later by using the import-sig subcommand.
> 
> The basic tool for signing rpms is rpm itself.
> http://docs.fedoraproject.org/drafts/rpm-guide-en/ch11s04.html
> 
> To sign an rpm from koji, you should make a copy of the file, sign it 
> with the appropriate rpm command, and import the signature. Fedora 
> rel-eng has a script to help automate this. Note that you should not 
> simply sign the file directly under /mnt/koji, as this causes an 
> inconsistency between the filesystem and the database (hence the copy step).
> 
> https://fedorahosted.org/rel-eng/browser/scripts/sign_unsigned.py

A recent project was started to create a secure signing server for doing
these types of operations: https://fedorahosted.org/sigul/

https://fedorahosted.org/rel-eng/browser/scripts/sigulsign_unsigned.py
has been written to use the sigul setup.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
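
The copy, sign, import-sig procedure described in the quoted reply above, as an added shell example that is not part of the original thread and is not the rel-eng script. The function name, its return codes, the caller-supplied key name and the temporary work directory are assumptions; the commands used are `rpm --addsign`, `rpm --checksig` and `koji import-sig`.

```shell
#!/bin/sh
# Added example. rpm and koji must be on PATH; the key name is caller-supplied.
# Usage: sign_copy_and_import <rpm file under /mnt/koji> "<GPG key name>"
sign_copy_and_import() {
    src=$1
    key=$2
    [ -f "$src" ] || { echo "no such rpm: $src" >&2; return 2; }

    # Digest of the Koji-managed file, to prove later that it was not touched.
    before=$(sha256sum "$src" | cut -d' ' -f1)

    work=$(mktemp -d) || return 1
    copy="$work/$(basename "$src")"
    cp -p "$src" "$copy" || { rm -rf "$work"; return 1; }

    # Sign the copy, never the file under /mnt/koji.
    if ! rpm --define "_gpg_name $key" --addsign "$copy"; then
        rm -rf "$work"; return 1
    fi

    # A copy that is byte-identical after signing carries no new signature.
    if [ "$(sha256sum "$copy" | cut -d' ' -f1)" = "$before" ]; then
        echo "copy unchanged after signing: $copy" >&2
        rm -rf "$work"; return 3
    fi

    # Check the signature before handing it to Koji (needs the public key
    # imported into the rpm database).
    if ! rpm --checksig "$copy" >/dev/null; then
        rm -rf "$work"; return 1
    fi

    # Koji stores the signature header; the tracked file stays as built.
    if ! koji import-sig "$copy"; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"

    # The original under the Koji tree must still match its earlier digest.
    now=$(sha256sum "$src" | cut -d' ' -f1)
    [ "$now" = "$before" ] || { echo "original modified: $src" >&2; return 4; }
    return 0
}
```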