Koji and Signing RPMS
Jesse Keating
jkeating at redhat.com
Wed Aug 19 17:52:01 UTC 2009

On Wed, 2009-08-19 at 12:02 -0400, Mike McLean wrote:
> On 08/19/2009 05:08 AM, Greg Trahair wrote:
> > I'm using Koji in combination with Mash to create rpms, but at the
> > moment I'm not signing them and I need to start that now. I'm finding
> > it quite hard to find any way that the koji/mash combination can do this
> > without me having to create my own mechanism.
>
> Koji does not have an internal signing mechanism. It tracks signatures
> and can store differently signed copies of the same rpm efficiently, but
> it does not create signatures.
>
> If you import a signed rpm, koji will import the signature. You can
> import signatures for an rpm later by using the import-sig subcommand.
>
> The basic tool for signing rpms is rpm itself.
> http://docs.fedoraproject.org/drafts/rpm-guide-en/ch11s04.html
>
> To sign an rpm from koji, you should make a copy of the file, sign it
> with the appropriate rpm command, and import the signature. Fedora
> rel-eng has a script to help automate this. Note that you should not
> simply sign the file directly under /mnt/koji, as this causes an
> inconsistency between the filesystem and the database (hence the copy step).
>
> https://fedorahosted.org/rel-eng/browser/scripts/sign_unsigned.py

A recent project was started to create a secure signing server for doing
these types of operations: https://fedorahosted.org/sigul/
https://fedorahosted.org/rel-eng/browser/scripts/sigulsign_unsigned.py
has been written to use the sigul setup.
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
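
The copy, sign, import-sig sequence described in the quoted reply, as an added example (not part of the original message and not taken from the rel-eng scripts). The function name is hypothetical; it assumes a GPG key name already set up for rpm signing and a koji client allowed to import signatures.

```bash
#!/bin/bash
# Added example: sign a private copy of an rpm and import only its signature
# into koji, leaving the file under /mnt/koji untouched.

# sign_copy_and_import <path-to-rpm> <gpg-key-name>   (hypothetical helper)
sign_copy_and_import() {
    local src="$1" key_name="$2" workdir copy before after

    # Validate input before touching anything.
    [ -f "$src" ] || { echo "not a file: $src" >&2; return 2; }
    case "$src" in *.rpm) ;; *) echo "not an rpm: $src" >&2; return 2 ;; esac
    [ -n "$key_name" ] || { echo "missing key name" >&2; return 2; }

    # Checksum the original so we can confirm it was never modified.
    before=$(sha256sum < "$src")

    # The copy step: work in a private temp dir, never in the koji tree.
    workdir=$(mktemp -d) || return 1
    copy="$workdir/$(basename "$src")"
    cp -- "$src" "$copy" || { rm -rf "$workdir"; return 1; }

    # Sign the copy with rpm; _gpg_name selects the signing key.
    if ! rpm --define "_gpg_name $key_name" --addsign "$copy"; then
        rm -rf "$workdir"; return 1
    fi

    # Hand the signed copy to koji, which records the signature for the
    # rpm it already tracks.
    if ! koji import-sig "$copy"; then
        rm -rf "$workdir"; return 1
    fi
    rm -rf "$workdir"

    # Fail loudly if the original on disk no longer matches.
    after=$(sha256sum < "$src")
    [ "$before" = "$after" ] || { echo "original changed: $src" >&2; return 3; }
}
```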