Hi Jesse! Just want to mention that sigul might be a bit too much effort for a private (or even corporate) koji setup...

-of

On 14.12.2010 19:17, Jesse Keating wrote:
> On 12/13/10 9:54 PM, Allen Hewes wrote:
>>
>>>
>>> Hi Allen!
>>>
>>> You might want to look at the following post:
>>>
>>> http://www.mail-archive.com/[email protected]/msg02187.html
>>>
>>> -of
>>
>> Hi Oliver,
>>
>> Thanks for the link. I had not come across this thread.
>>
>> It would appear that currently there isn't any method to sign RPMs
>> within koji or mash. You can import prebuilt RPMs with signatures
>> into Koji. I don't know much about importing RPMs into koji because I
>> haven't had a need.
>>
>> Do the Fedora guys use the sign_unsigned.py script for the official
>> Fedora yum repos? If so, how do they use mash? Because it looks to me
>> that if you use this script, it does one of the steps mash does:
>> fetching RPMs out of koji tags.
>>
>> I would have guessed that the Fedora guys generate their yum repos
>> via mash from koji tags and then sign RPMs.
>>
>> I'd have to modify this script to suit my needs, but I think I could
>> do it. It also looks like it relies on a newer version of RPM; the
>> rpm command for key size == 4096 is one spot I noticed.
>>
>> Also, I have to enter a passphrase when I sign my RPMs, but this
>> script doesn't have any provisions for that. Is there a way to make
>> rpm --resign not prompt for a passphrase?
>>
>> Has there been any talk about adding RPM signing to mash? It seems
>> like that'd be a good place for it.
>>
>
> I think there is some confusion here. sign_unsigned.py was our old
> tool. I wrote a new one when we started using the sigul secure signing
> backend.
> https://fedorahosted.org/rel-eng/browser/scripts/sigulsign_unsigned.py
>
> This client interacts with the sigul bridge, which then interacts with
> the sigul server to actually rpmsign the files. Then the signed headers
> get imported into koji, and we ask koji to write out a set of the rpms
> with the signed headers. It's these signed copies that mash would fetch
> (if so configured).
>
> Because we do composes in automated or semi-automated fashion, and often
> these composes re-use many existing packages, it doesn't make sense to
> mash and then some hours later come back to punch in a passphrase to
> (re)sign a ton of rpms. We sign and store them in koji so that they can
> be fetched later by automated tools.
>
-- 
buildsys mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/buildsys
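The recurring step in the thread above is deciding which RPMs still need a signature from the release key before anything is handed to the signing backend (sign_unsigned.py and sigulsign_unsigned.py both start there, the latter by asking koji's own signature records). The following is an added example, not code from this thread, from koji, or from sigulsign_unsigned.py: it reads the RPM lead and signature header straight from the file bytes and reports which OpenPGP key ID issued each signature, so a script can flag packages on disk that lack a signature from the expected key. It only checks presence, never validity; verifying a signature against an imported public key is what `rpm -K` is for. The sample RPM bytes and the key ID 1234567890ABCDEF are constructed for the example and are not a real package or a real Fedora key.

```python
import struct

# Layout constants from rpm's rpmlead.h / rpmtag.h (real values, not assumptions).
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
FIXED_SIZE = {0: 1, 1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # NULL, CHAR, INT8, INT16, INT32, INT64
RPM_STRING, RPM_BIN = 6, 7
RPMSIGTAG_SIZE, RPMSIGTAG_MD5, RPMSIGTAG_SHA1 = 1000, 1004, 269
SIG_TAGS = {  # signature-header tags whose value is an OpenPGP signature packet
    268: "RSA header",           # RPMSIGTAG_RSA (written by rpmsign --addsign)
    267: "DSA header",           # RPMSIGTAG_DSA
    1002: "RSA header+payload",  # RPMSIGTAG_PGP
    1005: "DSA header+payload",  # RPMSIGTAG_GPG
}
SAMPLE_KEYID = "1234567890ABCDEF"  # constructed for the example, not a real signing key


def parse_header(buf, off):
    """Parse one RPM header structure at buf[off:]; return ({tag: raw bytes}, end offset)."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("no header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    index, store = off + 16, off + 16 + 16 * nindex
    if store + hsize > len(buf):
        raise ValueError("truncated header")
    entries = {}
    for i in range(nindex):
        tag, typ, doff, count = struct.unpack(">IIII", buf[index + 16 * i:index + 16 * i + 16])
        start = end = store + doff
        if typ in FIXED_SIZE:
            end += FIXED_SIZE[typ] * count
        elif typ == RPM_BIN:
            end += count
        elif typ in (RPM_STRING, 8, 9):  # STRING has count 1; the array types hold `count` strings
            for _ in range(1 if typ == RPM_STRING else count):
                end = buf.index(b"\0", end) + 1
        else:
            raise ValueError("unknown tag type %d" % typ)
        entries[tag] = buf[start:end]
    return entries, store + hsize


def _issuer_subpacket(sub):
    """Walk RFC 4880 signature subpackets; return the Issuer (type 16) key ID as hex, or None."""
    i = 0
    while i < len(sub):
        first = sub[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + sub[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", sub[i + 1:i + 5])[0], i + 5
        if (sub[i] & 0x7F) == 16 and length == 9:   # type byte + 8-byte key ID
            return sub[i + 1:i + 9].hex().upper()
        i += length
    return None


def pgp_issuer_keyid(pkt):
    """Issuer key ID of an old-format OpenPGP signature packet (v3 or v4), as gpg/rpmsign emit."""
    if (pkt[0] & 0xC0) != 0x80 or ((pkt[0] >> 2) & 0x0F) != 2:
        raise ValueError("not an old-format signature packet")
    ltype = pkt[0] & 0x03
    if ltype == 0:
        body = pkt[2:2 + pkt[1]]
    elif ltype == 1:
        body = pkt[3:3 + struct.unpack(">H", pkt[1:3])[0]]
    elif ltype == 2:
        body = pkt[5:5 + struct.unpack(">I", pkt[1:5])[0]]
    else:
        raise ValueError("indeterminate packet length")
    if body[0] == 3:   # v3: version, hashed len, sigtype, time(4), key ID(8), ...
        return body[7:15].hex().upper()
    if body[0] != 4:
        raise ValueError("unsupported signature version %d" % body[0])
    pos = 4            # v4: version, sigtype, pk alg, hash alg, then hashed + unhashed areas
    for _ in range(2):
        sp_len = struct.unpack(">H", body[pos:pos + 2])[0]
        keyid = _issuer_subpacket(body[pos + 2:pos + 2 + sp_len])
        if keyid:
            return keyid
        pos += 2 + sp_len
    return None


def rpm_signatures(data):
    """Map each OpenPGP signature in the signature header to its issuer key ID; {} means unsigned.
    Presence is not validity: verify with `rpm -K` against an imported public key."""
    if data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM file")
    sig, _ = parse_header(data, RPM_LEAD_SIZE)
    return {name: pgp_issuer_keyid(sig[tag]) for tag, name in SIG_TAGS.items() if tag in sig}


def unsigned_by(rpms, keyid):
    """Names in {name: file bytes} lacking a signature from `keyid`, i.e. what a
    sign_unsigned-style script would hand to the signing backend."""
    keyid = keyid.upper()
    return sorted(n for n, d in rpms.items() if keyid not in rpm_signatures(d).values())


def _header(entries):
    """Assemble a constructed header structure from [(tag, type, raw, count)]."""
    index = store = b""
    for tag, typ, raw, count in entries:
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += raw
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store)) + index + store


def _v4_signature(keyid_hex):
    """Minimal constructed v4 RSA/SHA-256 signature packet; issuer in the unhashed area as gpg writes it."""
    hashed = b"\x05\x02\x4d\x07\x0c\x00"               # subpacket 2: creation time
    unhashed = b"\x09\x10" + bytes.fromhex(keyid_hex)  # subpacket 16: issuer key ID
    body = (bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xab\xcd\x00\x10\xff\xff")  # left16 + stub MPI
    return bytes([0x88, len(body)]) + body


def constructed_rpm(signed):
    """Constructed (not real) RPM: lead, signature header, 8-byte padding, stub main header."""
    lead = (RPM_LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)
            + b"sample-1.0-1".ljust(66, b"\0") + struct.pack(">HH", 1, 5) + b"\0" * 16)
    sig_entries = [(RPMSIGTAG_SIZE, 4, struct.pack(">I", 64), 1),
                   (RPMSIGTAG_SHA1, RPM_STRING, b"0" * 40 + b"\0", 1),
                   (RPMSIGTAG_MD5, RPM_BIN, b"\x11" * 16, 16)]
    if signed:
        pkt = _v4_signature(SAMPLE_KEYID)
        sig_entries += [(268, RPM_BIN, pkt, len(pkt)), (1002, RPM_BIN, pkt, len(pkt))]
    sig = _header(sig_entries)
    sig += b"\0" * (-len(sig) % 8)  # rpm pads the signature header to an 8-byte boundary
    return lead + sig + _header([(1000, RPM_STRING, b"sample\0", 1)])  # RPMTAG_NAME


if __name__ == "__main__":
    pool = {"signed.rpm": constructed_rpm(True), "unsigned.rpm": constructed_rpm(False)}
    for name, blob in pool.items():
        print(name, rpm_signatures(blob) or "UNSIGNED")
    print("needs signing:", unsigned_by(pool, SAMPLE_KEYID))
```

Feeding it real files is just `rpm_signatures(open(path, "rb").read())`. Two caveats a practitioner should keep in mind: a package signed with last release's key shows up as signed here but still belongs in `unsigned_by(..., current_key)`, which is why the check is keyed on the expected key ID rather than on "any signature"; and koji's signed copies written out with the imported headers are the ones mash should be pointed at, so run a check like this on what mash will actually fetch, not on the unsigned originals in the build tree.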
