On Wed, 2009-08-19 at 12:02 -0400, Mike McLean wrote:
> On 08/19/2009 05:08 AM, Greg Trahair wrote:
> > I'm using Koji in combination with Mash to create rpms, but at the
> > moment I'm not signing them and I need to start that now. I'm finding
> > it quite hard to find any way that the koji/mash combination can do this
> > without me having to create my own mechanism.
>
> Koji does not have an internal signing mechanism. It tracks signatures
> and can store differently signed copies of the same rpm efficiently, but
> it does not create signatures.
>
> If you import a signed rpm, koji will import the signature. You can
> import signatures for an rpm later by using the import-sig subcommand.
>
> The basic tool for signing rpms is rpm itself.
> http://docs.fedoraproject.org/drafts/rpm-guide-en/ch11s04.html
>
> To sign an rpm from koji, you should make a copy of the file, sign it
> with the appropriate rpm command, and import the signature. Fedora
> rel-eng has a script to help automate this. Note that you should not
> simply sign the file directly under /mnt/koji, as this causes an
> inconsistency between the filesystem and the database (hence the copy step).
>
> https://fedorahosted.org/rel-eng/browser/scripts/sign_unsigned.py

A recent project was started to create a secure signing server for doing
these types of operations: https://fedorahosted.org/sigul/

https://fedorahosted.org/rel-eng/browser/scripts/sigulsign_unsigned.py
has been written to use the sigul setup.

--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating

--
Fedora-buildsys-list mailing list
Fedora-buildsys-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-buildsys-list
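
The copy, sign, import-sig sequence described in the quoted reply above, as an added shell example that is not part of the thread and is not the rel-eng script. `KOJI_TOP`, `GPG_NAME` (a placeholder key name), `DRY_RUN` and the function names are assumptions of this sketch; it also assumes signing with `rpm --addsign` and the `_gpg_name` macro, and it refuses any work directory that resolves to a location inside the Koji tree.

```shell
#!/bin/sh
# Added example: sign a copy of a Koji-built rpm, never the file in the Koji tree.
# Assumptions: KOJI_TOP, GPG_NAME (placeholder key name) and DRY_RUN are this
# sketch's own settings; the gpg key is already set up for rpm signing.
KOJI_TOP="${KOJI_TOP:-/mnt/koji}"
GPG_NAME="${GPG_NAME:-PLACEHOLDER-KEY-NAME}"
DRY_RUN="${DRY_RUN:-1}"    # 1 = only print the commands

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# sign_copy SRC_RPM WORKDIR
# Returns 2 if WORKDIR is missing, 3 if it lies inside the Koji tree.
sign_copy() {
    src="$1"
    # Resolve symlinks and ".." so the guard sees the real location.
    work=$(cd "$2" 2>/dev/null && pwd -P) || {
        echo "no such work dir: $2" >&2; return 2; }
    top=$(cd "$KOJI_TOP" 2>/dev/null && pwd -P) || top="$KOJI_TOP"
    case "$work/" in
        "$top"/*) echo "refusing to sign under $top" >&2; return 3 ;;
    esac
    copy="$work/$(basename "$src")"
    run cp -p -- "$src" "$copy" || return 1        # the copy step
    run rpm --define "_gpg_name $GPG_NAME" --addsign "$copy" || return 1
    run rpm --checksig "$copy" || return 1         # verify before import
    run koji import-sig "$copy" || return 1        # record the signature in Koji
}

if [ "$#" -eq 2 ]; then sign_copy "$1" "$2"; fi
```

With the default `DRY_RUN=1` the script only prints the four commands; set `DRY_RUN=0` to execute them.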