On Wednesday 11 November 2009 07:15:36 am Josh Boyer wrote: > On Tue, Nov 10, 2009 at 11:24:50PM -0800, Jitesh Shah wrote: > >So, I picked up the sign_unsigned.py script from releng. I replaced the > > keys in there with our keys, tweaked some minor stuff here and there and > > managed to get it running. I use it as > >"./sign_unsigned.py --level <level> <tag-name>" > >and it runs alright. I can see that the signatures are cached under the > > sigcache directory (but NOT embedded in the rpms themselves, which makes > > sense since the rpm can probably be a part of different tags and might be > > signed differently within each tag) > > > >So, I thought, well, mash would be the one which'll embed the keys in the > > rpms. So, I set strict_keys to True.. added my key to the keys list in my > > .mash file. mash has no problems with the rpms and it can verify the > > signatures alright. But, it still doesn't embed the signatures in the rpm > > (is it supposed to?). So, the created repository still has all rpms > > unsigned. > > > >What am I missing here? where to the rpms get signed actually? > > The sign_unsigned script should eventually do a koji API call to do > 'write-signed-rpm' on the packages you are signing. That will assemble > signed RPMs in koji itself, which mash will download and used. > > Fedora Rel-Eng doesn't use sign_unsigned anymore because we have a signing > server setup now. However, it should still work. it still works. EPEL releng still uses it. you need to make sure to add -- write-rpms to you command. the signed rpms will then get written.
Dennis
signature.asc
Description: This is a digitally signed message part.
-- Fedora-buildsys-list mailing list Fedora-buildsys-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-buildsys-list
