Re: Signing RPMs

2009-11-11 Thread Dennis Gilmore
On Wednesday 11 November 2009 07:15:36 am Josh Boyer wrote:
 On Tue, Nov 10, 2009 at 11:24:50PM -0800, Jitesh Shah wrote:
 So, I picked up the sign_unsigned.py script from releng. I replaced the
  keys in there with our keys, tweaked some minor stuff here and there and
  managed to get it running. I use it as
 ./sign_unsigned.py --level level tag-name
 and it runs alright. I can see that the signatures are cached under the
  sigcache directory (but NOT embedded in the rpms themselves, which makes
  sense since the rpm can probably be a part of different tags and might be
  signed differently within each tag)
 
 So, I thought, well, mash would be the one which'll embed the keys in the
  rpms. So, I set strict_keys to True.. added my key to the keys list in my
  .mash file. mash has no problems with the rpms and it can verify the
  signatures alright. But, it still doesn't embed the signatures in the rpm
  (is it supposed to?). So, the created repository still has all rpms
  unsigned.
 
 What am I missing here? where do the rpms get signed actually?
 
 The sign_unsigned script should eventually do a koji API call to do
 'write-signed-rpm' on the packages you are signing.  That will assemble
  signed RPMs in koji itself, which mash will download and use.
 
 Fedora Rel-Eng doesn't use sign_unsigned anymore because we have a signing
 server setup now.  However, it should still work.
it still works. EPEL releng still uses it. you need to make sure to add
--write-rpms to your command. the signed rpms will then get written.

Dennis


--
Fedora-buildsys-list mailing list
Fedora-buildsys-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-buildsys-list

Re: Signing RPMs

2009-11-11 Thread Jitesh Shah
..snip..
  
  The sign_unsigned script should eventually do a koji API call to do
  'write-signed-rpm' on the packages you are signing.  That will assemble
   signed RPMs in koji itself, which mash will download and use.
  
  Fedora Rel-Eng doesn't use sign_unsigned anymore because we have a signing
  server setup now.  However, it should still work.
 it still works. EPEL releng still uses it. you need to make sure to add
 --write-rpms to your command. the signed rpms will then get written.

Nice! that was what I was missing! The signed rpms are now being written
in the 'signed' directory. 

Thank you Dennis and Josh.


 
 Dennis


Jitesh



mock-0.9.19 on CentOS5/RHEL5

2009-11-11 Thread Florian La Roche
Hello,

if you want to run the newest version of mock (0.9.19)
with RHEL5/CentOS5, you can use a backported version from:

http://www.jur-linux.org/rpms/el-updates/5/SRPMS/mock-0.9.19-1.el5.src.rpm
http://www.jur-linux.org/rpms/el-updates/5/i386/mock-0.9.19-1.el5.noarch.rpm

regards,

Florian La Roche



Re: Signing RPMs

2009-11-11 Thread Jitesh Shah
..snip..
 
 I too have wanted to get this to work.
 
 I expect I have my key definition wrong, traceback below.
 
 I have,
 self.gpg_keys = {
 '89D891FB': { 'name': 'oatrelease',
   'description': 'EGEE SA1 (Operations
 Automation Team) egee3-operations-automation-disc...@cern.ch',
   }}
 
 with
 
 $ gpg --list-keys
 /home/sign/.gnupg/pubring.gpg
 -
 pub   1024D/47EBAC2B 2009-11-11 [expires: 2019-11-09]
 uid  EGEE SA1 (Operations Automation Team)
 egee3-operations-automation-disc...@cern.ch
 sub   2048g/89D891FB 2009-11-11 [expires: 2019-11-09]

Steve, you are using the subkey. You probably want to use the master
signing key i.e. the one listed under pub (47EBAC2B in your case)

Jitesh

 
 
 
 
 Traceback (most recent call last):
   File "./sign_unsigned.py", line 734, in <module>
     x.run_command()
   File "./sign_unsigned.py", line 285, in run_command
     cmd()
   File "./sign_unsigned.py", line 728, in cmd_default
     self.sign_to_cache(uncached, self.options.level)
   File "./sign_unsigned.py", line 638, in sign_to_cache
     self.do_signing(pkglist, level)
   File "./sign_unsigned.py", line 601, in do_signing
     cmd = self.get_signing_command(level, mypaths[:nlen],
 server=self.options.server)
   File "./sign_unsigned.py", line 587, in get_signing_command
     if self.gpg_keys[keyid]['size'] == 4096:
 KeyError: None
 
 
 
 
 
 
 
  Dennis
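
Added example, not part of the thread and not code from sign_unsigned.py: a pre-flight check that compares the key IDs configured in a gpg_keys dictionary against a `gpg --list-keys` listing and reports any that are subkeys rather than the primary (pub) key, the mix-up pointed out in the last reply. The function names are hypothetical, and the parser assumes the classic short-ID listing format shown in the thread.

```python
import re

# Constructed sample: the pub/sub lines of the listing quoted in the thread
# (classic `gpg --list-keys` text format, uid lines omitted).
SAMPLE_LISTING = """\
pub   1024D/47EBAC2B 2009-11-11 [expires: 2019-11-09]
sub   2048g/89D891FB 2009-11-11 [expires: 2019-11-09]
"""

# Algorithm letters in this format: R = RSA, D = DSA, g = Elgamal (encrypt-only).
SIGN_CAPABLE = {"R", "D"}
KEY_LINE = re.compile(r"^(pub|sub)\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8})\b")


def parse_listing(text):
    """Map short key ID -> {'kind': 'pub'|'sub', 'size': int, 'algo': str}."""
    keys = {}
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            kind, size, algo, keyid = m.groups()
            keys[keyid.upper()] = {"kind": kind, "size": int(size), "algo": algo}
    return keys


def check_configured_keys(gpg_keys, listing):
    """Return {keyid: problem} for configured IDs unsuitable for signing."""
    known = parse_listing(listing)
    problems = {}
    for keyid in gpg_keys:
        info = known.get(keyid.upper())
        if info is None:
            problems[keyid] = "not in keyring"
        elif info["kind"] == "sub":
            problems[keyid] = "subkey, use the primary (pub) key ID"
        elif info["algo"] not in SIGN_CAPABLE:
            problems[keyid] = "algorithm cannot sign"
    return problems


if __name__ == "__main__":
    configured = {"89D891FB": {"name": "oatrelease"}}  # key ID as posted in the thread
    for keyid, why in check_configured_keys(configured, SAMPLE_LISTING).items():
        print(f"{keyid}: {why}")
```
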