Re: Signing RPMs

2009-11-12 Thread Jesse Keating
On Thu, 2009-11-12 at 09:38 +0100, Steve Traylen wrote:
> The full edited script is here
> 
> http://cern.ch/steve.traylen/tmp/oat-sign_unsigned.py
> 
> is there something else I need to change? 

The traceback is looking in the dict of your key for a size, as gpg keys
can come in many sizes and shapes, the script acts differently depending
on the size of the key.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating


--
Fedora-buildsys-list mailing list
Fedora-buildsys-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-buildsys-list

Re: Signing RPMs

2009-11-12 Thread Steve Traylen
On Thu, Nov 12, 2009 at 8:10 AM, Jitesh Shah  wrote:
> ..snip..
>>
>> I to have wanted to get this to work.
>>
>> I expect I have my key definition wrong, traceback below.
>>
>> I have,
>>         self.gpg_keys = {
>>             '89D891FB': { 'name': 'oatrelease',
>>                           'description': 'EGEE SA1 (Operations
>> Automation Team) ',
>>                           }                        }
>>
>> with
>>
snip
>
> Steve, you are using the subkey. You probably want to use the master
> signing key i.e. the one listed under "pub" ("47EBAC2B" in your case)
>
Hi Jitesh,

Switching to the master key gives a similar error, as below.

./sign_unsigned.py  --just-show dist-fc10

What is the level option?

    '47EBAC2B': { 'name': 'oatrelease',
                  'description': 'EGEE SA1 (Operations Automation Team) ',
                  }

Traceback (most recent call last):
  File "./sign_unsigned.py", line 734, in <module>
    x.run_command()
  File "./sign_unsigned.py", line 284, in run_command
    cmd()
  File "./sign_unsigned.py", line 728, in cmd_default
    self.sign_to_cache(uncached, self.options.level)
  File "./sign_unsigned.py", line 638, in sign_to_cache
    self.do_signing(pkglist, level)
  File "./sign_unsigned.py", line 601, in do_signing
    cmd = self.get_signing_command(level, mypaths[:nlen],
                                   server=self.options.server)
  File "./sign_unsigned.py", line 586, in get_signing_command
    if self.gpg_keys[keyid]['size'] == 4096:
KeyError: None

The full edited script is here

http://cern.ch/steve.traylen/tmp/oat-sign_unsigned.py

is there something else I need to change?

-- 
Steve Traylen



Re: Signing RPMs

2009-11-11 Thread Jitesh Shah
..snip..
> 
> I to have wanted to get this to work.
> 
> I expect I have my key definition wrong, traceback below.
> 
> I have,
> self.gpg_keys = {
> '89D891FB': { 'name': 'oatrelease',
>   'description': 'EGEE SA1 (Operations
> Automation Team) ',
>   }}
> 
> with
> 
> $ gpg --list-keys
> /home/sign/.gnupg/pubring.gpg
> -
> pub   1024D/47EBAC2B 2009-11-11 [expires: 2019-11-09]
> uid  EGEE SA1 (Operations Automation Team)
> 
> sub   2048g/89D891FB 2009-11-11 [expires: 2019-11-09]

Steve, you are using the subkey. You probably want to use the master
signing key i.e. the one listed under "pub" ("47EBAC2B" in your case)

Jitesh

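The key-definition problem discussed in this part of the thread, as an added example that is not part of the thread or of sign_unsigned.py: it parses a `gpg --list-keys` listing like the one Steve posted, builds a gpg_keys entry for the master key that carries the 'size' field get_signing_command() branches on (Jesse's point), and reports when a configured key id is the subkey rather than the key listed under "pub" (Jitesh's point). Python names the key it failed to find, so a lookup that reads `KeyError: None` was handed `None` as the key id, whereas a missing 'size' field would read `KeyError: 'size'`; the check distinguishes the two. The level_to_keyid map is an assumption about how the script turns --level into a key id, and the listing and config values are constructed from what the thread shows.

```python
import re

# Constructed sample: the `gpg --list-keys` output quoted in the thread
# (the dashed separator line that the archive truncated is restored).
SAMPLE_LISTING = """\
/home/sign/.gnupg/pubring.gpg
-----------------------------
pub   1024D/47EBAC2B 2009-11-11 [expires: 2019-11-09]
uid                  EGEE SA1 (Operations Automation Team)
sub   2048g/89D891FB 2009-11-11 [expires: 2019-11-09]
"""

# Constructed: Steve's first gpg_keys entry (subkey id, no 'size').
STEVE_GPG_KEYS = {
    "89D891FB": {"name": "oatrelease",
                 "description": "EGEE SA1 (Operations Automation Team)"},
}

# Assumption: sign_unsigned.py resolves --level to a key id through a map
# like this one; the map itself is hypothetical.
LEVEL_TO_KEYID = {"oatrelease": "89D891FB"}

# Classic (pre-GnuPG 2.1) listing line: "pub   1024D/47EBAC2B 2009-11-11 ..."
KEY_LINE = re.compile(r"^(pub|sub)\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8,16})\b")


def parse_keyring(listing):
    """Map each key id in a `gpg --list-keys` listing to its kind ('pub' or
    'sub'), size in bits and algorithm letter."""
    keys = {}
    for line in listing.splitlines():
        m = KEY_LINE.match(line)
        if m:
            kind, size, algo, keyid = m.groups()
            keys[keyid.upper()] = {"kind": kind, "size": int(size), "algo": algo}
    return keys


def master_key_entry(listing, name, description):
    """Build a gpg_keys entry for the master ('pub') key, carrying the
    'size' that the script's get_signing_command() branches on."""
    for keyid, info in parse_keyring(listing).items():
        if info["kind"] == "pub":
            return {keyid: {"name": name, "description": description,
                            "size": info["size"]}}
    raise ValueError("no 'pub' key in listing")


def check_signing_config(gpg_keys, level_to_keyid, level, listing):
    """List what would break before or at the `self.gpg_keys[keyid]['size']`
    lookup from the traceback; an empty list means the config looks usable."""
    problems = []
    keyid = level_to_keyid.get(level)
    if keyid is None:
        # Python names the missing key, so this lookup reads "KeyError: None".
        problems.append("level %r maps to no key id (KeyError: None)" % (level,))
        return problems
    if keyid not in gpg_keys:
        problems.append("key %s is not in gpg_keys (KeyError: %r)" % (keyid, keyid))
        return problems
    if "size" not in gpg_keys[keyid]:
        problems.append("gpg_keys[%r] has no 'size' (KeyError: 'size')" % keyid)
    ring = parse_keyring(listing)
    if keyid not in ring:
        problems.append("key %s is not in the keyring" % keyid)
    elif ring[keyid]["kind"] != "pub":
        problems.append("%s is a subkey; use the master key listed under 'pub'" % keyid)
    elif gpg_keys[keyid].get("size", ring[keyid]["size"]) != ring[keyid]["size"]:
        problems.append("configured size %d does not match keyring size %d"
                        % (gpg_keys[keyid]["size"], ring[keyid]["size"]))
    return problems


if __name__ == "__main__":
    for p in check_signing_config(STEVE_GPG_KEYS, LEVEL_TO_KEYID, "oatrelease", SAMPLE_LISTING):
        print("problem:", p)
    print("suggested entry:", master_key_entry(
        SAMPLE_LISTING, "oatrelease", "EGEE SA1 (Operations Automation Team)"))
```

Run against the constructed config it reports both the missing 'size' and the subkey id; the entry master_key_entry() returns for the same listing passes the check with the level pointed at 47EBAC2B.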


Re: Signing RPMs

2009-11-11 Thread Jitesh Shah
..snip..
> > 
> > The sign_unsigned script should eventually do a koji API call to do
> > 'write-signed-rpm' on the packages you are signing.  That will assemble
> >  signed RPMs in koji itself, which mash will download and used.
> > 
> > Fedora Rel-Eng doesn't use sign_unsigned anymore because we have a signing
> > server setup now.  However, it should still work.
> it still works. EPEL releng still uses it. you need to make sure to add --
> write-rpms to you command. the signed rpms will then get written.

Nice! That was what I was missing! The signed rpms are now being written
in the 'signed' directory.

Thank you Dennis and Josh.

Jitesh



Re: Signing RPMs

2009-11-11 Thread Steve Traylen
On Wed, Nov 11, 2009 at 5:08 PM, Dennis Gilmore  wrote:
> On Wednesday 11 November 2009 07:15:36 am Josh Boyer wrote:
>> On Tue, Nov 10, 2009 at 11:24:50PM -0800, Jitesh Shah wrote:
>> >So, I picked up the sign_unsigned.py script from releng. I replaced the
>> > keys in there with our keys, tweaked some minor stuff here and there and
>> > managed to get it running. I use it as
>> >"./sign_unsigned.py --level  "
>> >and it runs alright. I can see that the signatures are cached under the
>> > sigcache directory (but NOT embedded in the rpms themselves, which makes
>> > sense since the rpm can probably be a part of different tags and might be
>> > signed differently within each tag)
>> >
>> >So, I thought, well, mash would be the one which'll embed the keys in the
>> > rpms. So, I set strict_keys to True.. added my key to the keys list in my
>> > .mash file. mash has no problems with the rpms and it can verify the
>> > signatures alright. But, it still doesn't embed the signatures in the rpm
>> > (is it supposed to?). So, the created repository still has all rpms
>> > unsigned.
>> >
>> >What am I missing here? where to the rpms get signed actually?
>>
>> The sign_unsigned script should eventually do a koji API call to do
>> 'write-signed-rpm' on the packages you are signing.  That will assemble
>>  signed RPMs in koji itself, which mash will download and used.
>>
>> Fedora Rel-Eng doesn't use sign_unsigned anymore because we have a signing
>> server setup now.  However, it should still work.
> it still works. EPEL releng still uses it. you need to make sure to add --
> write-rpms to you command. the signed rpms will then get written.
>

I too have wanted to get this to work.

I expect I have my key definition wrong, traceback below.

I have,

    self.gpg_keys = {
        '89D891FB': { 'name': 'oatrelease',
                      'description': 'EGEE SA1 (Operations Automation Team) ',
                      }}

with

$ gpg --list-keys
/home/sign/.gnupg/pubring.gpg
-
pub   1024D/47EBAC2B 2009-11-11 [expires: 2019-11-09]
uid  EGEE SA1 (Operations Automation Team)

sub   2048g/89D891FB 2009-11-11 [expires: 2019-11-09]

Traceback (most recent call last):
  File "./sign_unsigned.py", line 734, in <module>
    x.run_command()
  File "./sign_unsigned.py", line 285, in run_command
    cmd()
  File "./sign_unsigned.py", line 728, in cmd_default
    self.sign_to_cache(uncached, self.options.level)
  File "./sign_unsigned.py", line 638, in sign_to_cache
    self.do_signing(pkglist, level)
  File "./sign_unsigned.py", line 601, in do_signing
    cmd = self.get_signing_command(level, mypaths[:nlen],
                                   server=self.options.server)
  File "./sign_unsigned.py", line 587, in get_signing_command
    if self.gpg_keys[keyid]['size'] == 4096:
KeyError: None

-- 
Steve Traylen



Re: Signing RPMs

2009-11-11 Thread Dennis Gilmore
On Wednesday 11 November 2009 07:15:36 am Josh Boyer wrote:
> On Tue, Nov 10, 2009 at 11:24:50PM -0800, Jitesh Shah wrote:
> >So, I picked up the sign_unsigned.py script from releng. I replaced the
> > keys in there with our keys, tweaked some minor stuff here and there and
> > managed to get it running. I use it as
> >"./sign_unsigned.py --level  "
> >and it runs alright. I can see that the signatures are cached under the
> > sigcache directory (but NOT embedded in the rpms themselves, which makes
> > sense since the rpm can probably be a part of different tags and might be
> > signed differently within each tag)
> >
> >So, I thought, well, mash would be the one which'll embed the keys in the
> > rpms. So, I set strict_keys to True.. added my key to the keys list in my
> > .mash file. mash has no problems with the rpms and it can verify the
> > signatures alright. But, it still doesn't embed the signatures in the rpm
> > (is it supposed to?). So, the created repository still has all rpms
> > unsigned.
> >
> >What am I missing here? where to the rpms get signed actually?
> 
> The sign_unsigned script should eventually do a koji API call to do
> 'write-signed-rpm' on the packages you are signing.  That will assemble
>  signed RPMs in koji itself, which mash will download and used.
> 
> Fedora Rel-Eng doesn't use sign_unsigned anymore because we have a signing
> server setup now.  However, it should still work.
It still works. EPEL releng still uses it. You need to make sure to add
--write-rpms to your command. The signed rpms will then get written.

Dennis



Re: Signing RPMs

2009-11-11 Thread Josh Boyer
On Tue, Nov 10, 2009 at 11:24:50PM -0800, Jitesh Shah wrote:
>So, I picked up the sign_unsigned.py script from releng. I replaced the keys 
>in there with our keys, tweaked some minor stuff here and there and managed to 
>get it running. 
>I use it as 
>"./sign_unsigned.py --level  "
>and it runs alright. I can see that the signatures are cached under the 
>sigcache directory (but NOT embedded in the rpms themselves, which makes sense 
>since the rpm can probably be a part of different tags and might be signed 
>differently within each tag)
>
>So, I thought, well, mash would be the one which'll embed the keys in the 
>rpms. So, I set strict_keys to True.. added my key to the keys list in my 
>.mash file. mash has no problems with the rpms and it can verify the 
>signatures alright. But, it still doesn't embed the signatures in the rpm (is 
>it supposed to?). So, the created repository still has all rpms unsigned. 
>
>What am I missing here? where to the rpms get signed actually?

The sign_unsigned script should eventually do a koji API call to do
'write-signed-rpm' on the packages you are signing.  That will assemble signed
RPMs in koji itself, which mash will download and use.

Fedora Rel-Eng doesn't use sign_unsigned anymore because we have a signing
server setup now.  However, it should still work.

josh



Signing RPMs

2009-11-10 Thread Jitesh Shah
So, I picked up the sign_unsigned.py script from releng. I replaced the keys in 
there with our keys, tweaked some minor stuff here and there and managed to get 
it running. 
I use it as 
"./sign_unsigned.py --level  "
and it runs alright. I can see that the signatures are cached under the 
sigcache directory (but NOT embedded in the rpms themselves, which makes sense 
since the rpm can probably be a part of different tags and might be signed 
differently within each tag)

So, I thought, well, mash would be the one which'll embed the keys in the rpms. 
So, I set strict_keys to True.. added my key to the keys list in my .mash file. 
mash has no problems with the rpms and it can verify the signatures alright. 
But, it still doesn't embed the signatures in the rpm (is it supposed to?). So, 
the created repository still has all rpms unsigned. 

What am I missing here? Where do the rpms actually get signed?

Regards,
Jitesh



RE: Koji and Signing RPMS

2009-08-20 Thread Greg Trahair
> To sign an rpm from koji, you should make a copy of the file, sign it
> with the appropriate rpm command, and import the signature. Fedora
> rel-eng has a script to help automate this. Note that you should not
> simply sign the file directly under /mnt/koji, as this causes an
> inconsistency between the filesystem and the database (hence the copy
> step).
> 
> https://fedorahosted.org/rel-eng/browser/scripts/sign_unsigned.py

How do I use this sign_unsigned.py script?



Re: Koji and Signing RPMS

2009-08-19 Thread Jesse Keating
On Wed, 2009-08-19 at 12:02 -0400, Mike McLean wrote:
> On 08/19/2009 05:08 AM, Greg Trahair wrote:
> > I'm using Koji in combination with Mash to create rpms, but at the
> > moment I'm not signing them and I need to start that now.  I'm finding
> > it quite hard to find any way that the koji/mash combination can do this
> > without me having to create my own mechanism.
> 
> Koji does not have an internal signing mechanism. It tracks signatures 
> and can store differently signed copies of the same rpm efficiently, but 
> it does not create signatures.
> 
> If you import a signed rpm, koji will import the signature. You can 
> import signatures for an rpm later by using the import-sig subcommand.
> 
> The basic tool for signing rpms is rpm itself.
> http://docs.fedoraproject.org/drafts/rpm-guide-en/ch11s04.html
> 
> To sign an rpm from koji, you should make a copy of the file, sign it 
> with the appropriate rpm command, and import the signature. Fedora 
> rel-eng has a script to help automate this. Note that you should not 
> simply sign the file directly under /mnt/koji, as this causes an 
> inconsistency between the filesystem and the database (hence the copy step).
> 
> https://fedorahosted.org/rel-eng/browser/scripts/sign_unsigned.py

A recent project was started to create a secure signing server for doing
these types of operations: https://fedorahosted.org/sigul/

https://fedorahosted.org/rel-eng/browser/scripts/sigulsign_unsigned.py
has been written to use the sigul setup.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating



Re: Koji and Signing RPMS

2009-08-19 Thread Mike McLean
On 08/19/2009 05:08 AM, Greg Trahair wrote:
> I'm using Koji in combination with Mash to create rpms, but at the
> moment I'm not signing them and I need to start that now.  I'm finding
> it quite hard to find any way that the koji/mash combination can do this
> without me having to create my own mechanism.

Koji does not have an internal signing mechanism. It tracks signatures
and can store differently signed copies of the same rpm efficiently, but
it does not create signatures.

If you import a signed rpm, koji will import the signature. You can
import signatures for an rpm later by using the import-sig subcommand.

The basic tool for signing rpms is rpm itself.
http://docs.fedoraproject.org/drafts/rpm-guide-en/ch11s04.html

To sign an rpm from koji, you should make a copy of the file, sign it
with the appropriate rpm command, and import the signature. Fedora
rel-eng has a script to help automate this. Note that you should not
simply sign the file directly under /mnt/koji, as this causes an
inconsistency between the filesystem and the database (hence the copy step).

https://fedorahosted.org/rel-eng/browser/scripts/sign_unsigned.py

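The copy, sign and import procedure Mike describes, as an added example that is neither the thread's nor rel-eng's code: it copies the rpm out of the koji tree, signs the copy with `rpm --addsign` (the `_gpg_name` macro selects the signing key), hands the signed copy to `koji import-sig`, and afterwards checks that the file under the koji topdir is byte-for-byte what it was, which is the filesystem/database consistency Mike warns about. The command runner is injectable, and run_demo() drives the whole flow in a temporary directory with a constructed stand-in for an rpm and a fake runner, so nothing below needs rpm or koji installed; the paths and the key id are constructed.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile


def sha256_of(path):
    """Hex digest of a file, used to prove the koji-tracked copy stayed intact."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def sign_koji_rpm(rpm_path, koji_topdir, work_dir, gpg_name, run=subprocess.run):
    """Copy an rpm out of the koji tree, sign the copy and import the signature.

    The file under koji_topdir is never written to: signing it in place would
    change bytes that koji's database still describes by the old checksum.
    `run` defaults to subprocess.run and is injectable for dry runs and tests.
    """
    rpm_path = os.path.realpath(rpm_path)
    koji_topdir = os.path.realpath(koji_topdir)
    work_dir = os.path.realpath(work_dir)
    if work_dir == koji_topdir or work_dir.startswith(koji_topdir + os.sep):
        raise ValueError("refusing to sign inside the koji tree: %s" % work_dir)
    before = sha256_of(rpm_path)
    signed_copy = os.path.join(work_dir, os.path.basename(rpm_path))
    shutil.copy2(rpm_path, signed_copy)
    # Add the signature to the copy; _gpg_name is rpm's macro for the signing key.
    run(["rpm", "--define", "_gpg_name %s" % gpg_name, "--addsign", signed_copy], check=True)
    # Let koji record the signature for the rpm it already tracks.
    run(["koji", "import-sig", signed_copy], check=True)
    if sha256_of(rpm_path) != before:
        raise RuntimeError("%s changed during signing; filesystem and koji database now disagree" % rpm_path)
    return signed_copy


def run_demo():
    """Drive the flow in a temp dir with a constructed fake rpm and a fake runner
    that imitates rpm by appending a marker to the file it is asked to sign."""
    calls = []

    def fake_run(cmd, check=False):
        calls.append(cmd)
        if cmd[0] == "rpm":
            with open(cmd[-1], "ab") as fh:
                fh.write(b"<fake signature header>")

    payload = b"constructed bytes standing in for an rpm"
    base = tempfile.mkdtemp()
    try:
        topdir = os.path.join(base, "mnt", "koji")
        pkgdir = os.path.join(topdir, "packages", "foo", "1.0", "1", "noarch")
        os.makedirs(pkgdir)
        rpm = os.path.join(pkgdir, "foo-1.0-1.noarch.rpm")
        with open(rpm, "wb") as fh:
            fh.write(payload)
        work = os.path.join(base, "signing")
        os.mkdir(work)
        in_place_rejected = False
        try:
            # Asking to work inside the koji tree must be refused before anything runs.
            sign_koji_rpm(rpm, topdir, pkgdir, "47EBAC2B", run=fake_run)
        except ValueError:
            in_place_rejected = True
        signed = sign_koji_rpm(rpm, topdir, work, "47EBAC2B", run=fake_run)
        with open(rpm, "rb") as fh:
            original_untouched = fh.read() == payload
        with open(signed, "rb") as fh:
            copy_signed = fh.read().endswith(b"<fake signature header>")
        return {
            "in_place_rejected": in_place_rejected,
            "original_untouched": original_untouched,
            "copy_signed": copy_signed,
            "tools": [(c[0], c[-2]) for c in calls],
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(run_demo())
```

With the real runner the same function shells out to rpm and koji; the dry run only shows that the in-tree file is left alone, that the copy is what gets signed, and that the two commands run in the order Mike gives.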


Koji and Signing RPMS

2009-08-19 Thread Greg Trahair
Hi All,

I'm using Koji in combination with Mash to create rpms, but at the
moment I'm not signing them and I need to start that now.  I'm finding
it quite hard to find any way that the koji/mash combination can do this
without me having to create my own mechanism.

Is there anyone that can provide a procedure on how this can be
achieved?

[...@kojihub] ~ $ rpm -q koji mash
koji-1.3.1-1.el5.1
mash-0.2.10-3.el5

Thanks in advance,

Greg Trahair

