12-09-2010, 09:28 PM
Patrick Lists
 
Howto batch sign RPM packages?

Hi,

I need to sign a bunch of RPM packages that have interdependencies:
build #1, sign #1, install #1, build #2, sign #2, install #2 etc.

Based on the info in bz436812 [1] I have created the key (RSA sign only,
4096bit, no sub keys) and put this in .rpmmacros:

%_signature gpg
%_gpg_path ~/.gnupg
%_gpg_name <KEY_ID>
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs \
    --digest-algo=sha1 --batch --no-verbose --no-armor \
    --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
    -sbo %{__signature_filename} %{__plaintext_filename}

Now I don't want to type in a rather long and difficult passphrase every
time one of dozens of packages need to be signed and I also don't want
to temporarily remove the passphrase so am looking for a better solution
that works unattended after giving the passphrase once.
I looked at gpgwrap (part of pgp-tools in Fedora) but from the docs I
could not figure out how to make that work.

Anyone know howto set this up?

Thanks!
Patrick

[1] https://bugzilla.redhat.com/show_bug.cgi?id=436812
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
12-09-2010, 09:56 PM
JohnS
 
Howto batch sign RPM packages?

On Thu, 2010-12-09 at 23:28 +0100, Patrick Lists wrote:

What's so hard about:

#!/bin/expect

It will take care of all that for you in a jiffy... Yeah, you need a
passphrase, which expect can handle for you.


John


Date: Fri, 10 Dec 2010 03:57:24 +0500
From: Андрей Григорьев <andrew@ei-grad.ru>
To: "Discussion about the Arch User Repository (AUR)" <aur-general@archlinux.org>
Subject: Re: [aur-general] delete packages

Hi.

I was maintainer of the pyclutter package.

Can't build python-clutter, marked it as outdated. Also, there are
pyclutter-gst and pyclutter-gtk packages in AUR, it would be nice to
keep the overall naming scheme of python bindings for clutter. I have
nothing against if someone else will maintain this package, but it
would be nice to at least rename and update it then.

2010/12/9 Evangelos Foutras <foutrelis@gmail.com>:
> On Wed, Dec 8, 2010 at 11:02 PM, Joao Cordeiro <jlcordeiro@gmail.com> wrote:
>> libreoffice-bin [1] - dupe of package in extra.
>>
>> pyclutter-svn [2] is deprecated since pyclutter now uses git (and there is a
>> git package in aur). Also, pyclutter [3] and python-clutter [4] are dupes.
>> First has better naming but the second was submitted first so I don't know
>> which one should be deleted - up to you.
>
> Deleted the first two and pyclutter.
>
 
12-10-2010, 12:00 AM
Patrick Lists
 
Howto batch sign RPM packages?

On 12/09/2010 11:56 PM, JohnS wrote:
>
> On Thu, 2010-12-09 at 23:28 +0100, Patrick Lists wrote:
>
> What's so hard about:
>
> #!/bin/expect
>
> It will take care of all that for you in a jiffy... Yeah, you need a
> passphrase, which expect can handle for you.

Thanks John. Never thought about expect.

Regards,
Patrick
 
12-10-2010, 09:05 AM
John Doe
 
Howto batch sign RPM packages?

From: Patrick Lists <centos-list@puzzled.xs4all.nl>

> I need to sign a bunch of RPM packages that have interdependencies:
> build #1, sign #1, install #1, build #2, sign #2, install #2 etc.
> Now I don't want to type in a rather long and difficult passphrase every
> time one of dozens of packages need to be signed and I also don't want
> to temporarily remove the passphrase so am looking for a better solution
> that works unattended after giving the passphrase once.
> I looked at gpgwrap (part of pgp-tools in Fedora) but from the docs I
> could not figure out how to make that work.
> Anyone know howto set this up?

What about: '--passphrase-file file' ?

JD



 
12-10-2010, 10:22 AM
Patrick Lists
 
Howto batch sign RPM packages?

On 12/10/2010 11:05 AM, John Doe wrote:
> From: Patrick Lists <centos-list@puzzled.xs4all.nl>
>
>> I need to sign a bunch of RPM packages that have interdependencies:
>> build #1, sign #1, install #1, build #2, sign #2, install #2 etc.
>> Now I don't want to type in a rather long and difficult passphrase every
>> time one of dozens of packages need to be signed and I also don't want
>> to temporarily remove the passphrase so am looking for a better solution
>> that works unattended after giving the passphrase once.
>> I looked at gpgwrap (part of pgp-tools in Fedora) but from the docs I
>> could not figure out how to make that work.
>> Anyone know howto set this up?
>
> What about: '--passphrase-file file' ?

Excellent suggestion which obviously I missed in the gpg manpage.
Probably because I was focused on --passphrase-fd n in combination with
gpgwrap.

Thanks!
Patrick
 
12-11-2010, 10:22 AM
Sergey Podushkin
 
Howto batch sign RPM packages?

Patrick Lists wrote:
> Hi,
>
> I need to sign a bunch of RPM packages that have interdependencies:
> build #1, sign #1, install #1, build #2, sign #2, install #2 etc.
>
> Based on the info in bz436812 [1] I have created the key (RSA sign only,
> 4096bit, no sub keys) and put this in .rpmmacros:
>
> %_signature gpg
> %_gpg_path ~/.gnupg
> %_gpg_name <KEY_ID>
> %__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs \
>     --digest-algo=sha1 --batch --no-verbose --no-armor \
>     --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
>     -sbo %{__signature_filename} %{__plaintext_filename}
>
> Now I don't want to type in a rather long and difficult passphrase every
> time one of dozens of packages need to be signed and I also don't want
> to temporarily remove the passphrase so am looking for a better solution
> that works unattended after giving the passphrase once.
> I looked at gpgwrap (part of pgp-tools in Fedora) but from the docs I
> could not figure out how to make that work.
>
> Anyone know howto set this up?
>
After building a bunch of packages, they can easily be signed this way:

rpm --resign *.rpm

If you need to sign packages from another account:

su -c "rpm --resign *.rpm" username

So it requires typing the password only once.
It may be worth moving the packages to some directory to avoid re-signing
other packages, or you can change the command and use the names of the
packages instead of a wildcarded name.

 
12-11-2010, 07:43 PM
Gordon Messmer
 
Howto batch sign RPM packages?

On 12/10/2010 02:05 AM, John Doe wrote:
> What about: '--passphrase-file file' ?

If you're going to put the key and its passphrase file on the same host,
you might as well not encrypt the key at all. You're better off
encrypting the filesystem that contains the key.

If you decide to use a passphrase file anyway, at least put it on a
tmpfs so that you have to recreate it every time you reboot.
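
An added example (not posted by anyone in this thread) of the tmpfs handling suggested in the post above: it refuses to store the passphrase anywhere but a tmpfs directory and creates the file with mode 0600. The function names, the rpmsign.XXXXXX file name and the /dev/shm location are assumptions; GNU coreutils stat is required.

```bash
#!/bin/bash
# Added example: keep a gpg passphrase file on tmpfs only, readable by its owner only.
# Function names and the /dev/shm location are assumptions, not from the thread.

# Print the filesystem type that holds a path (GNU coreutils stat).
fs_type() { stat -f -c %T -- "$1"; }

# Succeed only if the path lives on tmpfs (RAM-backed, contents gone after a reboot).
is_tmpfs() { [ "$(fs_type "$1")" = "tmpfs" ]; }

# Read one line (the passphrase) from stdin and write it to FILE with mode 0600.
# The body runs in a subshell, so the umask change does not leak to the caller.
write_secret() (
    umask 077
    if [ -t 0 ]; then stty -echo; fi      # do not echo when typed at a terminal
    IFS= read -r pass || :
    if [ -t 0 ]; then stty echo; fi
    [ -n "$pass" ] || return 1            # refuse an empty passphrase
    printf '%s\n' "$pass" > "$1" && chmod 600 -- "$1"
)

# Store the passphrase under DIR, refusing any DIR that is not on tmpfs.
# Prints the path of the new file, for use with gpg --passphrase-file.
store_passphrase() (
    dir=$1
    if ! is_tmpfs "$dir"; then
        echo "refusing: $dir is not on tmpfs" >&2
        return 1
    fi
    file=$(mktemp "$dir/rpmsign.XXXXXX") || return 1
    write_secret "$file" || { rm -f -- "$file"; return 1; }
    printf '%s\n' "$file"
)

# Typical use (not run here):
#   passfile=$(store_passphrase /dev/shm) || exit 1   # passphrase typed once
#   trap 'rm -f -- "$passfile"' EXIT                   # remove it without waiting for a reboot
#   ... sign with gpg --passphrase-file "$passfile" ...
```

gpg reads only the first line of the file given to --passphrase-file, which is why the file holds exactly one line.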
 
12-12-2010, 10:37 PM
Patrick Lists
 
Howto batch sign RPM packages?

On 12/11/2010 12:22 PM, Sergey Podushkin wrote:
> After building a bunch of packages, they can easily be signed this way:
>
> rpm --resign *.rpm
>
> If you need to sign packages from another account:
>
> su -c "rpm --resign *.rpm" username
>
> So it requires typing the password only once.
> It may be worth moving the packages to some directory to avoid re-signing
> other packages, or you can change the command and use the names of the
> packages instead of a wildcarded name.

Thanks Sergey. This is how I now have it setup and it works fine.

Regards,
Patrick
 

All times are GMT.