Old 12-13-2010, 06:59 PM
Allen Hewes
 
Signing built RPMs or how to create signed RPMs.

Hi,

I have my koji setup building RPMs from my subversion repo. I have mash sucking the RPMs out of koji and making yum repos. Right now, the RPMs in my yum repo aren't signed.

I have read some old posts from Jesse w.r.t. adding signatures into/with koji. I found the commands for the koji cli, but I am not clear as to what to do or how to do it.

My end goal is to have the RPMs signed with my key when a client machine runs yum install/update from my repo. What I used to do before I started with koji was rpm --resign *.rpm (enter pass phrase) and then createrepo -d.

I know I can build & sign stuff with rpmbuild --sign, but where (how) would someone change this inside mock running inside kojid?

So my question is: where does this happen with koji? Or does it happen outside of koji?

Thanks,

/allen
--
buildsys mailing list
buildsys@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/buildsys
 
Old 12-13-2010, 09:16 PM
Oliver Falk
 
Signing built RPMs or how to create signed RPMs.

Hi Allen!

You might want to look at the following post:

http://www.mail-archive.com/fedora-buildsys-list@redhat.com/msg02187.html

-of

 
Old 12-14-2010, 04:54 AM
Allen Hewes
 
Signing built RPMs or how to create signed RPMs.

>
> Hi Allen!
>
> You might want to look at the following post:
>
> http://www.mail-archive.com/fedora-buildsys-list@redhat.com/msg02187.html
>
> -of

Hi Oliver,

Thanks for the link. I had not come across this thread.

It would appear that currently there isn't any method to sign RPMs within koji or mash. You can import prebuilt RPMs with signatures into Koji. I don't know much about importing RPMs into koji because I haven't had a need.

Do the Fedora guys use the sign_unsigned.py script for the official Fedora yum repos? If so, how do they use mash? Because it looks to me that if you use this script, it does one of the steps mash does; fetching RPMs out of koji tags.

I would have guessed that the Fedora guys generate their yum repos via mash from koji tags and then sign RPMs.

I'd have to modify this script to suit my needs, but I think I could do it. It also looks like it relies on a newer version of RPM, the rpm command for key size == 4096 is one spot I noticed.

Also, I have to enter a passphrase when I sign my RPMs but this script doesn't have any provisions for that. Is there a way to make rpm --resign not prompt for a passphrase?

Has there been any talk about adding RPM signing to mash? It seems like that'd be a good place for it.

Thanks,

/allen
 
Old 12-14-2010, 06:43 AM
Pierre Guillet
 
Signing built RPMs or how to create signed RPMs.

Hi,

I'm using Koji + sign_unsigned.py + mash to build RPMs on CentOS5.

I have modified sign_unsigned.py to manage the passphrase. If the option is not used, sign_unsigned.py gives an empty passphrase to the 'rpm --resign' command.

Add the Python expect module to the import section (the pexpect RPM must be installed):

*import getpass
+import pexpect
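Review bot: the unconditional `+import pexpect` makes python-pexpect a hard dependency of the whole script, so a host without that package now fails at startup even when --passwd is never used. Importing it inside do_signing(), or catching ImportError with a message naming the package, keeps the rest of sign_unsigned.py usable without it.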

Add the --passwd option in __init__() of the SignUnsigned class:

+******* self.parser.add_option("--passwd", action="">
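Review bot: the add_option() line is truncated here (`action="">`), and where it is quoted later in the thread it reads `action="store_true"`, which makes self.options.passwd a boolean: do_signing() would then send the string "True" as the passphrase. The option has to take a value (`action="store", type="string", dest="passwd"`), and putting the passphrase on the command line at all leaves it visible in `ps` output and shell history on the signing host; reading it with getpass.getpass() (already imported) or from a root-only file is the safer form.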

Replace these lines in do_signing():

-*************** # loop in case password is mistyped
-*************** while os.system(cmd):
-******************* # sleep briefly (give user a chance to ctrl-C)
-******************* time.sleep(2)

+*************** # Use expect to give the passphrase
+*************** # LANG=C to have english question 'pass phrase'
+*************** os.environ['LC_ALL'] = 'C'
+*************** child = pexpect.spawn(cmd)

+*************** # Wait for 'pass phrase'
+*************** child.expect('phrase:')
+*************** if not self.options.passwd:
+******************* child.sendline('
')
+*************** else:

+******************* child.sendline("%s" % self.options.passwd)
+*************** child.expect(pexpect.EOF)
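Review bot: the removed `while os.system(cmd)` loop was also the only exit-status check; after `child.expect(pexpect.EOF)` nothing calls `child.close()` or looks at `child.exitstatus`, so a mistyped passphrase or a failing `rpm --resign` is ignored and the still-unsigned RPM goes on into mash. Add `child.close()` and fail (or retry) when `child.exitstatus != 0`. Two smaller points: `child.expect('phrase:')` raises pexpect.TIMEOUT after the default 30 s whenever rpm does not prompt (key without a passphrase, gpg-agent), so wrap it in a try/except for TIMEOUT and EOF; and `os.environ['LC_ALL'] = 'C'` changes the environment of the whole script, where `pexpect.spawn(cmd, env=...)` would scope it to the child. The empty-passphrase branch only needs `child.sendline('')`, since sendline appends the newline itself.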

Regards,
Pierre

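Allen asked how to keep rpm --resign from prompting, and Pierre's patch answers it with pexpect but never checks that the signing actually succeeded. The following is an added example written for this thread, not sign_unsigned.py, Pierre's patch, or any Fedora tooling. It drives rpm --resign under a pty the same way, but takes the passphrase from the environment or getpass instead of the command line, scopes LC_ALL=C to the child, fails on a non-zero exit, and then parses rpm -K output so that an RPM without a gpg signature can never reach createrepo. Assumptions: rpm prompts with "Enter pass phrase:" on its tty (rpm 4.4 to 4.8 behaviour), python-pexpect is installed, the key is selected through the real _gpg_name macro; the RPM_SIGN_PASSPHRASE variable, the key name, the file names and the rpm -K sample lines are all made up for the example.

```python
"""Non-interactive `rpm --resign` driver with a post-signing signature check.

Added example for this thread; not sign_unsigned.py and not Pierre's patch.
RPM_SIGN_PASSPHRASE, the key name and SAMPLE_CHECKSIG are constructed here.
"""
import getpass
import os
import re
import subprocess

_WORD = re.compile(r"[a-z]+")
# tokens that mean a signature (not just digests) was checked: old rpm prints
# "gpg"/"pgp", rpm 4.14+ prints "signatures"
_SIG_TOKENS = ("gpg", "pgp", "signatures")

# Constructed `rpm -K` output in both verdict styles; only foo and qux carry a
# verified signature, bar and quux have digests only, baz fails to verify.
SAMPLE_CHECKSIG = """\
foo-1.0-1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
bar-1.0-1.x86_64.rpm: sha1 md5 OK
baz-1.0-1.x86_64.rpm: (SHA1) DSA sha1 MD5 GPG NOT OK (MISSING KEYS: GPG#deadbeef)
qux-2.0-1.noarch.rpm: digests signatures OK
quux-2.0-1.noarch.rpm: digests OK
"""


def signing_command(rpm_paths, gpg_name):
    """argv for `rpm --resign`; the key is chosen via the _gpg_name macro."""
    return ["rpm", "--define", "_gpg_name %s" % gpg_name, "--resign"] + list(rpm_paths)


def load_passphrase(env_var="RPM_SIGN_PASSPHRASE"):
    """Take the passphrase from the environment set by the calling job, else ask
    on the terminal; it never goes on the command line where `ps` shows it."""
    secret = os.environ.get(env_var)
    if secret is None:
        secret = getpass.getpass("Passphrase for the RPM signing key: ")
    return secret


def sign_rpms(rpm_paths, gpg_name, passphrase, timeout=60):
    """Run `rpm --resign` under a pty, answer the prompt, and raise on failure
    instead of letting unsigned RPMs continue down the pipeline."""
    import pexpect  # external dependency (python-pexpect), imported lazily

    argv = signing_command(rpm_paths, gpg_name)
    env = dict(os.environ, LC_ALL="C")  # predictable prompt text, child only
    child = pexpect.spawn(argv[0], argv[1:], env=env, timeout=timeout)
    try:
        child.expect("phrase:")
    except (pexpect.TIMEOUT, pexpect.EOF):
        child.close(force=True)
        raise RuntimeError("rpm did not ask for a passphrase; output: %r" % child.before)
    child.sendline(passphrase)  # sendline appends the newline itself
    child.expect(pexpect.EOF)
    child.close()
    if child.exitstatus != 0:
        raise RuntimeError("rpm --resign exited %s: %r" % (child.exitstatus, child.before))


def parse_checksig_line(line):
    """Parse one `rpm -K` line into (path, signed_and_ok).

    A verdict that lists only digests means the package carries no signature,
    which is exactly the silent failure a signing step must not let through.
    """
    path, sep, verdict = line.partition(":")  # assumes no ':' in the path
    if not sep:
        raise ValueError("not an rpm -K line: %r" % line)
    lowered = verdict.strip().lower()
    failed = "not ok" in lowered
    has_signature = any(tok in _SIG_TOKENS for tok in _WORD.findall(lowered))
    return path.strip(), has_signature and not failed and lowered.endswith("ok")


def unsigned_or_bad(checksig_output):
    """Paths from `rpm -K` output whose signature is missing or does not verify."""
    bad = []
    for line in checksig_output.splitlines():
        if line.strip():
            path, ok = parse_checksig_line(line)
            if not ok:
                bad.append(path)
    return bad


def verify_signed(rpm_paths):
    """Run `rpm -K` and return the paths that must not reach createrepo/mash."""
    proc = subprocess.run(["rpm", "-K"] + list(rpm_paths),
                          stdout=subprocess.PIPE, universal_newlines=True)
    return unsigned_or_bad(proc.stdout)


if __name__ == "__main__":
    import sys
    rpms = sys.argv[1:]
    sign_rpms(rpms, "Build Key <builds@example.com>", load_passphrase())  # placeholder key name
    leftovers = verify_signed(rpms)
    if leftovers:
        sys.exit("refusing to build the repo, unsigned or bad: %s" % ", ".join(leftovers))
    subprocess.check_call(["createrepo", "-d", os.path.dirname(rpms[0]) or "."])
```

The gate in verify_signed() is the part worth keeping even if the signing itself is done some other way: run it over the directory mash or createrepo is about to publish, and the repo is never built from a mix of signed and unsigned packages.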
 
Old 12-14-2010, 06:46 AM
Oliver Falk
 
Signing built RPMs or how to create signed RPMs.

Hi!

Thanks for answering this... I used to have a script doing something
similar :-)

I guess this will help Allen.

-of

 
Old 12-14-2010, 06:49 AM
Oliver Falk
 
Signing built RPMs or how to create signed RPMs.

Hi Allen!

I'm not sure how the Fedora guys do it... There's a lot of black
(scripting) magic involved I guess. :-)

And yes, the script is already using the larger key size, but that's
not hard to "fix"...

Come on guys, show us your dirty little tricks! :-P

Best,
Oliver

 
Old 12-14-2010, 07:45 AM
"Vijay N. Majagaonkar"
 
Signing built RPMs or how to create signed RPMs.

Hi All,
I'm new to this system, forgive me if I am doing something wrong here!
We can add a signing key to the build tag at the time of creating the tag:


[vijay@koji ~]$ koji add-tag --help
Usage: koji add-tag [options] name
(Specify the --help global option for a list of other help options)

Options:
  -h, --help       show this help message and exit
  --parent=PARENT  Specify parent
  --arches=ARCHES  Specify arches
  --sigkey=SIGKEY  Specify signing key

"Human Knowledge Belongs To World"

~thanks
Vijay.



 
Old 12-14-2010, 11:50 AM
Josh Boyer
 
Signing built RPMs or how to create signed RPMs.

On Tue, Dec 14, 2010 at 2:49 AM, Oliver Falk <oliver@linux-kernel.at> wrote:
> Hi Allen!
>
> I'm not sure how the Fedora guys do it... There's a lot of black
> (scripting) magic involved I guess. :-)
>
> And yes, the script is already using the the larger key size, but that's
> not hard to "fix"...
>
> Come on guys, show us your dirty little tricks! :-P

There are no dirty tricks. It essentially goes:

1) RPMs built in koji
2) sign_unsigned.py is run against various koji tags. Either
dist-f1x-candidates or dist-f1x-updates-testing, or whichever need to
be signed. NOTE: rawhide is not signed
3) mash is run against the tag after the RPMs have all been signed.
4) Bodhi does some symlink switching after all the mashes have
completed successfully and the new repos are pushed to the mirrors.

That's it. No tricks, nothing super efficient.

At some point, there was discussion on having koji do the signing
automatically after a build completes. I think that is still a long
term plan, but it requires a project to use a single key for all
packages.

josh
 
Old 12-14-2010, 11:58 AM
Oliver Falk
 
Signing built RPMs or how to create signed RPMs.

On 12/14/2010 01:50 PM, Josh Boyer wrote:
> On Tue, Dec 14, 2010 at 2:49 AM, Oliver Falk<oliver@linux-kernel.at> wrote:
>> Hi Allen!
>>
>> I'm not sure how the Fedora guys do it... There's a lot of black
>> (scripting) magic involved I guess. :-)
>>
>> And yes, the script is already using the the larger key size, but that's
>> not hard to "fix"...
>>
>> Come on guys, show us your dirty little tricks! :-P
>
> There are no dirty tricks. It essentially goes:
>
> 1) RPMs built in koji
> 2) sign_unsigned.py is run against various koji tags. Either
> dist-f1x-candidates or dist-f1x-updates-testing, or whichever need to
> be signed. NOTE: rawhide is not signed
> 3) mash is run against the tag after the RPMs have all been signed.
> 4) Bodhi does some symlink switching after all the mashes have
> completed successfully and the new repos are pushed to the mirrors.
>
> That's it. No tricks, nothing super efficient.
>
> At some point, there was discussion on having koji do the signing
> automatically after a build completes. I think that is still a long
> term plan, but it requires a project to use a single key for all
> packages.


Sorry Josh. This wasn't meant as offence! I just never saw any
documentation about this part - maybe I just didn't look hard enough. :-)

-of
 
Old 12-14-2010, 12:03 PM
Josh Boyer
 
Signing built RPMs or how to create signed RPMs.

On Tue, Dec 14, 2010 at 7:58 AM, Oliver Falk <oliver@linux-kernel.at> wrote:
>> There are no dirty tricks. It essentially goes:
>>
>> 1) RPMs built in koji
>> 2) sign_unsigned.py is run against various koji tags. Either
>> dist-f1x-candidates or dist-f1x-updates-testing, or whichever need to
>> be signed. NOTE: rawhide is not signed
>> 3) mash is run against the tag after the RPMs have all been signed.
>> 4) Bodhi does some symlink switching after all the mashes have
>> completed successfully and the new repos are pushed to the mirrors.
>>
>> That's it. No tricks, nothing super efficient.
>>
>> At some point, there was discussion on having koji do the signing
>> automatically after a build completes. I think that is still a long
>> term plan, but it requires a project to use a single key for all
>> packages.
>
>
> Sorry Josh. This wasn't meant as offence! I just never saw any
> documentation about this part - maybe I just didn't look hard enough. :-)

Oh, I wasn't offended in the slightest. If anything I was wishing we
had dirty tricks, because how it is done right now is fairly
inefficient.

And yes, there should be more documentation in this area under the
RelEng SOPs. I'll take the blame for that, as I never got around to
writing it.

josh
 
