Here's an example of a script for yum copy & sign; this could go into
the bigtop svn tree so we can play with it to make sure it works.
-------- Original Message --------
Subject: Re: An ASF yum repository?
Date: Sun, 26 Feb 2012 16:36:36 +0200
From: Graham Leggett <[email protected]>
To: Henk P. Penning <[email protected]>
CC: Steve Loughran <[email protected]>, Tony Stevenson
<[email protected]>, Apache Infrastructure
<[email protected]>
On 25 Feb 2012, at 8:59 PM, Henk P. Penning wrote:
sounds good ; better even than we have for the 'usual' stuff.
One problem : the KEYS file isn't authoritative in any way ;
it is just a useless bag of keys ; it is better to start over.
I think we need
1 (per PMC) a file that indicates which (keys of) Release Managers
can sign stuff in what (sub) trees ;
this file must be signed by someone in the PMC ; see (2).
2 an ASF wide file indicating (for each project) which keys can sign
the "per PMC" files in (1) ;
this file must be signed by a "well-known key" (keymaster-key).
With a dedicated keymaster (team), this would work, I think.
Time for a pilot ?
Perhaps a signing script like this that runs on a checkout of dist:
[minfrin@257233-app1 x86_64]$ cat ~/scan-incoming.sh
#!/bin/bash
INCOMING=${1}
# ASF keyid
KEYID=12345678
DEST=../release
RPMCHECK="/usr/bin/rpmsign -v -K"
# The "echo" prefixes make the sign and svn steps a dry run; drop them to go
# live. $HOME is used because a "~" inside a variable is not tilde-expanded.
RPMSIGN="echo $HOME/rpm-sign.expect"
SVN="echo /usr/bin/svn"
#
# Find every RPM file in the /sign directory in svn.
# For every correctly signed RPM, that isn't signed with the ASF KEY:
# - Move the file to the /release directory; then
# - Sign it with the ASF key; then
# - Commit the changes.
#
cd "${INCOMING}" || exit 1
find . -type f -name \*.rpm | while read -r f
do
  # Drop signature lines made with the ASF key, then look for any other
  # good signature (the pipeline must stay on one logical line).
  if ${RPMCHECK} "${f}" | grep -v "V3 DSA signature: OK, key ID ${KEYID}" \
      | grep -q "V3 DSA signature: OK, key ID"; then
    echo "Moving ${f} to ${DEST}/${f}"
    ${SVN} move "${f}" "${DEST}/${f}"
    echo "Signing ${f}"
    ${RPMSIGN} "${DEST}/${f}"
    echo "Committing signed artifacts"
    ${SVN} commit -m "Signing ${f} with key ${KEYID}" "${f}" "${DEST}/${f}"
  fi
done
Turns out rpmsign is a bit brain dead, and refuses to work
non-interactively, and an expect script seems to be the accepted workaround:
[minfrin@257233-app1 x86_64]$ cat ~/rpm-sign.expect
#!/usr/bin/expect -f
#
# Drive "rpm --addsign" non-interactively by answering its passphrase prompt.
proc usage {} {
    send_user "Usage: rpm-sign.expect rpmfile\n\n"
    exit 1
}
if {[llength $argv] != 1} usage
set rpmfile [lindex $argv 0]
# Test key name and passphrase; replace both with the real signing key's.
spawn rpm --addsign -D "_signature gpg" \
    -D "_gpg_name Testing Key (Testing key for RPMs) <[email protected]>" $rpmfile
expect -exact "Enter pass phrase: "
send -- "passphrase\r"
expect eof
This would just need a location to run, where both rpm and yum are
available.
Regards,
Graham
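The trust chain Henk sketches in the quoted reply (a keymaster-signed ASF-wide file naming, per PMC, the keys that may sign that PMC's file; a per-PMC file naming the Release Manager keys allowed in each subtree) and the `rpmsign -K` check that scan-incoming.sh greps for, worked through as an added example. This is not code from the thread or from any ASF tooling. It assumes gpg has already verified the two policy files and that its result is available as the `signed_by` fields; every key ID, PMC name, path and line of `rpm -K -v` output below is constructed, and the output layout is modelled on the single line the script greps for (real wording varies between rpm versions).

```python
import re

# Constructed stand-ins; none of these key IDs, names or paths are real.
ASF_KEYID = "12345678"   # placeholder ASF key, the same value scan-incoming.sh uses
KEYMASTER = "CAFE0001"   # stand-in for the keymaster's "well-known key"

# (2) ASF-wide file, signed by the keymaster: PMC -> keys that may sign its file.
# ``signed_by`` stands in for the key gpg reported when verifying the file.
ASF_WIDE = {
    "signed_by": KEYMASTER,
    "pmcs": {"bigtop": {"A1000001", "A1000002"}, "httpd": {"A1000003"}},
}

# (1) per-PMC files: subtree prefix -> Release Manager keys allowed under it.
PMC_FILES = {
    "bigtop": {
        "signed_by": "A1000001",
        "subtrees": {"bigtop/": {"B2000001"},
                     "bigtop/x86_64/": {"B2000001", "B2000002"}},
    },
    # Signed by a key the ASF-wide file does not list for httpd: untrusted.
    "httpd": {"signed_by": "A1000099", "subtrees": {"httpd/": {"B2000003"}}},
}

# One "<check>: <status>" line of ``rpm -K -v`` output, in the layout of the
# line scan-incoming.sh greps for (exact wording varies between rpm versions).
CHECK_RE = re.compile(r"^\s*(?P<what>[^:]+): (?P<status>OK|BAD|NOKEY|NOTRUSTED)\b")
KEYID_RE = re.compile(r"key ID (?P<keyid>[0-9A-Fa-f]+)")


def parse_rpm_check(output):
    """Return (all_ok, signing_key_ids) for one RPM's ``rpm -K -v`` output.

    Every check line must be OK: a BAD digest next to an OK signature line
    fails the file, which a single grep for the OK line would not notice.
    """
    seen_check = False
    key_ids = set()
    for line in output.splitlines():
        m = CHECK_RE.match(line)
        if not m:
            continue  # the "file.rpm:" heading and blank lines
        if m.group("status") != "OK":
            return False, set()
        seen_check = True
        k = KEYID_RE.search(line)
        if k:
            key_ids.add(k.group("keyid").upper())
    return seen_check, key_ids


def pmc_file_signers(pmc):
    """Keys allowed to sign ``pmc``'s file, per the keymaster-signed ASF-wide file."""
    if ASF_WIDE["signed_by"] != KEYMASTER:
        return set()
    return ASF_WIDE["pmcs"].get(pmc, set())


def release_manager_keys(pmc, path):
    """Walk the chain keymaster -> ASF-wide file -> per-PMC file -> subtree
    and return the Release Manager keys allowed to sign ``path``."""
    pmc_file = PMC_FILES.get(pmc)
    if pmc_file is None or pmc_file["signed_by"] not in pmc_file_signers(pmc):
        return set()
    allowed = set()
    for prefix, keys in pmc_file["subtrees"].items():
        if path.startswith(prefix):
            allowed |= keys
    return allowed


def may_release(pmc, path, rpm_check_output):
    """Decide whether an incoming RPM may be moved to /release and ASF-signed.

    Keeps scan-incoming.sh's rule (a good signature by a key other than the
    ASF key) and adds the trust-chain check. Returns (decision, reason).
    """
    ok, key_ids = parse_rpm_check(rpm_check_output)
    if not ok:
        return False, "rpm -K reported a failed signature or digest check"
    rm_keys = {k for k in key_ids if k != ASF_KEYID}
    if not rm_keys:
        return False, "no Release Manager signature (only the ASF key, or none)"
    unauthorised = rm_keys - release_manager_keys(pmc, path)
    if unauthorised:
        return False, "key(s) %s not authorised for %s" % (sorted(unauthorised), path)
    return True, "signed by authorised key(s) %s" % sorted(rm_keys)


# Constructed ``rpm -K -v`` output for two incoming files.
GOOD_OUTPUT = """hadoop-1.0-1.x86_64.rpm:
    Header V3 DSA signature: OK, key ID b2000002
    Header SHA1 digest: OK (constructed)
    MD5 digest: OK (constructed)
    V3 DSA signature: OK, key ID b2000002
"""
BAD_DIGEST_OUTPUT = GOOD_OUTPUT.replace("MD5 digest: OK", "MD5 digest: BAD")

if __name__ == "__main__":
    for pmc, path, out in [
        ("bigtop", "bigtop/x86_64/hadoop-1.0-1.x86_64.rpm", GOOD_OUTPUT),
        ("bigtop", "bigtop/x86_64/hadoop-1.0-1.x86_64.rpm", BAD_DIGEST_OUTPUT),
        ("bigtop", "bigtop/common/hadoop-1.0-1.noarch.rpm", GOOD_OUTPUT),
    ]:
        print(path, *may_release(pmc, path, out))
```

The two policy files are plain dictionaries here; in the pilot they would be text files in the dist checkout, verified with gpg before being read, and the per-PMC file would only be trusted if its signer appears in the ASF-wide file. The parser deliberately rejects a file on any non-OK line rather than accepting it on one OK signature line, which is the gap a single grep leaves open.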