On Dec 14, 2010, at 2:50 PM, Josh Boyer wrote: > On Tue, Dec 14, 2010 at 2:49 AM, Oliver Falk <[email protected]> wrote: >> Hi Allen! >> >> I'm not sure how the Fedora guys do it... There's a lot of black >> (scripting) magic involved I guess. :-) >> >> And yes, the script is already using the the larger key size, but that's >> not hard to "fix"... >> >> Come on guys, show us your dirty little tricks! :-P > > There are no dirty tricks. It essentially goes: > > 1) RPMs built in koji > 2) sign_unsigned.py is run against various koji tags. Either > dist-f1x-candidates or dist-f1x-updates-testing, or whichever need to > be signed. NOTE: rawhide is not signed > 3) mash is run against the tag after the RPMs have all been signed. > 4) Bodhi does some symlink switching after all the mashes have > completed successfully and the new repos are pushed to the mirrors. > > That's it. No tricks, nothing super efficient. > > At some point, there was discussion on having koji do the signing > automatically after a build completes. I think that is still a long > term plan, but it requires a project to use a single key for all > packages. > > josh
Hi Josh, all, i'm reading this thread and i think that i've missed some point. What is the purpose of signing an RPM if you sign it on an online machine? I haven't seen the sign_unsigned.py source yet but i guess what should be there is a mechanism that should download the unsigned RPMs, then a manual operation of RPM sign (possibly on an offline or at least access restricted node), and then another script to import the signed RPMs (or just the signatures). Am i seeing this from a wrong perspective? does Fedora really sign the RPMs online? I guess this gets even worse if the sign operation is done more efficiently, automatically after each koji build. I hope i don't sound offensive, but these were my thoughts as i want/need to implement something like this in our local koji installation and i hoped that you were using something more sophisticated. Regards, Christos
smime.p7s
Description: S/MIME cryptographic signature
-- buildsys mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/buildsys
