On Tue, Nov 10, 2009 at 11:24:50PM -0800, Jitesh Shah wrote:
>So, I picked up the sign_unsigned.py script from releng. I replaced the keys
>in there with our keys, tweaked some minor stuff here and there and managed to
>get it running.
>I use it as
>"./sign_unsigned.py --level <level> <tag-name>"
>and it runs alright. I can see that the signatures are cached under the
>sigcache directory (but NOT embedded in the rpms themselves, which makes sense
>since the rpm can probably be a part of different tags and might be signed
>differently within each tag)
>
>So, I thought, well, mash would be the one which'll embed the keys in the
>rpms. So, I set strict_keys to True.. added my key to the keys list in my
>.mash file. mash has no problems with the rpms and it can verify the
>signatures alright. But, it still doesn't embed the signatures in the rpm (is
>it supposed to?). So, the created repository still has all rpms unsigned.
>
>What am I missing here? Where do the rpms get signed actually?

The sign_unsigned script should eventually do a koji API call to do
'write-signed-rpm' on the packages you are signing. That will assemble signed
RPMs in koji itself, which mash will download and use.

Fedora Rel-Eng doesn't use sign_unsigned anymore because we have a signing
server setup now. However, it should still work.

josh