Koji and Signing RPMS
Mike McLean
mikem at redhat.com
Wed Aug 19 16:02:31 UTC 2009
On 08/19/2009 05:08 AM, Greg Trahair wrote:
> I'm using Koji in combination with Mash to create rpms, but at the
> moment I'm not signing them and I need to start that now. I'm finding
> it quite hard to find any way that the koji/mash combination can do this
> without me having to create my own mechanism.
Koji does not have an internal signing mechanism. It tracks signatures
and can store differently signed copies of the same rpm efficiently, but
it does not create signatures.
If you import a signed rpm, koji will import the signature. You can
import signatures for an rpm later by using the import-sig subcommand.
The basic tool for signing rpms is rpm itself.
http://docs.fedoraproject.org/drafts/rpm-guide-en/ch11s04.html
To sign an rpm from koji, you should make a copy of the file, sign it
with the appropriate rpm command, and import the signature. Fedora
rel-eng has a script to help automate this. Note that you should not
simply sign the file directly under /mnt/koji, as this causes an
inconsistency between the filesystem and the database (hence the copy step).
https://fedorahosted.org/rel-eng/browser/scripts/sign_unsigned.py
More information about the Fedora-buildsys-list
mailing list