Package Signing/GPG Key Management Questions

Jesse Keating jkeating at redhat.com
Thu Aug 10 03:16:10 UTC 2006


On Wednesday 09 August 2006 18:52, Michael Schwendt wrote:
> > How does the Extras package signing process differ from Base/Updates?
>
> Only somebody who knows the Core signing-process can answer that.

Core works like this.

We have a database that holds a collection of packages.  It knows where these 
packages live on the file system.  When it comes to release time, I run a 
script that checks for a specific gpg sig on every package in the collection.  
If the signature isn't there, rpm sign it (prompting me for the passphrase).  
Once every package is signed with the right key, then I spin a tree for 
release.

Updates work somewhat like Extras.  A developer builds a package for an 
update, uses a web tool to request the package be released as an update 
(filling in things like why the update exists, what bugs it might fix, 
whether it's for -testing or final updates, etc.).  I get alerted that there is 
a pending update and I use a tool to move the package to the correct package 
collection, sign the package, toss it in a staging area for updates, 
sync it out to the outside world, and send the email the developer created.

VERY few people know the passphrase for the fedora-testing and fedora-final 
key.

-- 
Jesse Keating
Release Engineer: Fedora
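The Core release check described above, written out as an added example (not the release engineering tool Jesse refers to): it queries each package's signature tags with rpm's own `--qf` format, reports every package that does not carry the one expected key, and builds the `rpm --addsign` command for those packages, which is the step that prompts for the passphrase. The rpm query tags (`RSAHEADER`, `DSAHEADER`, `SIGPGP`, `SIGGPG` with the `:pgpsig` formatter) are real; the key ID, package names and sample query output are constructed for the example.

```python
import re
import subprocess
from typing import Dict, List

# rpm's pgpsig formatter ends each signature field with the signing key ID,
# e.g. "RSA/SHA1, Wed 09 Aug 2006 03:16:10 UTC, Key ID 0123456789abcdef".
# Older rpm prints an 8-hex-digit ID, newer a 16-digit one; accept both.
KEY_ID_RE = re.compile(r"Key ID ([0-9a-f]{8,16})$", re.IGNORECASE)

# Real rpm query tags: header-only signatures (RSA/DSA) and the legacy
# header+payload signatures (PGP/GPG). Unsigned packages print "(none)".
SIG_QUERY = "%{RSAHEADER:pgpsig}|%{DSAHEADER:pgpsig}|%{SIGPGP:pgpsig}|%{SIGGPG:pgpsig}"


def signing_key_ids(qf_output: str) -> List[str]:
    """Return the lowercase key IDs found in one package's '|'-joined query output."""
    ids = []
    for field in qf_output.strip().split("|"):
        match = KEY_ID_RE.search(field.strip())
        if match:
            ids.append(match.group(1).lower())
    return ids


def query_signature(package_path: str) -> str:
    """Ask rpm for the signature fields of one package file (needs rpm installed)."""
    return subprocess.check_output(
        ["rpm", "-qp", "--qf", SIG_QUERY + "\n", package_path], text=True
    )


def packages_needing_signature(collection: Dict[str, str], expected_key_id: str) -> List[str]:
    """Packages whose signature fields lack the expected key.

    `collection` maps package path -> raw query output from query_signature().
    A package signed by some other key is reported too: the release check is
    for one specific key, not for "any signature".
    """
    wanted = expected_key_id.lower()
    return sorted(path for path, output in collection.items()
                  if wanted not in signing_key_ids(output))


def addsign_command(unsigned: List[str]) -> List[str]:
    """argv for signing the reported packages; rpm prompts for the passphrase."""
    return ["rpm", "--addsign", *unsigned]


# Constructed sample (hypothetical key ID and package names, not real Fedora data).
EXPECTED_KEY = "0123456789abcdef"
SAMPLE_COLLECTION = {
    # signed with the expected key, legacy header+payload signature
    "foo-1.0-1.noarch.rpm": "(none)|(none)|RSA/SHA1, Wed 09 Aug 2006 03:16:10 UTC, Key ID 0123456789ABCDEF|(none)",
    # never signed
    "bar-2.0-1.noarch.rpm": "(none)|(none)|(none)|(none)",
    # signed, but with a different (e.g. testing) key
    "baz-3.1-2.noarch.rpm": "(none)|(none)|DSA/SHA1, Wed 09 Aug 2006 03:16:10 UTC, Key ID fedcba9876543210|(none)",
}


def check_collection(collection: Dict[str, str] = SAMPLE_COLLECTION,
                     expected_key_id: str = EXPECTED_KEY) -> List[str]:
    """Run the release check over a collection and return what still needs signing."""
    return packages_needing_signature(collection, expected_key_id)


if __name__ == "__main__":
    pending = check_collection()
    if pending:
        print("needs signing:", " ".join(pending))
        print("run:", " ".join(addsign_command(pending)))
    else:
        print("all packages signed with", EXPECTED_KEY)
```

Against a real collection, replace the sample dictionary with `{path: query_signature(path) for path in paths}`; the check deliberately treats "signed with the wrong key" the same as "unsigned", since a tree spun for release must carry exactly the release key.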