
Re: Package Signing/GPG Key Management Questions



On Wednesday 09 August 2006 18:52, Michael Schwendt wrote:
> > How does the Extras package signing process differ from Base/Updates?
>
> Only somebody who knows the Core signing-process can answer that.

Core works like this.

We have a database that holds a collection of packages.  It knows where these
packages live on the file system.  When it comes to release time, I run a
script that checks for a specific gpg sig on every package in the collection.
If the signature isn't there, it gets rpm-signed (prompting me for the
passphrase).  Once every package is signed with the right key, then I spin a
tree for release.

Updates work somewhat like Extras.  A developer builds a package for an
update, uses a web tool to request the package be released as an update
(filling in things like why the update exists, what bugs it might fix,
whether it's for -testing or final updates, etc.).  I get alerted that there is
a pending update and I use a tool to move the package to the correct package
collection, sign the package, toss it in a staging area for updates, sync it
out to the outside world, and send the email the developer created.

VERY few people know the passphrase for the fedora-testing and fedora-final 
key.

-- 
Jesse Keating
Release Engineer: Fedora


