[fedora-virt] GPG signatures for Rawhide virt repo

Ján ONDREJ (SAL) ondrejj at salstar.sk
Fri Jun 5 11:21:40 UTC 2009


  Mark, can you please add signatures to vire-preview packages? Installation
of totally unsigned packages on my machine is not a good idea, because I
don't know, if they was changed by an attacker on internet. Installation
works with root privileges, so everything is possible.

  To add signatures, you can be inspired by my scripts. You can run "rpm
--sign" command before createrepo on all packages safely. My script uses
libskippass.so to do not require password for singning key.

  You need to create .rpmmacros, where signing key is defined:
%_signature     gpg
%_gpg_path      /home/YOURLOGIN/.gnupg
%_gpg_name      YOUR_KEY_NAME

  My libskippass.c, if you need it:
// compile with: gcc -shared -o libskippass.so skippass.c
#include <stdio.h>

char *getpass(const char *prompt) {
  char *p = "";
  printf("%s <<< SKIPPED! >>>\n", prompt);
  return p;

  And finally signing command:
LD_PRELOAD=/lib/libskippass.so rpm --addsign /path/to/your/packages/*/*.rpm \
  2>&1 | grep -v -e 'was already signed by key' -e ':$'

Output of this command is filtered to do not show already signed packages.

  Now you only need to create your new GPG key, distribute public key and
start to sign with private key.

  I think signed packages with potentially insecure key is much better, like
totally unsigned, but you also can use a key for your signing key.


More information about the Fedora-virt mailing list