[fedora-virt] GPG signatures for Rawhide virt repo
Ján ONDREJ (SAL)
ondrejj at salstar.sk
Fri Jun 5 11:21:40 UTC 2009
Hello,
Mark, can you please add signatures to the virt-preview packages? Installing
totally unsigned packages on my machine is not a good idea, because I
don't know if they were changed by an attacker on the internet. Installation
runs with root privileges, so everything is possible.
To add signatures, you can be inspired by my scripts. You can safely run the "rpm
--sign" command on all packages before createrepo. My script uses
libskippass.so so that no password is required for the signing key.
You need to create .rpmmacros, where signing key is defined:
%_signature gpg
%_gpg_path /home/YOURLOGIN/.gnupg
%_gpg_name YOUR_KEY_NAME
My libskippass.c, if you need it:
----------------------------
// compile with: gcc -shared -fPIC -o libskippass.so skippass.c
#include <stdio.h>
#include <unistd.h>

// LD_PRELOAD shim: replaces libc's getpass(3) so that "rpm --addsign" gets an
// empty passphrase instead of prompting (the signing key must have none).
// getpass() returns a static buffer, so hand back a static empty string.
char *getpass(const char *prompt) {
    static char empty[] = "";
    printf("%s <<< SKIPPED! >>>\n", prompt);
    return empty;
}
----------------------------
And finally signing command:
LD_PRELOAD=/lib/libskippass.so rpm --addsign /path/to/your/packages/*/*.rpm \
2>&1 | grep -v -e 'was already signed by key' -e ':$'
The output of this command is filtered so as not to show already signed packages.
Now you only need to create your new GPG key, distribute the public key and
start signing with the private key.
I think signed packages with a potentially insecure key are much better than
totally unsigned ones, but you can also use a key for your signing key.
SAL
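The sign-then-publish flow from the mail, written out as an added example (this is not the author's script and not part of the fedora-virt project): it signs every package with the LD_PRELOAD shim, then refuses to run createrepo while any package is still unsigned, and shows the consumer-side check. The repository path, the shim location /lib/libskippass.so and the key name in ~/.rpmmacros are assumptions; the `signature_present` helper inspects the `%{SIGPGP:pgpsig}` / `%{SIGGPG:pgpsig}` header tags, for which rpm prints "(none)" when no signature is stored.

```shell
#!/bin/sh
# Added example, not from the original mail. Signs all RPMs under a tree,
# verifies that each one now carries a GPG/PGP signature, and only then runs
# createrepo. Assumed: the shim from the mail lives at /lib/libskippass.so and
# ~/.rpmmacros names the signing key (see %_gpg_name above).
set -eu

SHIM="${SKIPPASS_SO:-/lib/libskippass.so}"   # assumption: shim path

# Classify the output of rpm's signature query for one package.
# rpm prints "(none)" for an absent tag, so an unsigned package yields
# "(none)(none)", while a signed one contains ", Key ID <fingerprint>".
# Returns 0 when a signature is present, 1 otherwise.
signature_present() {
    case "$1" in
        *"Key ID "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print the raw signature tags of one .rpm file. --nosignature keeps rpm from
# complaining about a not-yet-imported key while we only read the header.
package_sig() {
    rpm -qp --nosignature --qf '%{SIGPGP:pgpsig}%{SIGGPG:pgpsig}\n' "$1"
}

# Sign every package, exactly as the mail does: the shim answers the
# passphrase prompt, and the grep hides the "already signed" chatter.
sign_all() {
    LD_PRELOAD="$SHIM" rpm --addsign "$1"/*/*.rpm 2>&1 \
        | grep -v -e 'was already signed by key' -e ':$' || true
}

# List every package under the tree that still has no signature.
unsigned_packages() {
    for f in "$1"/*/*.rpm; do
        signature_present "$(package_sig "$f")" || printf '%s\n' "$f"
    done
}

# Consumer side: import the distributed public key once, then --checksig
# reports OK only for packages signed by a key rpm knows about.
consumer_check() {
    rpm --import "$1" && rpm --checksig "$2"/*/*.rpm
}

main() {
    repo_dir="$1"
    sign_all "$repo_dir"
    left=$(unsigned_packages "$repo_dir")
    if [ -n "$left" ]; then
        printf 'refusing to run createrepo, unsigned packages remain:\n%s\n' \
            "$left" >&2
        exit 1
    fi
    createrepo "$repo_dir"
}

# Usage: sh sign-and-check.sh /path/to/your/packages
# With no argument the script only defines its functions (so it can be sourced).
[ $# -eq 0 ] || main "$1"
```

A repository served over plain HTTP is only as trustworthy as this check plus `gpgcheck=1` in the consumer's .repo file; the script therefore treats a single unsigned package as a reason to publish nothing, rather than filtering it out of the listing.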