[lsb-discuss] Generate yum repositories for Red Hat/Fedora and SUSE

Jeff Licquia jeff at licquia.org
Tue Jun 10 18:51:24 PDT 2008


Till Kamppeter wrote:
> I am not familiar with the signing techniques on package repository 
> servers. Here I would very much appreciate if someone could tell here 
> how to sign the packages and/or index files so that distro tools do both 
> the initial installation of a driver and also do automatic updates. Tell 
> also where to place the public keys so that distros can download and 
> ship them.

Shipping keys is easy, no matter what package system:

gpg --export --armor <key-id>

That should output a block of stuff that starts with:

-----BEGIN PGP PUBLIC KEY BLOCK-----

Just put that file somewhere, and tell people how to download it.  It 
can also be helpful to upload your key to the public key servers.  Best 
practice for apt on Debian-based systems is to create a Debian package 
that does the work of installing the key.

Signing RPMs is a matter of:

rpm --resign <pkg>

You have to set RPM macros to tell RPM which key to use, etc.  The man 
page for rpm has all the details.

There is a way to sign Debian packages, but no one uses it. 
Debian-based distros rely on apt repository signing instead.

Both apt and yum have you sign a master index file.  This file then 
contains checksums for all the other files in the repository, so signing 
a single file signs the entire repository.

For yum, that file is "repodata/repodata.xml".  Here's a command line to 
sign that:

gpg -sab -u <key-id> -o repodata/repomd.xml.asc repodata/repomd.xml

For apt, the file is called "Release".  If you look at a sources.list 
line, it looks like this:

deb <site> <reponame> <section> [<section> ...]

Using this scheme, the Release file should be at this path:

<site>/dists/<reponame>/Release

You sign that file the same way you sign repomd.xml for yum, except that 
the output file should be called "Release.gpg".

If this is confusing, you can see how the LSB does this by looking at 
the "bundling" project in the LSB bzr repositories.  This project should 
have a "repo" subdirectory that does all this in an automated fashion.
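
The following is an added example, not part of the original message and not the LSB project's code. It shows why one signature on the apt "Release" file covers the whole repository: once Release has been verified (assumed here to have been done already with gpg against Release.gpg), every file it lists can be checked against the SHA256 block. The repository tree, package name and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_release_sha256(release_text):
    """Map relative path -> (sha256 hex, size) from the SHA256 block of an apt Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_block = False  # any other field ends the block
    return entries

def verify_against_release(dist_dir):
    """Return a list of (path, problem) for files that do not match Release; empty means all match."""
    entries = parse_release_sha256(Path(dist_dir, "Release").read_text(encoding="utf-8"))
    problems = []
    for path, (digest, size) in sorted(entries.items()):
        target = Path(dist_dir, path)
        data = target.read_bytes() if target.is_file() else None
        if data is None:
            problems.append((path, "missing"))  # strict policy chosen for this example
        elif len(data) != size:
            problems.append((path, "size mismatch"))
        elif hashlib.sha256(data).hexdigest() != digest:
            problems.append((path, "checksum mismatch"))
    return problems

def build_demo_repo(root):
    """Constructed sample: dists/demo with one Packages index and a Release listing it."""
    dist_dir = Path(root) / "dists" / "demo"
    rel_path = "main/binary-amd64/Packages"
    packages = b"Package: demo-driver\nVersion: 1.0\n"
    (dist_dir / rel_path).parent.mkdir(parents=True)
    (dist_dir / rel_path).write_bytes(packages)
    digest = hashlib.sha256(packages).hexdigest()
    (dist_dir / "Release").write_text(
        "Suite: demo\nSHA256:\n %s %d %s\n" % (digest, len(packages), rel_path), encoding="utf-8")
    return dist_dir, rel_path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        dist_dir, rel_path = build_demo_repo(tmp)
        print("untouched:", verify_against_release(dist_dir))
        # Same-length edit to the index: only the checksum in Release catches it.
        (dist_dir / rel_path).write_bytes(b"Package: demo-driver\nVersion: 9.0\n")
        print("tampered: ", verify_against_release(dist_dir))
```

Any change to a listed file shows up as a mismatch unless Release is changed too, and changing Release invalidates the detached signature.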
