[lsb-discuss] Generate yum repositories for Red Hat/Fedora and SUSE
jeff at licquia.org
Tue Jun 10 18:51:24 PDT 2008
Till Kamppeter wrote:
> I am not familiar with the signing techniques on package repository
> servers. Here I would very much appreciate if someone could tell here
> how to sign the packages and/or index files so that distro tools do both
> the initial installation of a driver and also do automatic updates. Tell
> also where to place the public keys so that distros can download and
> ship them.
Shipping keys is easy, no matter what package system:

    gpg --export --armor <key-id>

That should output a block of stuff that starts with:

    -----BEGIN PGP PUBLIC KEY BLOCK-----

Just put that file somewhere, and tell people how to download it. It
can also be helpful to upload your key to the public key servers. Best
practice for apt on Debian-based systems is to create a Debian package
that does the work of installing the key.
Signing RPMs is a matter of:

    rpm --resign <pkg>

You have to set RPM macros to tell RPM which key to use, etc. The man
page for rpm has all the details.
There is a way to sign Debian packages, but no one uses it.
Debian-based distros rely on apt repository signing instead.
Both apt and yum have you sign a master index file. This file then
contains checksums for all the other files in the repository, so signing
a single file signs the entire repository.
For yum, that file is "repodata/repodata.xml". Here's a command line to

    gpg -sab -u <key-id> -o repodata/repomd.xml.asc repodata/repomd.xml

For apt, the file is called "Release". If you look at a sources.list
line, it looks like this:

    deb <site> <reponame> <section> [<section> ...]

Using this scheme, the Release file should be at this path:
You sign that file the same way you sign repomd.xml for yum, except that
the output file should be called "Release.gpg".
If this is confusing, you can see how the LSB does this by looking at
the "bundling" project in the LSB bzr repositories. This project should
have a "repo" subdirectory that does all this in an automated fashion.
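
Added example, not part of the original message or of the LSB "bundling" project: a client-side sketch of why signing the one index file covers the whole repository, checking every file listed in an apt Release file against its recorded size and checksum. It assumes the Release signature has already been verified (for instance with `gpg --verify Release.gpg Release`), that the index carries a `SHA256:` section, and it builds a small constructed repository in a temporary directory; all function names are hypothetical.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_release_sha256(text):
    """Return {relative_path: (hex_digest, size)} from the SHA256 section."""
    entries, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, rel = line.split(None, 2)
            entries[rel] = (digest, int(size))
        else:
            in_section = False  # any other field ends the section
    return entries

def verify_repo(dist_dir):
    """Check each file listed in dist_dir/Release; return [(path, problem)]."""
    with open(os.path.join(dist_dir, "Release")) as f:
        entries = parse_release_sha256(f.read())
    problems = []
    for rel, (digest, size) in entries.items():
        path = os.path.join(dist_dir, rel)
        if not os.path.isfile(path):
            problems.append((rel, "missing"))
        elif os.path.getsize(path) != size:
            problems.append((rel, "size mismatch"))
        elif sha256_file(path) != digest:
            problems.append((rel, "checksum mismatch"))
    return problems

def build_sample_repo():
    """Constructed sample: one Packages index and a Release that lists it."""
    dist = tempfile.mkdtemp()
    os.makedirs(os.path.join(dist, "main", "binary-i386"))
    pkgs = os.path.join(dist, "main", "binary-i386", "Packages")
    with open(pkgs, "w") as f:
        f.write("Package: sample-driver\nVersion: 1.0\n")
    with open(os.path.join(dist, "Release"), "w") as f:
        f.write("Suite: sample\nSHA256:\n %s %d main/binary-i386/Packages\n"
                % (sha256_file(pkgs), os.path.getsize(pkgs)))
    return dist, pkgs
```

A file that is swapped after the index was signed shows up as a mismatch even though it carries no signature of its own.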