[lsb-discuss] Generate yum repositories for Red Hat/Fedora and SUSE

Till Kamppeter till.kamppeter at gmail.com
Wed Jun 11 06:43:31 PDT 2008

Jeff Licquia wrote:
> Till Kamppeter wrote:
>> I am not familiar with the signing techniques on package repository 
>> servers. Here I would very much appreciate if someone could tell here 
>> how to sign the packages and/or index files so that distro tools do 
>> both the initial installation of a driver and also do automatic 
>> updates. Tell also where to place the public keys so that distros can 
>> download and ship them.
> Shipping keys is easy, no matter what package system:
> gpg --export --armor <key-id>

The keys for LSB are in ftp://ftp.freestandards.org/pub/lsb/keys-for-rpm/?

Why so many keys? Can one not simply have one key for all RPM and DEB 
packages on the whole OpenPrinting package repository?

> That should output a block of stuff that starts with:
> Just put that file somewhere, and tell people how to download it.  It 
> can also be helpful to upload your key to the public key servers.  Best 
> practice for apt on Debian-based systems is to create a Debian package 
> that does the work of installing the key.

Are there such Debian packages for the LSB? Where do I find them and 
where do I find their source packages?

> Signing RPMs is a matter of:
> rpm --resign <pkg>
> You have to set RPM macros to tell RPM which key to use, etc.  The man 
> page for rpm has all the details.

Can I define the macros in the /etc/rpm/macros or ~/.rpmmacros on the 
server? Or do they already need to be defined when I build the packages 
before I upload them to the server?

> There is a way to sign Debian packages, but no one uses it. Debian-based 
> distros rely on apt repository signing instead.

Single Debian (source) packages then seem also to be signed to dput them 
onto a distro's build server. Am I correct?

> Both apt and yum have you sign a master index file.  This file then 
> contains checksums for all the other files in the repository, so signing 
> a single file signs the entire repository.
> For yum, that file is "repodata/repodata.xml".  Here's a command line to 
> sign that:
> gpg -sab -u <key-id> -o repodata/repomd.xml.asc repodata/repomd.xml
> For apt, the file is called "Release".  If you look at a sources.list 
> line, it looks like this:
> deb <site> <reponame> <section> [<section> ...]
> Using this scheme, the Release file should be at this path:
> <site>/dists/<reponame>/Release
> You sign that file the same way you sign repomd.xml for yum, except that 
> the output file should be called "Release.gpg".

As I sign everything by signing the master files, do I still need to 
sign all the individual RPM files?

> If this is confusing, you can see how the LSB does this by looking at 
> the "bundling" project in the LSB bzr repositories.  This project should 
> have a "repo" subdirectory that does all this in an automated fashion.

How do I do automated signing? Do I have to generate a GPG key without 
password, so that the signing process does not prompt for a password? 
Where on the server do I place the secret keys in the server's file 
system so that not only me but also other admins (and also a system user 
who is owning the cron jobs) can sign the packages and repositories? 
Probably I will need to create a group in /etc/group for all the admins 
and make the secret keys group-readable for this group.


More information about the lsb-discuss mailing list