[lsb-discuss] Generate yum repositories for Red Hat/Fedora and SUSE
till.kamppeter at gmail.com
Wed Jun 11 06:43:31 PDT 2008
Jeff Licquia wrote:
> Till Kamppeter wrote:
>> I am not familiar with the signing techniques on package repository
>> servers. Here I would very much appreciate if someone could tell here
>> how to sign the packages and/or index files so that distro tools do
>> both the initial installation of a driver and also do automatic
>> updates. Tell also where to place the public keys so that distros can
>> download and ship them.
> Shipping keys is easy, no matter what package system:
> gpg --export --armor <key-id>
The keys for LSB are in ftp://ftp.freestandards.org/pub/lsb/keys-for-rpm/?
Why so many keys? Can one not simply have one key for all RPM and DEB
packages on the whole OpenPrinting package repository?
> That should output a block of stuff that starts with:
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> Just put that file somewhere, and tell people how to download it. It
> can also be helpful to upload your key to the public key servers. Best
> practice for apt on Debian-based systems is to create a Debian package
> that does the work of installing the key.
Are there such Debian packages for the LSB? Where do I find them and
where do I find their source packages?
> Signing RPMs is a matter of:
> rpm --resign <pkg>
> You have to set RPM macros to tell RPM which key to use, etc. The man
> page for rpm has all the details.
Can I define the macros in the /etc/rpm/macros or ~/.rpmmacros on the
server? Or do they already need to be defined when I build the packages
before I upload them to the server?
> There is a way to sign Debian packages, but no one uses it. Debian-based
> distros rely on apt repository signing instead.
Single Debian (source) packages then also seem to be signed in order to dput them
onto a distro's build server. Am I correct?
> Both apt and yum have you sign a master index file. This file then
> contains checksums for all the other files in the repository, so signing
> a single file signs the entire repository.
> For yum, that file is "repodata/repodata.xml". Here's a command line to
> sign that:
> gpg -sab -u <key-id> -o repodata/repomd.xml.asc repodata/repomd.xml
> For apt, the file is called "Release". If you look at a sources.list
> line, it looks like this:
> deb <site> <reponame> <section> [<section> ...]
> Using this scheme, the Release file should be at this path:
> You sign that file the same way you sign repomd.xml for yum, except that
> the output file should be called "Release.gpg".
As I sign everything by signing the master files, do I still need to
sign all the individual RPM files?
> If this is confusing, you can see how the LSB does this by looking at
> the "bundling" project in the LSB bzr repositories. This project should
> have a "repo" subdirectory that does all this in an automated fashion.
How do I do automated signing? Do I have to generate a GPG key without
password, so that the signing process does not prompt for a password?
Where on the server do I place the secret keys in the server's file
system so that not only me but also other admins (and also a system user
who is owning the cron jobs) can sign the packages and repositories?
Probably I will need to create a group in /etc/group for all the admins
and make the secret keys group-readable for this group.
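The unattended signing flow discussed in this thread, as an added example that is not code from the thread, the LSB "bundling" project or OpenPrinting: it generates a passphrase-less, signing-only key in a private GNUPGHOME (so cron can use it without a prompt), exports the armored public key that distros would ship, builds a constructed repository whose index lists the package checksum, detach-signs that index with `gpg -sab` exactly as Jeff describes for repomd.xml (the same command produces Release.gpg for apt), verifies it, and shows that a modified index no longer verifies. Key names, the e-mail address and the fake package are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the lsb-discuss thread or the LSB tools):
# unattended detached-signing of a repository index with a passphrase-less
# key kept in its own GNUPGHOME, plus client-side verification of the result.
set -eu

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not installed; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"   # dedicated keyring, not an admin's personal one
mkdir -m 700 "$GNUPGHOME"
REPO="$WORK/repo"
KEYID=""

digest() {   # sha256 of $1, coreutils or perl shasum
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# 1. Signing-only key with no passphrase (%no-protection) so a cron job can sign.
make_signing_key() {
    cat > "$WORK/keyparams" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Example Repository Signing Key
Name-Email: repo-signing@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --batch --quiet --gen-key "$WORK/keyparams"
    # fingerprint is field 10 of the "fpr" record in --with-colons output
    KEYID=$(gpg --batch --list-keys --with-colons | awk -F: '/^fpr:/ {print $10; exit}')
}

# 2. Constructed repository: one fake package and an index carrying its checksum,
#    so a signature over the index also covers the package file.
build_repo() {
    mkdir -p "$REPO/repodata"
    printf 'not a real rpm, constructed for the example\n' > "$REPO/example-1.0-1.noarch.rpm"
    SUM=$(digest "$REPO/example-1.0-1.noarch.rpm")
    cat > "$REPO/repodata/repomd.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<repomd><data type="primary"><checksum type="sha256">$SUM</checksum></data></repomd>
EOF
}

# 3. Armored public key: the file users download and distros ship.
export_public_key() {
    gpg --batch --export --armor "$KEYID" > "$REPO/RPM-GPG-KEY-example"
}

# 4. Detached ASCII-armored signature of the index ($1 -> $2).
#    For apt the same call is run on Release with output Release.gpg.
sign_index() {
    gpg --batch --yes -sab -u "$KEYID" -o "$2" "$1"
}

# 5. What a client does after importing the public key: non-zero on any failure.
verify_index() {
    gpg --batch --verify "$2" "$1" 2>/dev/null
}

# 6. A modified index must be rejected by the signature that was made over the original.
tamper_check() {
    cp "$REPO/repodata/repomd.xml" "$WORK/tampered.xml"
    printf '<!-- appended after signing -->\n' >> "$WORK/tampered.xml"
    if verify_index "$WORK/tampered.xml" "$REPO/repodata/repomd.xml.asc"; then
        return 1
    fi
    return 0
}

make_signing_key
build_repo
export_public_key
sign_index "$REPO/repodata/repomd.xml" "$REPO/repodata/repomd.xml.asc"
verify_index "$REPO/repodata/repomd.xml" "$REPO/repodata/repomd.xml.asc" && echo "index signature OK"
tamper_check && echo "tampered index rejected"
head -n1 "$REPO/RPM-GPG-KEY-example"
```

On a real server the GNUPGHOME would belong to the single system user that owns the signing cron job (mode 700), and other admins would run the signing script through sudo as that user rather than reading a group-readable secret key directly; that keeps one copy of the key, one audit trail, and no passphrase to distribute.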