[lsb-discuss] Generate yum repositories for Red Hat/Fedora and SUSE
jeff at licquia.org
Wed Jun 11 10:57:19 PDT 2008
Till Kamppeter wrote:
> The keys for LSB are in ftp://ftp.freestandards.org/pub/lsb/keys-for-rpm/?
> Why so many keys? Can one not simply have one key for all RPM and DEB
> packages on the whole OpenPrinting package repository?
No idea; the key layout predates me.
I don't see why the scheme you described can't work. There is a
security advantage to splitting the keys; you limit the scope of key
compromises *IF* you take steps to segregate the private keys from each
other. Of course, if you just stick all the keys in one private
keyring, you lose nearly all the benefit, and maintaining segregated
keys is a pain.
> Are there such Debian packages for the LSB? Where do I find them and
> where do I find their source packages?
Nope; we haven't gotten that sophisticated yet.
Here's "aptitude search keyring" on my system, pruned a bit:
i debian-archive-keyring - GnuPG archive keys of the Debian
p debian-backports-keyring - GnuPG archive key of the
p debian-edu-archive-keyring - GnuPG archive keys of the Debian
p debian-keyring - GnuPG (and obsolete PGP) keys of
p debian-multimedia-keyring - GnuPG archive key of the
p emdebian-archive-keyring - GnuPG archive keys for the
> Can I define the macros in the /etc/rpm/macros or ~/.rpmmacros on the
> server? Or do they already need to be defined when I build the packages
> before I upload them to the server?
~/.rpmmacros works. I use --define on the command line for mine. And
no, they don't have to be defined until you actually sign the packages.
> Single Debian (source) packages then seem also to be signed to dput them
> onto a distro's build server. Am I correct?
Yes, sorry. I wasn't clear. Signed *source* packages are supported,
and strongly encouraged; you can't get a package into Debian without one
(and Ubuntu is the same, if I remember correctly). Signed *binary*
packages are the thing that no one uses.
> As I sign everything by signing the master files, do I still need to
> sign all the individual RPM files?
In general, yes. If you don't, users can get scary/annoying warnings.
It is redundant, which is why package signing never caught on much in
> How do I do automated signing? Do I have to generate a GPG key without
> password, so that the signing process does not prompt for a password?
> Where on the server do I place the secret keys in the server's file
> system so that not only me but also other admins (and also a system user
> who is owning the cron jobs) can sign the packages and repositories?
> Probably I will need to create a group in /etc/group for all the admins
> and make the secret keys group-readable for this group.
I usually generate a special key for automated signatures, with some
note in the key ID that the key is used for automated sigs. Since the
private key has no pass phrase, you want to let users know how much they
should trust the key.
The group idea should work. You could also make signing a separate job,
and run it under your own UID.
There's a "gpg-agent" as well, which works like "ssh-agent" but for GPG.
I've been wanting to make gpg-agent support possible for LSB work, but
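The question about signing the master files versus every individual RPM comes down to how a yum repository chains its checksums: repomd.xml records the checksum of primary.xml, and primary.xml records the checksum of each package, so one signature over repomd.xml does cover the package contents (which is why per-package signatures are redundant, though rpm still warns without them). The following script is an added example, not code from the thread or from the LSB project; it builds a constructed, namespace-free simplification of the createrepo layout in memory, verifies the chain, and models the GPG check on repomd.xml as a caller-supplied predicate rather than calling gpg. The file names and package bytes are constructed.

```python
"""Verify the checksum chain of a yum/createrepo-style repository (added example).

Chain: signature over repomd.xml -> sha256 of primary.xml -> sha256 of each
package.  The metadata built here is a constructed, namespace-free
simplification of the real createrepo layout (element names match, the
XML namespaces are omitted).  The GPG signature check on repomd.xml is
modelled by a predicate passed in by the caller (assumption, not gpg).
"""
import hashlib
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_repo(packages: Dict[str, bytes]) -> Dict[str, bytes]:
    """Construct repository files (relative path -> bytes) from package contents.

    Returns the packages themselves plus repodata/primary.xml and
    repodata/repomd.xml, each carrying the checksum of the layer below it.
    """
    pkg_entries = "".join(
        f'<package type="rpm"><name>{name}</name>'
        f'<checksum type="sha256" pkgid="YES">{sha256_hex(data)}</checksum>'
        f'<location href="{name}"/></package>'
        for name, data in packages.items()
    )
    primary = f"<metadata>{pkg_entries}</metadata>".encode()
    repomd = (
        '<repomd><data type="primary">'
        f'<checksum type="sha256">{sha256_hex(primary)}</checksum>'
        '<location href="repodata/primary.xml"/></data></repomd>'
    ).encode()
    files = dict(packages)
    files["repodata/primary.xml"] = primary
    files["repodata/repomd.xml"] = repomd
    return files


def verify_repo(files: Dict[str, bytes],
                signature_ok: Callable[[bytes], bool]) -> List[str]:
    """Walk the chain from the signed master file down to every package.

    Returns a list of error strings; an empty list means every file the
    signed repomd.xml vouches for matches its recorded checksum.
    """
    repomd_bytes = files.get("repodata/repomd.xml", b"")
    # Everything below hangs off the signature on the master file.
    if not signature_ok(repomd_bytes):
        return ["repodata/repomd.xml: signature invalid"]
    errors: List[str] = []
    for data in ET.fromstring(repomd_bytes).findall("data"):
        href = data.find("location").get("href")
        expected = data.find("checksum").text
        blob = files.get(href)
        if blob is None or sha256_hex(blob) != expected:
            errors.append(f"{href}: checksum mismatch")
            continue  # do not trust package checksums from a bad primary.xml
        if data.get("type") != "primary":
            continue
        for pkg in ET.fromstring(blob).findall("package"):
            pkg_href = pkg.find("location").get("href")
            pkg_expected = pkg.find("checksum").text
            pkg_blob = files.get(pkg_href)
            if pkg_blob is None or sha256_hex(pkg_blob) != pkg_expected:
                errors.append(f"{pkg_href}: checksum mismatch")
    return errors


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean repo, a swapped package, a bad signature."""
    files = build_repo({
        "foo-1.0-1.noarch.rpm": b"constructed package bytes for foo",
        "bar-2.3-1.noarch.rpm": b"constructed package bytes for bar",
    })
    tampered = dict(files)
    tampered["foo-1.0-1.noarch.rpm"] = b"replaced after signing"
    return {
        "clean": verify_repo(files, lambda _: True),
        "tampered_package": verify_repo(tampered, lambda _: True),
        "bad_signature": verify_repo(files, lambda _: False),
    }


if __name__ == "__main__":
    for case, errs in demo().items():
        print(f"{case}: {errs or 'OK'}")
```

Replacing the package bytes after signing shows up as a checksum mismatch without touching repomd.xml or its signature, which is the property the master-file signature gives you; a real client (yum/dnf) performs the same walk, but still emits the per-package warning the thread mentions when the RPM header itself carries no signature.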