[lsb-discuss] Generate yum repositories for Red Hat/Fedora and SUSE

Jeff Licquia jeff at licquia.org
Wed Jun 11 10:57:19 PDT 2008

Till Kamppeter wrote:
> The keys for LSB are in ftp://ftp.freestandards.org/pub/lsb/keys-for-rpm/?


> Why so many keys? Can one not simply have one key for all RPM and DEB 
> packages on the whole OpenPrinting package repository?

No idea; the key layout predates me.

I don't see why the scheme you described can't work.  There is a 
security advantage to splitting the keys; you limit the scope of key 
compromises *IF* you take steps to segregate the private keys from each 
other.  Of course, if you just stick all the keys in one private 
keyring, you lose nearly all the benefit, and maintaining segregated 
keys is a pain.

> Are there such Debian packages for the LSB? Where do I find them and 
> where do I find their source packages?

Nope; we haven't gotten that sophisticated yet.

Here's "aptitude search keyring" on my system, pruned a bit:

i   debian-archive-keyring          - GnuPG archive keys of the Debian 
p   debian-backports-keyring        - GnuPG archive key of the 
backports.org rep
p   debian-edu-archive-keyring      - GnuPG archive keys of the Debian 
Edu archi
p   debian-keyring                  - GnuPG (and obsolete PGP) keys of 
Debian De
p   debian-multimedia-keyring       - GnuPG archive key of the 
p   emdebian-archive-keyring        - GnuPG archive keys for the 
emdebian reposi

> Can I define the macros in the /etc/rpm/macros or ~/.rpmmacros on the 
> server? Or do they already need to be defined when I build the packages 
> before I upload them to the server?

~/.rpmmacros works.  I use --define on the command line for mine.  And 
no, they don't have to be defined until you actually sign the packages.

> Single Debian (source) packages then seem also to be signed to dput them 
> onto a distro's build server. Am I correct?

Yes, sorry.  I wasn't clear.  Signed *source* packages are supported, 
and strongly encouraged; you can't get a package into Debian without one 
(and Ubuntu is the same, if I remember correctly).  Signed *binary* 
packages are the thing that no one uses.

> As I sign everything by signing the master files, do I still need to 
> sign all the individual RPM files?

In general, yes.  If you don't, users can get scary/annoying warnings.

It is redundant, which is why package signing never caught on much in 

> How do I do automated signing? Do I have to generate a GPG key without 
> password, so that the signing process does not prompt for a password? 
> Where on the server do I place the secret keys in the server's file 
> system so that not only me but also other admins (and also a system user 
> who is owning the cron jobs) can sign the packages and repositories? 
> Probably I will need to create a group in /etc/group for all the admins 
> and make the secret keys group-readable for this group.

I usually generate a special key for automated signatures, with some 
note in the key ID that the key is used for automated sigs.  Since the 
private key has no pass phrase, you want to let users know how much they 
should trust the key.

The group idea should work.  You could also make signing a separate job, 
and run it under your own UID.

There's a "gpg-agent" as well, which works like "ssh-agent" but for GPG. 
  I've been wanting to make gpg-agent support possible for LSB work, but 
haven't yet.

More information about the lsb-discuss mailing list