Difference between revisions of "Cdot sigul sop"
Line 6: | Line 6: | ||
== Creating A Key == | == Creating A Key == | ||
+ | |||
If a new key is to be created for the signing process the following step must be taken to do so in compliance with primary arch key generation SOP. | If a new key is to be created for the signing process the following step must be taken to do so in compliance with primary arch key generation SOP. | ||
− | + | === Create a new key === | |
− | + | Create the key using a strong passphrase when prompted | |
− | |||
− | |||
<pre> | <pre> | ||
$ sigul new-key --key-admin aeboccia --name-real Fedora-ARM \ | $ sigul new-key --key-admin aeboccia --name-real Fedora-ARM \ | ||
--name-comment 14 \ | --name-comment 14 \ | ||
--name-email fedora@fedoraproject.org fedora-14-arm | --name-email fedora@fedoraproject.org fedora-14-arm | ||
− | </pre | + | </pre> |
− | + | Wait a while for entropy. This can take several minutes. | |
− | + | ||
+ | === Grant key access to user === | ||
+ | |||
+ | Grant key access to any users who will be using it to sign packages | ||
<pre> | <pre> | ||
$ sigul grant-key-access fedora-14-arm aeboccia | $ sigul grant-key-access fedora-14-arm aeboccia | ||
</pre> | </pre> | ||
− | + | Once the key has been created you can continue on to prep for signing. | |
== Signing prep == | == Signing prep == | ||
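Review bot: the grant-key-access example in this hunk grants access to aeboccia, the same user passed as --key-admin in the new-key command above it, so it does not show the case the new sentence describes (other users who will sign packages). Use a placeholder username in the example, and make the new "Create the key using a strong passphrase when prompted" line say what counts as strong and where the passphrase is to be kept.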
Line 30: | Line 32: | ||
For signing, the script sigulsign_unsigned is used. In order to use the new key with the script it's ID must be added. | For signing, the script sigulsign_unsigned is used. In order to use the new key with the script it's ID must be added. | ||
− | To obtain the ID issue the following on Ireland | + | === Obtain the ID === |
+ | |||
+ | To obtain the ID issue the following on Ireland: | ||
<pre> | <pre> | ||
$ sigul get-public-key > keyblock | $ sigul get-public-key > keyblock | ||
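Review bot: the get-public-key command under the new "Obtain the ID" heading names no key, so the reader cannot tell which key's public block ends up in keyblock. Name the key in the example (fedora-14-arm is the one used elsewhere on the page), and while touching this section change "it's ID" to "its ID" in the line above the heading.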
Line 37: | Line 41: | ||
From that output on the PUB line copy the Code after the / usually this code starts with a letter for example B207AABC <br /> | From that output on the PUB line copy the Code after the / usually this code starts with a letter for example B207AABC <br /> | ||
− | The next step is to add it to the sigulsign_unsigned script | + | === Modify sigulsign_unsigned.py === |
+ | |||
+ | The next step is to add it to the sigulsign_unsigned script: | ||
<pre> | <pre> | ||
Line 54: | Line 60: | ||
</pre> | </pre> | ||
− | Close and Save the | + | Close and Save the script. |
== Signing == | == Signing == | ||
Line 61: | Line 67: | ||
<pre> | <pre> | ||
− | |||
$ screen -t SigulSigning | $ screen -t SigulSigning | ||
$ ./sigulsign_unsigned.py -v -v --write-all --inherit --arch=arm --tag=dist-f14 --password=<keypassphrase> fedora-14-arm | $ ./sigulsign_unsigned.py -v -v --write-all --inherit --arch=arm --tag=dist-f14 --password=<keypassphrase> fedora-14-arm | ||
+ | </pre> | ||
− | + | The tag option is set to the tag within koji under which all the packages to be signed currently reside. | |
− | |||
− |
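Review bot: the signing command kept in this hunk passes the key passphrase as --password=<keypassphrase> on the command line, where it is stored in shell history and is visible in the process list for the whole long-running screen session. The SOP should say how to supply the passphrase without putting it in the argument list, or at least tell the operator to keep the command out of shell history.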
Revision as of 12:54, 19 May 2015
CDOT Sigul Signing SOP
The following documents the process for correctly signing packages for Fedora-ARM. Please be sure to follow these steps to the letter; if you have any complications, direct your questions to aeboccia on IRC.
Creating A Key
If a new key is to be created for the signing process, the following steps must be taken to do so in compliance with the primary arch key generation SOP.
Create a new key
Create the key using a strong passphrase when prompted:
<pre>
$ sigul new-key --key-admin aeboccia --name-real Fedora-ARM \
        --name-comment 14 \
        --name-email fedora@fedoraproject.org fedora-14-arm
</pre>
Wait a while for entropy. This can take several minutes.
Grant key access to user
Grant key access to any users who will be using it to sign packages:
<pre>
$ sigul grant-key-access fedora-14-arm aeboccia
</pre>
Once the key has been created you can continue on to prep for signing.
Signing prep
For signing, the script sigulsign_unsigned is used. In order to use the new key with the script, its ID must be added.
Obtain the ID
To obtain the ID, issue the following on Ireland:
<pre>
$ sigul get-public-key fedora-14-arm > keyblock
$ gpg keyblock
</pre>
From that output, on the pub line, copy the code after the /. This code usually starts with a letter, for example B207AABC.
Modify sigulsign_unsigned.py
The next step is to add it to the sigulsign_unsigned script:
<pre>
$ vi sigulsign_unsigned
</pre>
Under the KEYS section, add your new key and name to the line following the previous entries:
<pre>
KEYS = {
    'fedora-14-arm': {'id': 'b207aabc', 'v3': True},  # <-- Your Entry
    'fedora-13-sparc': {'id': '5bf71b5e', 'v3': True},
    'fedora-12': {'id': '57bbccba', 'v3': True},
    'fedora-13': {'id': 'e8e40fde', 'v3': True},
    'fedora-11': {'id': 'd22e77f2', 'v3': True},
    'fedora-10': {'id': '4ebfc273', 'v3': False},
    'fedora-10-testing': {'id': '0b86274e', 'v3': False},
    'epel-6': {'id': '0608b895', 'v3': True}}
</pre>
Close and save the script.
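A check for the two steps above (reading the ID off the pub line and entering it in KEYS), as an added example that is not part of this SOP or of the sigulsign_unsigned script. The gpg listing line is a constructed sample in the older GnuPG layout, and the function names are hypothetical.

```python
import re

# Constructed sample of a `gpg keyblock` listing in the older GnuPG layout;
# key size and date are made up, the ID is the page's example value.
SAMPLE_LISTING = (
    "pub  4096R/B207AABC 2011-01-01 "
    "Fedora-ARM (14) <fedora@fedoraproject.org>\n"
)

# Three entries copied from the KEYS table shown on the page.
KEYS = {
    'fedora-14-arm': {'id': 'b207aabc', 'v3': True},
    'fedora-13-sparc': {'id': '5bf71b5e', 'v3': True},
    'fedora-13': {'id': 'e8e40fde', 'v3': True},
}

# "pub", key size and algorithm letter, "/", then the 8-hex-digit ID.
PUB_LINE = re.compile(r'^pub\s+\d+[A-Za-z]/([0-9A-Fa-f]{8})\b', re.MULTILINE)


def key_id_from_listing(listing):
    """Return the ID after the '/' on the pub line, lowercased as in KEYS."""
    ids = PUB_LINE.findall(listing)
    if len(ids) != 1:
        raise ValueError("expected exactly one pub line, found %d" % len(ids))
    return ids[0].lower()


def check_keys_entry(keys, name, listing):
    """Compare the KEYS entry for `name` with the ID in the gpg listing."""
    key_id = key_id_from_listing(listing)
    entry = keys.get(name)
    if entry is None:
        return "missing: no KEYS entry for %s (keyblock ID %s)" % (name, key_id)
    if entry['id'] != key_id:
        return "mismatch: KEYS has %s, keyblock has %s" % (entry['id'], key_id)
    shared = sorted(n for n, e in keys.items() if n != name and e['id'] == key_id)
    if shared:
        return "duplicate: ID %s also listed for %s" % (key_id, ", ".join(shared))
    return "ok"


if __name__ == "__main__":
    print(check_keys_entry(KEYS, 'fedora-14-arm', SAMPLE_LISTING))
```

Running it before the signing step catches a mistyped or mis-cased ID, a missing entry, or an ID pasted under the wrong key name.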
Signing
Signing is rather straightforward. Be sure to do so in a screen session so you can freely leave and come back to check on the progress, as it can take a long time.
<pre>
$ screen -t SigulSigning
$ ./sigulsign_unsigned.py -v -v --write-all --inherit --arch=arm --tag=dist-f14 --password=<keypassphrase> fedora-14-arm
</pre>
The tag option is set to the tag within koji under which all the packages to be signed currently reside.