Difference between revisions of "Cdot sigul sop"

From CDOT Wiki
Jump to: navigation, search
 
(One intermediate revision by the same user not shown)
Line 6: Line 6:
  
 
== Creating A Key ==
 
== Creating A Key ==
 +
 
If a new key is to be created for the signing process the following step must be taken to do so in compliance with primary arch key generation SOP.
 
If a new key is to be created for the signing process the following step must be taken to do so in compliance with primary arch key generation SOP.
  
From ireland issue the following commands:
+
=== Create a new key ===
  
For example if we wanted to create the Fedora 13 signing key, we would do the following:
+
Create the key using a strong passphrase when prompted
<ol>
 
<li>Create the key using a strong passphrase when prompted
 
 
<pre>
 
<pre>
 
$ sigul new-key --key-admin aeboccia --name-real Fedora-ARM \
 
$ sigul new-key --key-admin aeboccia --name-real Fedora-ARM \
 
         --name-comment 14 \
 
         --name-comment 14 \
 
         --name-email fedora@fedoraproject.org fedora-14-arm
 
         --name-email fedora@fedoraproject.org fedora-14-arm
</pre></li>
+
</pre>
<li>Wait a while for entropy.  This can take several minutes.</li>
+
Wait a while for entropy.  This can take several minutes.
<li>Grant key access to any users who will be using it to sign packages
+
 
 +
=== Grant key access to user ===
 +
 
 +
Grant key access to any users who will be using it to sign packages
 
<pre>
 
<pre>
 
$ sigul grant-key-access fedora-14-arm aeboccia
 
$ sigul grant-key-access fedora-14-arm aeboccia
 
</pre>
 
</pre>
  
One the key has been created you can continue on to prep for signing.
+
Once the key has been created you can continue on to prep for signing.
  
 
== Signing prep ==
 
== Signing prep ==
Line 30: Line 32:
 
For signing, the script sigulsign_unsigned is used. In order to use the new key with the script it's ID must be added.
 
For signing, the script sigulsign_unsigned is used. In order to use the new key with the script it's ID must be added.
  
To obtain the ID issue the following on Ireland
+
=== Obtain key ID ===
 +
 
 +
To obtain the ID issue the following on Ireland:
 
<pre>
 
<pre>
 
$ sigul get-public-key > keyblock
 
$ sigul get-public-key > keyblock
Line 37: Line 41:
 
From that output on the PUB line copy the Code after the / usually this code starts with a letter for example B207AABC <br />
 
From that output on the PUB line copy the Code after the / usually this code starts with a letter for example B207AABC <br />
  
The next step is to add it to the sigulsign_unsigned script.
+
=== Modify sigulsign_unsigned.py ===
 +
 
 +
The next step is to add it to the sigulsign_unsigned script:
  
 
<pre>
 
<pre>
Line 54: Line 60:
 
</pre>
 
</pre>
  
Close and Save the Script
+
Close and Save the script.
  
 
== Signing ==
 
== Signing ==
Line 61: Line 67:
  
 
<pre>
 
<pre>
 
 
$ screen -t SigulSigning
 
$ screen -t SigulSigning
 
$ ./sigulsign_unsigned.py -v -v --write-all --inherit --arch=arm --tag=dist-f14 --password=<keypassphrase> fedora-14-arm
 
$ ./sigulsign_unsigned.py -v -v --write-all --inherit --arch=arm --tag=dist-f14 --password=<keypassphrase> fedora-14-arm
 +
</pre>
  
* The tag option is set to the tag within koji under which all the packages to be signed currently reside.
+
The tag option is set to the tag within koji under which all the packages to be signed currently reside.
 
 
</pre>
 

Latest revision as of 12:00, 19 May 2015


CDOT Sigul Signing SOP

The following documents the process to be taken in order to correctly sign packages for Fedora-ARM. Please be sure to follow these steps to the letter, if you have any complications direct your questions to aeboccia on IRC.

Creating A Key

If a new key is to be created for the signing process the following step must be taken to do so in compliance with primary arch key generation SOP.

Create a new key

Create the key using a strong passphrase when prompted

$ sigul new-key --key-admin aeboccia --name-real Fedora-ARM \
        --name-comment 14 \
        --name-email fedora@fedoraproject.org fedora-14-arm

Wait a while for entropy. This can take several minutes.

Grant key access to user

Grant key access to any users who will be using it to sign packages

$ sigul grant-key-access fedora-14-arm aeboccia

Once the key has been created you can continue on to prep for signing.

Signing prep

For signing, the script sigulsign_unsigned is used. In order to use the new key with the script it's ID must be added.

Obtain key ID

To obtain the ID issue the following on Ireland:

$ sigul get-public-key > keyblock
$ gpg keyblock

From that output on the PUB line copy the Code after the / usually this code starts with a letter for example B207AABC

Modify sigulsign_unsigned.py

The next step is to add it to the sigulsign_unsigned script:

$ vi sigulsign_unsigned

Under the KEYS section add your new key and name to the line following the previous entries.

KEYS = { 'fedora-14-arm': {'id': 'b207aabc', 'v3': True}, <-- Your Entry
        'fedora-13-sparc': {'id': '5bf71b5e', 'v3': True},
        'fedora-12': {'id': '57bbccba', 'v3': True},
        'fedora-13': {'id': 'e8e40fde', 'v3': True},
        'fedora-11': {'id': 'd22e77f2', 'v3': True},
        'fedora-10': {'id': '4ebfc273', 'v3': False},
        'fedora-10-testing': {'id': '0b86274e', 'v3': False},
        'epel-6': {'id': '0608b895', 'v3': True}}

Close and Save the script.

Signing

Signing is rather straight forward, be sure to do so in a screen so you can freely leave and come back to check on the progress as it can take much time.

$ screen -t SigulSigning
$ ./sigulsign_unsigned.py -v -v --write-all --inherit --arch=arm --tag=dist-f14 --password=<keypassphrase> fedora-14-arm

The tag option is set to the tag within koji under which all the packages to be signed currently reside.