Cdot sigul sop

From CDOT Wiki
Jump to: navigation, search


CDOT Sigul Signing SOP

The following documents the process to be taken in order to correctly sign packages for Fedora-ARM. Please be sure to follow these steps to the letter, if you have any complications direct your questions to aeboccia on IRC.

Creating A Key

If a new key is to be created for the signing process the following step must be taken to do so in compliance with primary arch key generation SOP.

Create a new key

Create the key using a strong passphrase when prompted

$ sigul new-key --key-admin aeboccia --name-real Fedora-ARM \
        --name-comment 14 \
        --name-email fedora@fedoraproject.org fedora-14-arm

Wait a while for entropy. This can take several minutes.

Grant key access to user

Grant key access to any users who will be using it to sign packages

$ sigul grant-key-access fedora-14-arm aeboccia

Once the key has been created you can continue on to prep for signing.

Signing prep

For signing, the script sigulsign_unsigned is used. In order to use the new key with the script it's ID must be added.

Obtain the ID

To obtain the ID issue the following on Ireland:

$ sigul get-public-key > keyblock
$ gpg keyblock

From that output on the PUB line copy the Code after the / usually this code starts with a letter for example B207AABC

Modify sigulsign_unsigned.py

The next step is to add it to the sigulsign_unsigned script:

$ vi sigulsign_unsigned

Under the KEYS section add your new key and name to the line following the previous entries.

KEYS = { 'fedora-14-arm': {'id': 'b207aabc', 'v3': True}, <-- Your Entry
        'fedora-13-sparc': {'id': '5bf71b5e', 'v3': True},
        'fedora-12': {'id': '57bbccba', 'v3': True},
        'fedora-13': {'id': 'e8e40fde', 'v3': True},
        'fedora-11': {'id': 'd22e77f2', 'v3': True},
        'fedora-10': {'id': '4ebfc273', 'v3': False},
        'fedora-10-testing': {'id': '0b86274e', 'v3': False},
        'epel-6': {'id': '0608b895', 'v3': True}}

Close and Save the script.

Signing

Signing is rather straight forward, be sure to do so in a screen so you can freely leave and come back to check on the progress as it can take much time.

$ screen -t SigulSigning
$ ./sigulsign_unsigned.py -v -v --write-all --inherit --arch=arm --tag=dist-f14 --password=<keypassphrase> fedora-14-arm

The tag option is set to the tag within koji under which all the packages to be signed currently reside.