CDOT Sigul Signing SOP
The following documents the process for correctly signing packages for Fedora-ARM. Please be sure to follow these steps to the letter. If you have any complications, direct your questions to aeboccia on IRC.
Creating A Key
If a new key is to be created for the signing process, the following steps must be taken so that it complies with the primary arch key generation SOP.
From ireland, issue the following commands.
For example, if we wanted to create the Fedora 13 signing key, we would do the following:
- Create the key using a strong passphrase when prompted
$ sigul new-key --key-admin aeboccia --name-real Fedora-ARM \
    --name-comment 14 \
    --name-email fedora@fedoraproject.org fedora-14-arm
- Wait a while for entropy. This can take several minutes.
- Grant key access to any users who will be using it to sign packages
$ sigul grant-key-access fedora-14-arm aeboccia
Once the key has been created, you can continue on to prep for signing.
Signing prep
For signing, the script sigulsign_unsigned is used. In order to use the new key with the script, its ID must be added.
To obtain the ID, issue the following on Ireland:
$ sigul get-public-key fedora-14-arm > keyblock
$ gpg keyblock
From that output, on the PUB line, copy the code after the /. This code usually starts with a letter, for example B207AABC.
The next step is to add it to the sigulsign_unsigned script.
$ vi sigulsign_unsigned

Under the KEYS section, add your new key and name to the line following the previous entries.

KEYS = {'fedora-14-arm': {'id': 'b207aabc', 'v3': True},  # <-- Your Entry
        'fedora-13-sparc': {'id': '5bf71b5e', 'v3': True},
        'fedora-12': {'id': '57bbccba', 'v3': True},
        'fedora-13': {'id': 'e8e40fde', 'v3': True},
        'fedora-11': {'id': 'd22e77f2', 'v3': True},
        'fedora-10': {'id': '4ebfc273', 'v3': False},
        'fedora-10-testing': {'id': '0b86274e', 'v3': False},
        'epel-6': {'id': '0608b895', 'v3': True}}
Save and close the script.
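
The ID step above can be checked mechanically instead of copied by eye. The following is an added example, not part of the original SOP or of sigulsign_unsigned: it derives the lowercase 8-digit ID from a gpg pub line (the legacy "/" listing or --with-colons output) and refuses a name or ID already in KEYS. The helper names and the sample gpg outputs are assumptions constructed for illustration.

```python
import re

# Existing entries copied from the KEYS table on this page (subset).
KEYS = {
    'fedora-13-sparc': {'id': '5bf71b5e', 'v3': True},
    'fedora-13': {'id': 'e8e40fde', 'v3': True},
}

# Constructed sample outputs; dates and the upper half of the long ID are placeholders.
LEGACY_OUTPUT = "pub  4096R/B207AABC 2010-01-01 Fedora-ARM (14) <fedora@fedoraproject.org>\n"
COLON_OUTPUT = "pub:-:4096:1:00000000B207AABC:1262304000:::-:::scSC:\n"


def short_key_id(gpg_output):
    """Return the lowercase 8-hex-digit key ID from the first usable pub line."""
    for line in gpg_output.splitlines():
        if line.startswith("pub:"):
            # --with-colons: field 5 is the 16-digit long key ID.
            fields = line.split(":")
            long_id = fields[4] if len(fields) > 4 else ""
            if re.fullmatch(r"[0-9A-Fa-f]{16}", long_id):
                return long_id[-8:].lower()
        elif line.startswith("pub"):
            # Legacy listing: "pub  4096R/B207AABC date uid".
            m = re.match(r"pub\s+\w+/(?:0x)?([0-9A-Fa-f]{8,16})\b", line)
            if m:
                return m.group(1)[-8:].lower()
    raise ValueError("no usable pub line in gpg output")


def add_key(keys, name, gpg_output, v3=True):
    """Return a copy of keys with the new entry, refusing name or ID clashes."""
    key_id = short_key_id(gpg_output)
    if name in keys:
        raise ValueError("key name already present: " + name)
    for other, entry in keys.items():
        if entry['id'] == key_id:
            raise ValueError("ID %s already used by %s" % (key_id, other))
    updated = dict(keys)
    updated[name] = {'id': key_id, 'v3': v3}
    return updated


if __name__ == "__main__":
    print(add_key(KEYS, 'fedora-14-arm', LEGACY_OUTPUT)['fedora-14-arm'])
```

A pub line without a "/" (as newer gpg versions print by default) raises ValueError rather than yielding a guessed ID.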
Signing
Signing is rather straightforward. Be sure to run it in a screen session, so you can freely leave and come back to check on the progress, as it can take a long time.
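$ screen -t SigulSigning
$ ./sigulsign_unsigned.py -v -v --write-all --inherit --arch=arm --tag=dist-f14 --password=<keypassphrase> fedora-14-arm

* The tag option is set to the tag within koji under which all the packages to be signed currently reside.
* A passphrase given with --password on the command line ends up in the shell history and is visible in the process list on that host while the script runs.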