Cdot sigul sop
CDOT Sigul Signing SOP
The following documents the process for correctly signing packages for Fedora-ARM. Please follow these steps to the letter. If you run into any complications, direct your questions to aeboccia on IRC.
Creating A Key
If a new key is to be created for the signing process, the following steps must be taken, in compliance with the primary arch key generation SOP.
Create a new key
Create the key using a strong passphrase when prompted
$ sigul new-key --key-admin aeboccia --name-real Fedora-ARM \
    --name-comment 14 \
    --name-email fedora-14-arm
Wait a while for entropy. This can take several minutes.
Grant key access to user
Grant key access to any users who will be using it to sign packages
$ sigul grant-key-access fedora-14-arm aeboccia
Once the key has been created, you can continue on to signing prep.
Signing prep
For signing, the script sigulsign_unsigned is used. In order to use the new key with the script, its ID must be added.
Obtain key ID
To obtain the ID issue the following on Ireland:
$ sigul get-public-key > keyblock
$ gpg keyblock
In that output, on the pub line, copy the code after the /. This code usually starts with a letter, for example B207AABC.
The next step is to add it to the sigulsign_unsigned script:
$ vi sigulsign_unsigned
Under the KEYS section, add your new key and name to the line following the previous entries.
KEYS = {'fedora-14-arm': {'id': 'b207aabc', 'v3': True},  # <-- Your Entry
        'fedora-13-sparc': {'id': '5bf71b5e', 'v3': True},
        'fedora-12': {'id': '57bbccba', 'v3': True},
        'fedora-13': {'id': 'e8e40fde', 'v3': True},
        'fedora-11': {'id': 'd22e77f2', 'v3': True},
        'fedora-10': {'id': '4ebfc273', 'v3': False},
        'fedora-10-testing': {'id': '0b86274e', 'v3': False},
        'epel-6': {'id': '0608b895', 'v3': True}}
Save and close the script.
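The key-ID step above can be checked mechanically rather than copied by eye. The following Python is an added example, not part of sigulsign_unsigned or of the original page: it pulls the ID from a legacy-format gpg pub line and builds the KEYS entry, refusing a name or ID that is already listed. The function names, the sample listing and its e-mail address are constructed for illustration.

```python
import re

# Legacy gpg listing line, as the page describes it:
#   pub  <bits><algo letter>/<8-hex-digit key ID> <date> <user id>
PUB_LINE = re.compile(r"^pub\s+\d+[A-Za-z]/([0-9A-Fa-f]{8})\b")


def short_key_id(gpg_listing):
    """Return the lowercase 8-hex-digit key ID from the single pub line."""
    ids = [m.group(1).lower()
           for line in gpg_listing.splitlines()
           if (m := PUB_LINE.match(line.strip()))]
    if len(ids) != 1:
        # Zero matches: wrong file or unexpected format. More than one:
        # the keyblock holds several keys and the choice must be explicit.
        raise ValueError("expected exactly one pub line, found %d" % len(ids))
    return ids[0]


def add_key(keys, name, gpg_listing, v3=True):
    """Return a copy of keys with the new entry; refuse duplicate names or IDs."""
    key_id = short_key_id(gpg_listing)
    if name in keys:
        raise ValueError("key name already present: %s" % name)
    for other, entry in keys.items():
        if entry["id"] == key_id:
            raise ValueError("ID %s already used by %s" % (key_id, other))
    updated = dict(keys)
    updated[name] = {"id": key_id, "v3": v3}
    return updated


# Constructed sample of `gpg keyblock` output (date and e-mail are made up).
SAMPLE_LISTING = """\
pub  4096R/B207AABC 2010-10-27 Fedora-ARM (14) <fedora-14-arm@example.invalid>
"""

# Two of the entries shown in the KEYS section above.
EXISTING_KEYS = {
    "fedora-13-sparc": {"id": "5bf71b5e", "v3": True},
    "fedora-13": {"id": "e8e40fde", "v3": True},
}

if __name__ == "__main__":
    keys = add_key(EXISTING_KEYS, "fedora-14-arm", SAMPLE_LISTING)
    print("'fedora-14-arm': %r," % keys["fedora-14-arm"])
```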
Signing is rather straightforward. Be sure to run it in a screen session so you can freely leave and come back to check on the progress, as it can take a long time.
$ screen -t SigulSigning
$ ./ -v -v --write-all --inherit --arch=arm --tag=dist-f14 --password=<keypassphrase> fedora-14-arm
Set the --tag option to the Koji tag under which all the packages to be signed currently reside.