Cdot sigul sop

From CDOT Wiki
Revision as of 15:18, 27 January 2012 by Jacwang (talk | contribs)

CDOT Sigul Signing SOP

The following documents the process to be taken in order to correctly sign packages for Fedora-ARM. Please be sure to follow these steps to the letter; if you have any complications, direct your questions to aeboccia on IRC.

Creating A Key

If a new key is to be created for the signing process, the following steps must be taken to do so in compliance with the primary arch key generation SOP.

From ireland, issue the following commands.

For example, if we wanted to create the Fedora 13 signing key, we would do the following:

  1. Create the key using a strong passphrase when prompted
    $ sigul new-key --key-admin aeboccia --name-real Fedora-ARM \
            --name-comment 14 \
            --name-email fedora-14-arm
  2. Wait a while for entropy. This can take several minutes.
  3. Grant key access to any users who will be using it to sign packages
    $ sigul grant-key-access fedora-14-arm aeboccia

    Once the key has been created, you can continue on to prep for signing.

    Signing prep

    For signing, the script sigulsign_unsigned is used. In order to use the new key with the script, its ID must be added.

    To obtain the ID, issue the following on Ireland:

    $ sigul get-public-key fedora-14-arm > keyblock
    $ gpg keyblock

    From that output, on the pub line, copy the code after the /. This code usually starts with a letter, for example B207AABC.

    The next step is to add it to the sigulsign_unsigned script.

    $ vi sigulsign_unsigned
    Under the KEYS section, add your new key and name to the line following the previous entries.
    KEYS = {'fedora-14-arm': {'id': 'b207aabc', 'v3': True},  # <-- your entry
            'fedora-13-sparc': {'id': '5bf71b5e', 'v3': True},
            'fedora-12': {'id': '57bbccba', 'v3': True},
            'fedora-13': {'id': 'e8e40fde', 'v3': True},
            'fedora-11': {'id': 'd22e77f2', 'v3': True},
            'fedora-10': {'id': '4ebfc273', 'v3': False},
            'fedora-10-testing': {'id': '0b86274e', 'v3': False},
            'epel-6': {'id': '0608b895', 'v3': True}}

    Save and close the script.
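
The check below is an added example, not part of the original SOP or of sigulsign_unsigned: it pulls the short key ID from the pub line of the `gpg keyblock` listing and confirms that the KEYS entry typed into the script matches it and does not collide with another entry. The function names, the constructed sample listing, and the assumption that IDs are stored lowercase (as in the entries shown above) are illustrative.

```python
import re

# Constructed sample of what `gpg keyblock` prints (GnuPG 1.x layout, as the
# page describes it); the key size and date are made up.
SAMPLE_LISTING = "pub  2048R/B207AABC 2012-01-27 Fedora-ARM (14) <fedora-14-arm>\n"

# Excerpt of the KEYS table shown on the page.
KEYS = {'fedora-14-arm': {'id': 'b207aabc', 'v3': True},
        'fedora-13-sparc': {'id': '5bf71b5e', 'v3': True},
        'epel-6': {'id': '0608b895', 'v3': True}}

PUB_LINE = re.compile(r"^pub\s+\d+[A-Za-z]/([0-9A-Fa-f]{8})\s")


def key_id_from_listing(listing):
    """Return the short key ID after the '/' on the single pub line, lowercased."""
    ids = []
    for line in listing.splitlines():
        match = PUB_LINE.match(line)
        if match:
            ids.append(match.group(1).lower())
    if len(ids) != 1:
        raise ValueError("expected exactly one pub line, found %d" % len(ids))
    return ids[0]


def check_keys_entry(keys, name, listing):
    """Return a list of problems with keys[name]; an empty list means it matches."""
    exported = key_id_from_listing(listing)
    entry = keys.get(name)
    if entry is None:
        return ["no KEYS entry named %r" % name]
    problems = []
    if entry['id'].lower() != exported:
        problems.append("id %r does not match exported key %r" % (entry['id'], exported))
    if entry['id'] != entry['id'].lower():
        problems.append("id %r is not lowercase like the existing entries" % entry['id'])
    for other, other_entry in keys.items():
        if other != name and other_entry['id'].lower() == exported:
            problems.append("id %r is already used by %r" % (exported, other))
    return problems


if __name__ == "__main__":
    for problem in check_keys_entry(KEYS, 'fedora-14-arm', SAMPLE_LISTING):
        print("PROBLEM:", problem)
```
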


    Signing is rather straightforward. Be sure to do so in a screen session so you can freely leave and come back to check on the progress, as it can take a long time.

    $ screen -t SigulSigning
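    $ ./sigulsign_unsigned -v -v --write-all --inherit --arch=arm --tag=dist-f14 --password=<keypassphrase> fedora-14-arm
    * The tag option is set to the tag within koji under which all the packages to be signed currently reside.
    * A passphrase given with --password is visible in the process list and in the shell history on the machine where the command is run.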