The Fedora website http://fedora.redhat.com/About/security/ mentions Fedora builds are automatically signed. How is this done? rpm --addsign requires user input and is not gpg-aware http://lists.gnupg.org/pipermail/gnupg-users/2004-January/021302.html
On Tuesday 21 November 2006 21:21, Douglas Hubler wrote:
The Fedora website http://fedora.redhat.com/About/security/ mentions Fedora builds are automatically signed. How is this done? rpm --addsign requires user input and is not gpg-aware http://lists.gnupg.org/pipermail/gnupg-users/2004-January/021302.html
You can automate it by not putting a password on the GPG key. Most of the RPMs are manually signed for this reason, and all of Extras are manually signed. The only automated signing would be in Rawhide, and I think they are generally not signed at all.
Dennis Gilmore wrote:
You can automate it by not putting a password on the GPG key. Most of the RPMs are manually signed for this reason, and all of Extras are manually signed. The only automated signing would be in Rawhide, and I think they are generally not signed at all.
IIRC, even with a blank password, rpm's default behavior is to ask for a password anyway.
'expect' knows what to do :)
- KB
Once upon a time Wednesday 22 November 2006 6:09 am, Karanbir Singh wrote:
IIRC, even with a blank password, rpm's default behavior is to ask for a password anyway.
'expect' knows what to do :)
I've never tried, so I'm not 100% sure. I had assumed that if I put no password on the key I wouldn't be prompted. But I would not trust a situation like that, so I won't impose that on my users. :)
Dennis
On 11/22/2006 04:34 PM, Dennis Gilmore wrote:
I've never tried, so I'm not 100% sure. I had assumed that if I put no password on the key I wouldn't be prompted. But I would not trust a situation like that, so I won't impose that on my users. :)
Yes, rpm always asks... And yes, expect knows what to do:

    #!/usr/bin/expect
    set p ""                   ;# passphrase: empty here, i.e. a key without one
    set f [lindex $argv 0]     ;# package to sign, given as the first argument
    spawn rpm --resign $f
    expect "Enter pass phrase:"
    send -- "$p\r"
    expect eof
The other way: use Perl ( http://search.cpan.org/~nanardon/RPM4-0.20/lib/RPM4.pm ). RPM4 also knows how to do it...
Best, Oliver
On Tuesday 21 November 2006 22:21, Douglas Hubler wrote:
The Fedora website http://fedora.redhat.com/About/security/ mentions Fedora builds are automatically signed. How is this done? rpm --addsign requires user input and is not gpg-aware
This seems to be false information (for now).
Thanks all for your posts; it's helped me invalidate folklore about suppressing password prompting and allowed me to automate via the helpful expect script that was posted.
I'm down to the fact I cannot get rpm signature checking to work with subkeys. I posted to rpm list http://article.gmane.org/gmane.linux.redhat.rpm.general/11244
Douglas Hubler wrote on 11/29/2006 03:51:51 PM:
Thanks all for your posts; it's helped me invalidate folklore about suppressing password prompting and allowed me to automate via the helpful expect script that was posted.
Here, in fact, I made some enhancements to the script a couple of days ago. I used to code in Tcl/Expect (and Perl) in a past life, before I was introduced to Python! (; See what you can do with it.
Joe
-- Fedora-buildsys-list mailing list Fedora-buildsys-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-buildsys-list
Joe Todaro <jstodaro <at> us.ibm.com> writes:
Here, in fact I made some enhancements to the script
<snip>
See what you can do with it.
Joe,
I'm using the expect script you attached to your last post, thanks for posting it!
I'm finding on larger RPMs the expect script times out after the password but before the actual signing and without giving an error message.
So I
- added a timeout error condition after the password is entered.
- increased the timeout.
Does it look right? Seems to work for me.
Also, I cannot seem to find documentation on what --with sig_main does, can you explain?
modified extras-signer.ex http://pastebin.ca/278275
Douglas Hubler wrote on 12/13/2006 06:18:21 PM:
Joe,
I'm using the expect script you attached to your last post, thanks for posting it!
I'm finding on larger RPMs the expect script times out after the password but before the actual signing and without giving an error message.
So I
- added a timeout error condition after the password is entered.
- increased the timeout.
Does it look right? Seems to work for me.
Yeah. Looks fine Douglas. Good catch.
Also, I cannot seem to find documentation on what --with sig_main does, can you explain?
The basic package signing methods are described here: http://library.n0i.net/linux-unix/programming/ma-xrpm/s1-rpm-pgp-signing-pac...
And the "--with sig_main" option can be implemented via the "%_gpg_name" macro, that might look something like this:

    %_gpg_name %{?_with_sig_main:F333AC40}%{?_with_sig_addon:5036E41F}
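Added here as a worked example, not code from this thread, from Joe's attached extras-signer.ex, or from Fedora's build system: a POSIX sh wrapper that ties the two practical points of the thread together. sign_rpm drives rpm --resign through expect with an explicit timeout branch in every state (the silent-timeout failure on large packages Douglas hit), selecting the signing key the way Joe's %_gpg_name macro does but via --define; sig_verdict then parses rpm -Kv output so that a package that is still unsigned, one signed by a key other than the expected one, or one whose signature rpm cannot verify is reported as a failure instead of being assumed good. Assumptions, all mine: rpm 4.x-era prompt and report strings ("Enter pass phrase:", "Pass phrase is good.", "V3 DSA signature: OK, key ID ..."), an RPM_SIGN_PASSPHRASE environment variable (a name chosen here) holding the passphrase, the expected key already in the signer's keyring, and the three rpm -Kv reports at the bottom are constructed samples, not real output.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora's build system.
# sign_rpm drives `rpm --resign` under expect with explicit timeouts; sig_verdict
# parses `rpm -Kv` output so the result is checked, not assumed.
# Assumptions: rpm 4.x-era strings ("Enter pass phrase:", "Pass phrase is good.",
# "V3 DSA signature: OK, key ID e8562897"); adjust the patterns if your rpm differs.

# sign_rpm KEYID FILE
# The passphrase is taken from RPM_SIGN_PASSPHRASE (a name chosen here), empty for a
# key without one, so it never appears in the script text or on a command line.
sign_rpm() {
    RPM_SIGN_KEYID=$1 RPM_SIGN_FILE=$2 expect - <<'EOF'
set keyid $env(RPM_SIGN_KEYID)
set file  $env(RPM_SIGN_FILE)
set pass  ""
if {[info exists env(RPM_SIGN_PASSPHRASE)]} { set pass $env(RPM_SIGN_PASSPHRASE) }
set timeout 600                      ;# hashing a large package can take minutes
spawn rpm --define "_signature gpg" --define "_gpg_name $keyid" --resign "$file"
expect {
    "Enter pass phrase:" { send -- "$pass\r" }
    timeout { puts stderr "no passphrase prompt for $file"; exit 2 }
    eof     { puts stderr "rpm exited before prompting for $file"; exit 3 }
}
# Wait for the signing itself to finish; every branch is explicit so a hang is an error.
expect {
    "Pass phrase is good."     { exp_continue }
    "Pass phrase check failed" { puts stderr "bad passphrase for key $keyid"; exit 4 }
    timeout { puts stderr "timed out while signing $file"; exit 5 }
    eof     { }
}
catch wait result
exit [lindex $result 3]              ;# propagate rpm's own exit status
EOF
}

# sig_verdict KEYID   (reads the output of `rpm -Kv FILE` on stdin)
#   0  an OpenPGP signature by KEYID verified OK and no signature line is bad
#   1  no OpenPGP signature at all: the package is unsigned
#   2  every signature is OK, but none was made by KEYID
#   3  some signature line is not OK (BAD, NOKEY, NOT OK, ...)
sig_verdict() {
    _want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    _report=$(tr '[:upper:]' '[:lower:]')
    # rpm indents its per-check lines; the unindented first line is the file name
    _sigs=$(printf '%s\n' "$_report" | grep '^ .*signature' || true)
    [ -n "$_sigs" ] || return 1
    if printf '%s\n' "$_sigs" | grep -v ': ok' | grep -q .; then
        return 3
    fi
    if printf '%s\n' "$_sigs" | grep -q "key id $_want"; then
        return 0
    fi
    return 2
}

# main KEYID FILE...: sign, then refuse to call it done until rpm itself verifies it.
main() {
    _key=$1; shift
    _rc=0
    for _pkg in "$@"; do
        if ! sign_rpm "$_key" "$_pkg"; then
            echo "SIGN FAILED: $_pkg" >&2; _rc=1; continue
        fi
        _v=0
        rpm -Kv "$_pkg" | sig_verdict "$_key" || _v=$?
        case $_v in
            0) echo "signed OK by $_key: $_pkg" ;;
            1) echo "STILL UNSIGNED: $_pkg" >&2; _rc=1 ;;
            2) echo "SIGNED BY ANOTHER KEY: $_pkg" >&2; _rc=1 ;;
            *) echo "SIGNATURE NOT OK (bad, or key not imported): $_pkg" >&2; _rc=1 ;;
        esac
    done
    return $_rc
}

# Constructed sample reports (not real rpm output) in the rpm 4.x -Kv layout, for
# exercising sig_verdict without a package at hand.
SAMPLE_SIGNED='foo-1.0-1.noarch.rpm:
    Header V3 DSA signature: OK, key ID f333ac40
    Header SHA1 digest: OK (digest omitted)
    MD5 digest: OK (digest omitted)
    V3 DSA signature: OK, key ID f333ac40'
SAMPLE_UNSIGNED='bar-2.0-1.noarch.rpm:
    Header SHA1 digest: OK (digest omitted)
    MD5 digest: OK (digest omitted)'
SAMPLE_NOKEY='baz-3.0-1.noarch.rpm:
    Header V3 DSA signature: NOKEY, key ID 5036e41f
    Header SHA1 digest: OK (digest omitted)
    MD5 digest: OK (digest omitted)
    V3 DSA signature: NOKEY, key ID 5036e41f'

# Usage: sh sign-and-verify.sh KEYID pkg1.rpm [pkg2.rpm ...]
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The verification step is the part worth keeping even if you sign some other way: a signing run that exits 0 only tells you rpm did not complain, while rpm -Kv tells you which key actually signed the package, which is also what you want to look at when a subkey is in play and checksig does not match the key ID you expected.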