Signing packages

Timotheus Pokorra edited this page Apr 5, 2016 · 6 revisions

Signing with Public/Private Key GPG

You need to create a pair of public and private keys with GnuPG.

# generate the keys
gpg --gen-key
# export the public key
gpg --armor --output publicLBS.gpg --export "Timotheus Pokorra (LBS auto signing) <release@solidcharity.com>"
# export the private key
gpg --armor --output privateLBSkey --export-secret-keys "Timotheus Pokorra (LBS auto signing) <release@solidcharity.com>"
# list the keys so that you know the key id (in my case the key id is 4E1220C3)
gpg --list-keys
# publish the public key to a central key server
gpg --keyserver pgp.mit.edu --send-key 4E1220C3

In your project's section of /etc/lightbuildserver/config.yml, insert a line similar to this:

PublicKey: http://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x4796B710919684AC

This adds instructions to your package that tell users where to download your public key.

Signing RPMs

Create a file /etc/lightbuildserver/container/<username>/<projectname>/privateLBSkey. It should be owned by user uwsgi. It is a private key generated with GnuPG. The public key should be published on the well-known key servers.

You also need a file /etc/lightbuildserver/container/<username>/<projectname>/rpmmacros, also owned by user uwsgi:

%_signature gpg
%_gpg_path /root/.gnupg
%_gpg_name YourName (LBS auto signing) <release@example.org>
%_gpgbin /usr/bin/gpg

%__gpg_sign_cmd %{__gpg} \
    gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor \
    --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
    -sbo %{__signature_filename} %{__plaintext_filename}

For the implementation details, see https://github.com/SolidCharity/LightBuildServer/blob/master/lib/BuildHelperCentos.py#L187

Signing Debian packages

Create a file /etc/lightbuildserver/container/<username>/<projectname>/privateLBSkey. It should be owned by user uwsgi. It is a private key generated with GnuPG. The public key should be published on the well-known key servers.

You also need a file /etc/lightbuildserver/container/<username>/<projectname>/distributions, also owned by user uwsgi:

Origin: Packages Useful for LBS
Label: Packages Useful for LBS
Codename: trusty
Architectures: amd64
Components: main
Description: Apt repository for LBS packages
SignWith: 919684AC

For the implementation details, see https://github.com/SolidCharity/LightBuildServer/blob/master/lib/BuildHelperDebian.py#L205
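
A pre-flight check for the files that the "Signing RPMs" and "Signing Debian packages" sections require, as an added example that is not part of LightBuildServer or of the original wiki page. The function name audit_signing_dir is hypothetical, GNU stat is assumed, and the rule that the private key must have no group/other permission bits is an assumption added here (the page only states the owner).

```shell
#!/bin/sh
# Added example: audit the signing files of one LBS project directory.
# Assumptions, not from the wiki: GNU stat (Linux), and that the private key
# should carry no group/other permission bits (the wiki only names the owner).

# audit_signing_dir DIR [OWNER]
# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
audit_signing_dir() {
    dir="$1"; owner="${2:-uwsgi}"; key="$dir/privateLBSkey"; bad=0
    if [ ! -f "$key" ]; then
        echo "FAIL $key: missing"; return 1
    fi

    # Ownership applies to the key and to whichever config file is present
    # (rpmmacros for RPM projects, distributions for Debian projects).
    for f in "$key" "$dir/rpmmacros" "$dir/distributions"; do
        [ -f "$f" ] || continue
        actual=$(stat -c %U "$f")
        if [ "$actual" != "$owner" ]; then
            echo "FAIL $f: owner is $actual, expected $owner"
            bad=1
        fi
    done

    # The private key must not be accessible to group or others.
    mode=$(stat -c %a "$key")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL $key: mode $mode exposes the private key"
        bad=1
    fi

    # gpg --armor --export-secret-keys writes this armor header; a PUBLIC KEY
    # BLOCK here means the wrong export was copied into place.
    if [ "$(head -n 1 "$key")" != "-----BEGIN PGP PRIVATE KEY BLOCK-----" ]; then
        echo "FAIL $key: not an armored private key export"
        bad=1
    fi

    # Each config file must name the key it signs with.
    if [ -f "$dir/distributions" ] && ! grep -q '^SignWith: *[^ ]' "$dir/distributions"; then
        echo "FAIL $dir/distributions: no SignWith entry"; bad=1
    fi
    if [ -f "$dir/rpmmacros" ] && ! grep -q '^%_gpg_name[[:space:]]' "$dir/rpmmacros"; then
        echo "FAIL $dir/rpmmacros: no %_gpg_name entry"; bad=1
    fi
    return "$bad"
}
# Run directly: sh audit.sh /etc/lightbuildserver/container/<username>/<projectname>
if [ "$#" -ge 1 ]; then audit_signing_dir "$@"; fi
```

Run it as root or as uwsgi so the key file is readable; a clean directory prints nothing and exits 0.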
