Archive for February, 2014

GPG signing RPMs with Sigul Signing Server & Koji integration

When you are building your own RPMs and distributing them either on your own infrastructure or to the public, you should consider signing them with a GPG key. That way the client machines that install your RPMs can verify the integrity and authenticity of what they are installing.

GPG signing can either be done manually, which is fairly easy but inconvenient, or in a far more automated and robust way, using the Sigul Signing Server by Fedora.

Sigul keeps the private keys used for signing on its server, and they aren't accessible to the clients that want to sign RPMs. All requests from Sigul clients to the Sigul Server are sent over the Sigul Bridge, which relays them. This allows signing RPMs from various machines without any of them having access to the actual keys being used. So you never communicate directly with the Server, which can and should be isolated from the rest of the world and only allow connections from/to the Bridge in the firewall.


Getting RPM built by Koji into YUM-able repo

By following my article series about Fedora's RPM build system Koji, you should by now have a fully working setup that even builds RPMs from Git.
However, by design, the built RPMs can't be used directly as a yum repo. They need to be transformed first. That is what the tool "mash" is for.
Luckily, setting up mash is easy compared to Koji itself.

yum install mash
# create a storage path, this can also be a network mount
mkdir -p /mnt/custom-repo/{mash,rpm}
ln -s /mnt/custom-repo/mash/centos6-release/ /mnt/custom-repo/rpm/centos6


Building RPM from Git with Koji

If you have followed my other articles about Koji, you should have a fully working setup now. However, it's not very handy to build only from local SRPMs.
Fortunately, Koji can build RPMs from spec files and Makefiles which it gets from a Git repo or other SCM. Read on to learn how to get that going.

In /etc/kojid/kojid.conf*:no

;using any other command instead of "make sources". Example showing "fedpkg sources"
