A robosignatory driver for the CentOS Stream signing service.
Calligrabot takes care of downloading RPMs from Koji, securely signing them, and uploading the signed RPMs back to Koji.
This is deployed via Ansible. The CentOS Stream deployment role and the configuration files are stored in this repo.
"calligrabot" is the name of a robosignatory.signing.helpers setuptools entry point.
The calligrabot driver is enabled by setting backend = "calligrabot" in the [consumer_config.signing] section of the robosignatory configuration file, /etc/fedora-messaging/robosignatory.toml, along with specifying the principal and keytab.
For example:

    ...
    [consumer_config]

    [consumer_config.signing]
    backend = "calligrabot"
    user = "calligrabot"
    principal = "autosign/signer.redhat.com@REDHAT.COM"
    keytab = "/etc/krb5.signer.redhat.com.keytab"
    ima_key = "ima-keyname"
    dry_run = false
    # calligrabot config details are contained within this config file so
    # config_file needs to be self-referential
    config_file = "/etc/fedora-messaging/robosignatory.toml"

    [consumer_config.koji_instances]

    [consumer_config.koji_instances.primary]
    url = "https://kojihub.stream.rdu2.redhat.com/kojihub"
    weburl = "https://kojihub.stream.centos.org/koji"
    topurl = "http://kojihub.stream.centos.org/kojifiles"
    ...

Calligrabot has a command line interface, /usr/bin/calligrabot, which is a wrapper for Red Hat's internal rpm-sign utility that takes care of the actual secure signing of RPMs.
/usr/bin/calligrabot is also called directly by the "calligrabot" robosignatory driver.

    $ calligrabot --help
    Usage: calligrabot [OPTIONS] COMMAND [ARGS]...

    Options:
      -d, --debug             Enable debugging output
      -n, --dry-run           Dry run mode
      -c, --config-file FILE  Path to the configuration file
      -u, --user-name TEXT    User name
      -p, --principal TEXT    Kerberos principal
      -k, --keytab TEXT       Kerberos keytab
      --help                  Show this message and exit.

    Commands:
      sign-rpms

    $ calligrabot sign-rpms --help
    Usage: calligrabot sign-rpms [OPTIONS] KEYNAME [RPMS]...

    Options:
      -i, --koji-instance TEXT  Use the specified Koji instance
      --help                    Show this message and exit.

    $ calligrabot -u _username_ sign-rpms _key_ howdy-1-1.el9.noarch.rpm

Please format code using black -l 79.
Install packages required to test the Python scripts:

    $ sudo dnf install -y \
        python3-robosignatory \
        tox

Run the tests:

    $ make test

MIT (see LICENSE file)