| |
@@ -0,0 +1,536 @@
|
| |
+ == Create Release Signing Key
|
| |
+
|
| |
+ === Description
|
| |
+
|
| |
+ At the beginning of each release under development a new package signing
|
| |
+ key is created for it. This key is used to prove the authenticity of
|
| |
+ packages built by Fedora and distributed by Fedora. This key will be
|
| |
+ used to sign all packages for the public test and final releases.
|
| |
+
|
| |
+ === Action
|
| |
+
|
| |
+ ==== Sigul
|
| |
+
|
| |
+ Sigul is the signing server which holds our keys. In order to make use
|
| |
+ of a new key, the key will have to be created and access to the key will
|
| |
+ have to be granted. The `new-key`, `grant-key-access`, and
|
| |
+ `change-passphrase` commands are used.
|
| |
+
|
| |
+ ....
|
| |
+ $ sigul new-key --help
|
| |
+ usage: client.py new-key [options] key
|
| |
+
|
| |
+ Add a key
|
| |
+
|
| |
+ options:
|
| |
+ -h, --help show this help message and exit
|
| |
+ --key-admin=USER Initial key administrator
|
| |
+ --name-real=NAME_REAL
|
| |
+ Real name of key subject
|
| |
+ --name-comment=NAME_COMMENT
|
| |
+ A comment about of key subject
|
| |
+ --name-email=NAME_EMAIL
|
| |
+ E-mail of key subject
|
| |
+ --expire-date=YYYY-MM-DD
|
| |
+ Key expiration date
|
| |
+
|
| |
+ $ sigul grant-key-access --help
|
| |
+ usage: client.py grant-key-access key user
|
| |
+
|
| |
+ Grant key access to a user
|
| |
+
|
| |
+ options:
|
| |
+ -h, --help show this help message and exit
|
| |
+
|
| |
+ $ sigul change-passphrase --help
|
| |
+ usage: client.py change-passphrase key
|
| |
+
|
| |
+ Change key passphrase
|
| |
+
|
| |
+ options:
|
| |
+ -h, --help show this help message and exit
|
| |
+ ....
|
| |
+
|
| |
+ For example if we wanted to create the Fedora 23 signing key, we would
|
| |
+ do the following:
|
| |
+
|
| |
+ . Log into a system configured to run sigul client.
|
| |
+ . Create the key using a strong passphrase when prompted
|
| |
+ +
|
| |
+ ....
|
| |
+ $ sigul new-key --key-admin ausil --key-type gnupg \
|
| |
+ --gnupg-name-real Fedora \
|
| |
+ --gnupg-name-comment 23 \
|
| |
+ --gnupg-name-email fedora-23-primary@fedoraproject.org fedora-23
|
| |
+ ....
|
| |
+ +
|
| |
+ For EPEL
|
| |
+ +
|
| |
+ ....
|
| |
+ $ sigul new-key --key-admin ausil --key-type gnupg \
|
| |
+ --gnupg-name-real "Fedora EPEL" \
|
| |
+ --gnupg-name-comment 7 \
|
| |
+ --gnupg-name-email epel@fedoraproject.org epel-7
|
| |
+ ....
|
| |
+ . Wait a while for entropy. This can take several minutes.
|
| |
+ . For Fedora, also create the IMA signing key
|
| |
+ +
|
| |
+ ....
|
| |
+ $ sigul new-key --key-admin ausil --key-type ECC fedora-23-ima
|
| |
+ ....
|
| |
+ . Grant key access to Fedora Account holders who will be signing
|
| |
+ packages and protect it with a temporary a passphrase. For example,
|
| |
+ `CHANGEME.`. Do the same with the -ima key for Fedora.
|
| |
+ +
|
| |
+ ....
|
| |
+ $ sigul grant-key-access fedora-23 kevin
|
| |
+ ....
|
| |
+
|
| |
+ [NOTE]
|
| |
+ .Note
|
| |
+ ====
|
| |
+ *IMPORTANT:* Grant the access to autopen user as it's required for
|
| |
+ robosignatory autosigning and then restart robosignatory service
|
| |
+ ====
|
| |
+
|
| |
+ . Provide the key name and temporary passphrase to signers. If they
|
| |
+ don't respond, revoke access until they are ready to change their
|
| |
+ passphrase. Signers can change their passphrase using the
|
| |
+ `change-passphrase` command:
|
| |
+ +
|
| |
+ ....
|
| |
+ $ sigul change-passphrase fedora-23
|
| |
+ ....
|
| |
+ . When your sigul cert expires, you will need to run:
|
| |
+ +
|
| |
+ ....
|
| |
+ certutil -d ~/.sigul -D -n sigul-client-cert
|
| |
+ ....
|
| |
+ +
|
| |
+ to remove the old cert, then
|
| |
+ +
|
| |
+ ....
|
| |
+ sigul_setup_client
|
| |
+ ....
|
| |
+ +
|
| |
+ to add a new one.
|
| |
+
|
| |
+ ==== fedora-repos
|
| |
+
|
| |
+ The fedora-repos package houses a copy of the public key information.
|
| |
+ This is used by rpm to verify the signature on files encountered.
|
| |
+ Currently the fedora-repos package has a single key file named after the
|
| |
+ version of the key and the arch the key is for. To continue our example,
|
| |
+ the file would be named `RPM-GPG-KEY-fedora-27-primary` which is the
|
| |
+ primary arch key for Fedora 27. To create this file, use the
|
| |
+ `get-public-key` command from sigul:
|
| |
+
|
| |
+ ....
|
| |
+ $ sigul get-public-key fedora-27 > RPM-GPG-KEY-fedora-27-primary
|
| |
+ ....
|
| |
+
|
| |
+ Add this file to the repo and update the archmap file for the new
|
| |
+ release.
|
| |
+
|
| |
+ ....
|
| |
+ $ git add RPM-GPG-KEY-fedora-27-primary
|
| |
+ ....
|
| |
+
|
| |
+ Then make a new fedora-repos build for rawhide
|
| |
+ (`FIXME: this should be its own SOP`)
|
| |
+
|
| |
+ ==== getfedora.org
|
| |
+
|
| |
+ getfedora.org/keys lists information about all of our keys. We need to
|
| |
+ let the websites team know we have created a new key so that they can
|
| |
+ add it to the list.
|
| |
+
|
| |
+ We do this by filing an issues in their pagure instance
|
| |
+ https://pagure.io/fedora-websites/ we should point them at this SOP
|
| |
+
|
| |
+ ===== Web team SOP
|
| |
+
|
| |
+ ....
|
| |
+ # from git repo root
|
| |
+ cd fedoraproject.org/
|
| |
+ curl $KEYURL > /tmp/newkey
|
| |
+ $EDITOR update-gpg-keys # Add key ID of recently EOL'd version to obsolete_keys
|
| |
+ ./update-gpg-key /tmp/newkey
|
| |
+ gpg static/fedora.gpg # used to verify the new keyring
|
| |
+ # it should look something like this:
|
| |
+ # pub 4096R/57BBCCBA 2009-07-29 Fedora (12) <fedora@fedoraproject.org>
|
| |
+ # pub 4096R/E8E40FDE 2010-01-19 Fedora (13) <fedora@fedoraproject.org>
|
| |
+ # pub 4096R/97A1071F 2010-07-23 Fedora (14) <fedora@fedoraproject.org>
|
| |
+ # pub 1024D/217521F6 2007-03-02 Fedora EPEL <epel@fedoraproject.org>
|
| |
+ # sub 2048g/B6610DAF 2007-03-02 [expires: 2017-02-27]
|
| |
+ # it must only have the two supported versions of fedora, rawhide and EPEL
|
| |
+ # also verify that static/$NEWKEY.txt exists
|
| |
+ $EDITOR data/content/{keys,verify}.html # see git diff 1840f96~ 1840f96
|
| |
+ ....
|
| |
+
|
| |
+ ==== sigulsign_unsigned
|
| |
+
|
| |
+ `sigulsign_unsigned.py` is the script Release Engineers use to sign
|
| |
+ content in koji. This script has a hardcoded list of keys and aliases to
|
| |
+ the keys that needs to be updated when we create new keys.
|
| |
+
|
| |
+ Add the key details to the `KEYS` dictionary near the top of the
|
| |
+ `sigulsign_unsigned.py` script. It lives in Release Engineering's git
|
| |
+ repo at `ssh://git@pagure.io/releng.git` in the `scripts` directory. You
|
| |
+ will need to know the key ID to insert the correct information:
|
| |
+
|
| |
+ ....
|
| |
+ $ gpg <key block from sigul get-public-key>
|
| |
+ ....
|
| |
+
|
| |
+ ==== Public Keyservers
|
| |
+
|
| |
+ We upload the key to the public key servers when we create the keys. To
|
| |
+ do this, we need to get the ascii key block from sigul, determine the
|
| |
+ key ID, import they key into our local keyring, and then upload it to
|
| |
+ the key servers.
|
| |
+
|
| |
+ ....
|
| |
+ $ sigul get-public-key fedora-13 > fedora-13
|
| |
+ $ gpg fedora-13 (The ID is the "E8E40FDE" part of 4096R/E8E40FDE)
|
| |
+ $ gpg --import fedora-13
|
| |
+ $ gpg --send-keys E8E40FDE
|
| |
+ ....
|
| |
+
|
| |
+ ==== pungi-fedora
|
| |
+
|
| |
+ The nightly compose configs come from the pungi-fedora project on
|
| |
+ https://pagure.io We need to create a pull request to pull in the new
|
| |
+ key.
|
| |
+
|
| |
+ ....
|
| |
+ $ git clone ssh://git@pagure.io/<your fork path>/pungi-fedora.git
|
| |
+ $ cd pungi-fedora
|
| |
+ $ vim *conf
|
| |
+ <set key value in sigkeys = line >
|
| |
+ $ git commit -m 'Add new key'
|
| |
+ $ git push
|
| |
+ $ file a Pull Request
|
| |
+ ....
|
| |
+
|
| |
+ ==== Koji
|
| |
+
|
| |
+ Koji has a garbage collection utility that will find builds that meet
|
| |
+ criteria to be removed to save space. Part of that criteria has to do
|
| |
+ with whether or not the build has been signed with a key. If the
|
| |
+ collection utility doesn't know about a key it will ignore the build.
|
| |
+ Thus as we create new keys we need to inform the utility of these keys
|
| |
+ or else builds can pile up. The configuration for the garbage collection
|
| |
+ lives within ansible.
|
| |
+
|
| |
+ On a clone of the infrastructure ansible git repo edit the
|
| |
+ roles/koji_hub/templates/koji-gc.conf.j2 file:
|
| |
+
|
| |
+ ....
|
| |
+ diff --git a/roles/koji_hub/templates/koji-gc.conf.j2 b/roles/koji_hub/templates/koji-gc.conf.j2
|
| |
+ index 9ecb750..9c48a8e 100644
|
| |
+ --- a/roles/koji_hub/templates/koji-gc.conf.j2
|
| |
+ +++ b/roles/koji_hub/templates/koji-gc.conf.j2
|
| |
+ @@ -35,6 +35,7 @@ key_aliases =
|
| |
+ 81B46521 fedora-24
|
| |
+ FDB19C98 fedora-25
|
| |
+ 64DAB85D fedora-26
|
| |
+ + F5282EE4 fedora-27
|
| |
+ 217521F6 fedora-epel
|
| |
+ 0608B895 fedora-epel-6
|
| |
+ 352C64E5 fedora-epel-7
|
| |
+ @@ -52,6 +53,7 @@ unprotected_keys =
|
| |
+ fedora-24
|
| |
+ fedora-25
|
| |
+ fedora-26
|
| |
+ + fedora-27
|
| |
+ fedora-extras
|
| |
+ redhat-beta
|
| |
+ fedora-epel
|
| |
+ @@ -91,6 +93,7 @@ policy =
|
| |
+ sig fedora-24 && age < 12 weeks :: keep
|
| |
+ sig fedora-25 && age < 12 weeks :: keep
|
| |
+ sig fedora-26 && age < 12 weeks :: keep
|
| |
+ + sig fedora-27 && age < 12 weeks :: keep
|
| |
+ sig fedora-epel && age < 12 weeks :: keep
|
| |
+ sig fedora-epel-6 && age < 12 weeks :: keep
|
| |
+ sig fedora-epel-7 && age < 12 weeks :: keep
|
| |
+ ....
|
| |
+
|
| |
+ In this case the fedora-epel key was added to the list of key aliases,
|
| |
+ then referenced in the list of unprotected_keys, and finally a policy
|
| |
+ was created for how long to keep builds signed with this key.
|
| |
+
|
| |
+ Once you've made your change commit and push. The buildsystem will pick
|
| |
+ up this change the next time puppet refreshes.
|
| |
+
|
| |
+ === Verification
|
| |
+
|
| |
+ We can verify that the key was created in sigul, the correct users have
|
| |
+ access to the key, the key was added to the fedora-release package, that
|
| |
+ the website was updated with the right key, that sigulsign_unsigned was
|
| |
+ properly updated, and that the key was successfully updated to the
|
| |
+ public key servers.
|
| |
+
|
| |
+ ==== sigul
|
| |
+
|
| |
+ Use the `list-keys` command to verify that the key was indeed added to
|
| |
+ sigul:
|
| |
+
|
| |
+ ....
|
| |
+ $ sigul list-keys
|
| |
+ Administrator's password:
|
| |
+ fedora-10
|
| |
+ fedora-10-testing
|
| |
+ fedora-11
|
| |
+ fedora-12
|
| |
+ fedora-13
|
| |
+ ....
|
| |
+
|
| |
+ Our new key should be on the list. This command expects *your*
|
| |
+ administrative password.
|
| |
+
|
| |
+ Use the `list-key-users` command to verify all the signers have access:
|
| |
+
|
| |
+ ....
|
| |
+ $ sigul list-key-users fedora-13
|
| |
+ Key passphrase:
|
| |
+ jkeating
|
| |
+ jwboyer
|
| |
+ ....
|
| |
+
|
| |
+ This command expects *your* key passphrase for the key in question.
|
| |
+
|
| |
+ ==== fedora-release
|
| |
+
|
| |
+ To verify that the key was added to this package correctly, download the
|
| |
+ latest build from koji and run rpm2cpio on it, then run gpg on the key
|
| |
+ file:
|
| |
+
|
| |
+ ....
|
| |
+ $ koji download-build --arch noarch --latest f27 fedora-repos
|
| |
+ fedora-repos-rawhide-27-0.1.noarch.rpm | 7.3 kB 00:00:00
|
| |
+ fedora-repos-27-0.1.noarch.rpm | 87 kB 00:00:00
|
| |
+ $ rpmdev-extract fedora-repos-27-0.1.noarch.rpm
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-27-fedora
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-10-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-10-ppc
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-10-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-10-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-10-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11-ppc
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-12-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-12-ppc
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-12-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-12-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-12-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-13-arm
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-13-armhfp
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-13-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-13-mips
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-13-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-13-secondary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-13-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-14-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-14-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-14-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-15-arm
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-15-armhfp
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-15-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-15-ppc
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-15-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-15-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-15-s390
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-15-s390x
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-15-secondary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-15-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-16-arm
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-16-armhfp
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-16-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-16-ppc
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-16-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-16-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-16-s390
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-16-s390x
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-16-secondary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-16-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-17-arm
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-17-armhfp
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-17-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-17-ppc
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-17-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-17-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-17-s390
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-17-s390x
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-17-secondary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-17-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-18-arm
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-18-armhfp
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-18-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-18-ppc
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-18-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-18-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-18-s390
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-18-s390x
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-18-secondary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-18-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-19-armhfp
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-19-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-19-ppc
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-19-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-19-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-19-s390
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-19-s390x
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-19-secondary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-19-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-armhfp
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-ppc
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-s390
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-s390x
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-secondary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-21-aarch64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-21-armhfp
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-21-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-21-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-21-ppc64le
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-21-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-21-s390
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-21-s390x
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-21-secondary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-21-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-22-aarch64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-22-armhfp
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-22-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-22-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-22-ppc64le
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-22-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-22-s390
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-22-s390x
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-22-secondary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-22-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-aarch64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-armhfp
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-ppc64le
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-s390
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-s390x
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-secondary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-24-aarch64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-24-armhfp
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-24-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-24-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-24-ppc64le
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-24-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-24-s390x
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-24-secondary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-24-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-aarch64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-armhfp
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-ppc64le
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-s390x
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-secondary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-aarch64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-armhfp
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-ppc64le
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-s390x
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-secondary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-aarch64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-armhfp
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-ppc64le
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-s390x
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-7-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-8-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-8-ppc
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-8-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-8-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-8-primary-original
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-8-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-9-i386
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-9-ia64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-9-ppc
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-9-ppc64
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-9-primary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-9-primary-original
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-9-secondary
|
| |
+ fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-9-x86_64
|
| |
+ fedora-repos-27-0.1.noarch/etc/yum.repos.d
|
| |
+ fedora-repos-27-0.1.noarch/etc/yum.repos.d/fedora-cisco-openh264.repo
|
| |
+ fedora-repos-27-0.1.noarch/etc/yum.repos.d/fedora-updates-testing.repo
|
| |
+ fedora-repos-27-0.1.noarch/etc/yum.repos.d/fedora-updates.repo
|
| |
+ fedora-repos-27-0.1.noarch/etc/yum.repos.d/fedora.repo
|
| |
+
|
| |
+ $ gpg2 fedora-repos-27-0.1.noarch/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-primary
|
| |
+ pub rsa4096 2017-02-21 [SCE]
|
| |
+ 860E19B0AFA800A1751881A6F55E7430F5282EE4
|
| |
+ uid Fedora 27 (27) <fedora-27@fedoraproject.org>
|
| |
+ pub 4096R/E8E40FDE 2010-01-19 Fedora (13) <fedora@fedoraproject.org>
|
| |
+ ....
|
| |
+
|
| |
+ You may wish to do this in a tempoary directory to make cleaning it up
|
| |
+ easy.
|
| |
+
|
| |
+ ==== getfedora.org
|
| |
+
|
| |
+ One can simply browse to https://getfedora.org/keys to verify that the
|
| |
+ key has been uploaded.
|
| |
+
|
| |
+ ==== sigulsign_unsigned
|
| |
+
|
| |
+ The best way to test whether or not the key has been added correctly is
|
| |
+ to sign a package using the key, like our newly built fedora-repos
|
| |
+ package.
|
| |
+
|
| |
+ ....
|
| |
+ $ ./sigulsign_unsigned.py fedora-13 fedora-release-13-0.3
|
| |
+ Passphrase for fedora-13:
|
| |
+ ....
|
| |
+
|
| |
+ The command should exit cleanly.
|
| |
+
|
| |
+ ==== Public key servers
|
| |
+
|
| |
+ One can use the <code>search-keys</code> command from gpg to locate the
|
| |
+ key on the public server:
|
| |
+
|
| |
+ ....
|
| |
+ $ gpg2 --search-keys "Fedora (13)"
|
| |
+ gpg: searching for "Fedora (13)" from hkp server subkeys.pgp.net
|
| |
+ (1) Fedora (13) <fedora@fedoraproject.org>
|
| |
+ 4096 bit RSA key E8E40FDE, created: 2010-01-19
|
| |
+ ...
|
| |
+ ....
|
| |
+
|
| |
+ ==== Koji
|
| |
+
|
| |
+ Log into koji02.phx2.fedoraproject.org by way of
|
| |
+ bastion.fedoraproject.org.
|
| |
+
|
| |
+ Verify that `/etc/koji-gc/koji-gc.conf` has the new key in it.
|
| |
+
|
| |
+ === Consider Before Running
|
| |
+
|
| |
+ Nothing at this time.
|
| |
Signed-off-by: Tomas Hrcka thrcka@redhat.com