incubator-bigtop-dev mailing list archives

From Steve Loughran <ste...@apache.org>
Subject Fwd: Re: An ASF yum repository?
Date Tue, 28 Feb 2012 11:54:17 GMT

Here's an example of a script for yum copy & sign; this could go into 
the bigtop svn tree so we can play with it to make sure it works

-------- Original Message --------
Subject: Re: An ASF yum repository?
Date: Sun, 26 Feb 2012 16:36:36 +0200
From: Graham Leggett <minfrin@sharp.fm>
To: Henk P. Penning <penning@uu.nl>
CC: Steve Loughran <stevel@apache.org>, Tony Stevenson <pctony@apache.org>, Apache Infrastructure <infrastructure@apache.org>

On 25 Feb 2012, at 8:59 PM, Henk P. Penning wrote:

>  sounds good ; better even than we have for the 'usual' stuff.
>
>  One problem : the KEYS file isn't authoritative in any way ;
>  it is just a useless bag of keys ; it is better to start over.
>
>  I think we need
>
>  1 (per PMC) a file that indicates which (keys of) Release Managers
>    can sign stuff in what (sub) trees ;
>    this file must be signed by someone in the PMC ; see (2).
>
>  2 an ASF wide file indicating (for each project) which keys can sign
>    the "per PMC" files  in (1) ;
>    this file must be signed by a "well-known key" (keymaster-key).
>
>  With a dedicated keymaster (team), this would work, I think.
>  Time for a pilot ?

Perhaps a signing script like this that runs on a checkout of dist:

[minfrin@257233-app1 x86_64]$ cat ~/scan-incoming.sh
#!/bin/bash

INCOMING=${1}
# ASF keyid
KEYID=12345678
DEST=../release
RPMCHECK="/usr/bin/rpmsign -v -K"
RPMSIGN="echo ~/rpm-sign.expect"
SVN="echo /usr/bin/svn"

#
# Find every RPM file in the /sign directory in svn.
# For every correctly signed RPM, that isn't signed with the ASF KEY:
#  - Move the file to the /release directory; then
#  - Sign it with the ASF key; then
#  - Commit the changes.
#

cd ${INCOMING}
find . -type f -name \*.rpm | while read f
do
   # The pipeline succeeds only if the RPM carries a valid signature
   # from some key other than the ASF key (unsigned or bad-signature
   # packages produce no "OK" line and are skipped).
   ${RPMCHECK} "${f}" | grep -v "V3 DSA signature: OK, key ID ${KEYID}" | grep "V3 DSA signature: OK, key ID" > /dev/null
   if [ $? -eq 0 ]; then
     echo "Moving ${f} to ${DEST}/${f}"
     ${SVN} move "${f}" "${DEST}/${f}"
     echo "Signing ${f}"
     ${RPMSIGN} "${DEST}/${f}"
     echo "Committing signed artifacts"
     ${SVN} commit -m "Signing ${f} with key ${KEYID}" "${f}" "${DEST}/${f}"
   fi
done

Turns out rpmsign is a bit brain dead, and refuses to work 
non-interactively, and an expect script seems to be the accepted workaround:

[minfrin@257233-app1 x86_64]$ cat ~/rpm-sign.expect
#!/usr/bin/expect -f
#

proc usage {} {
     send_user "Usage: rpm-sign.expect rpmfile\n\n"
     exit
}

if {[llength $argv]!=1} usage

# First (and only) argument is the RPM to sign.
set rpmfile [lindex $argv 0]

# The _gpg_name value must stay on one line; the mailer wrapped it.
spawn rpm --addsign -D "_signature gpg" -D "_gpg_name Testing Key (Testing key for RPMs) <testing@apache.org>" $rpmfile
expect -exact "Enter pass phrase: "
send -- "passphrase\r"
expect eof

This would just need a location to run, where both rpm and yum are 
available.

Regards,
Graham
--
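An added example, not part of Graham's message or the bigtop tree: the grep chain in scan-incoming.sh collapses the result of `rpmsign -v -K` into a single yes/no, so a package that is unsigned, has a BAD signature, or is signed by a key not in the host's keyring (NOKEY) is skipped without any record. The function below makes the same decision but reports the reason. The key id is the same placeholder as in the posted script, and the rpm output samples are constructed to follow the layout rpm prints, not captured from a real archive.

```shell
#!/bin/bash
# Added example, not code from the thread: re-implements the decision the
# posted scan-incoming.sh makes with its grep chain, but as a function that
# reports why a package was or was not selected for signing.
# The rpm -K style output below is constructed for this example.

ASF_KEYID=12345678   # placeholder key id, same as in the posted script

# classify_rpm_sig KEYID  (reads `rpmsign -v -K` / `rpm -Kv` output on stdin)
# Prints one of:
#   already-signed  a signature by KEYID is present, nothing to do
#   needs-signing   a valid signature by some other (Release Manager) key
#   bad-signature   a BAD or NOKEY result; never sign these
#   unsigned        no signature lines at all
classify_rpm_sig() {
    keyid="$1"
    status="unsigned"
    while IFS= read -r line; do
        case "$line" in
            *"signature: BAD"*|*"signature: NOKEY"*)
                echo "bad-signature"
                return 0
                ;;
            *"signature: OK, key ID ${keyid}"*)
                status="already-signed"
                ;;
            *"signature: OK, key ID "*)
                if [ "$status" = "unsigned" ]; then
                    status="needs-signing"
                fi
                ;;
        esac
    done
    echo "$status"
}

# Constructed samples in the layout rpm prints for `rpm -Kv foo.rpm`.
SAMPLE_RM_SIGNED='foo-1.0-1.x86_64.rpm:
    Header V3 DSA signature: OK, key ID deadbeef
    Header SHA1 digest: OK
    MD5 digest: OK
    V3 DSA signature: OK, key ID deadbeef'

SAMPLE_ASF_SIGNED='foo-1.0-1.x86_64.rpm:
    Header V3 DSA signature: OK, key ID 12345678
    V3 DSA signature: OK, key ID 12345678'

SAMPLE_BAD='foo-1.0-1.x86_64.rpm:
    Header V3 DSA signature: BAD, key ID deadbeef
    V3 DSA signature: BAD, key ID deadbeef'

SAMPLE_NOKEY='foo-1.0-1.x86_64.rpm:
    Header V3 DSA signature: NOKEY, key ID cafef00d
    V3 DSA signature: NOKEY, key ID cafef00d'

SAMPLE_UNSIGNED='foo-1.0-1.x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'

# Stand-alone demonstration: print the verdict for each sample.
for name in RM_SIGNED ASF_SIGNED BAD NOKEY UNSIGNED; do
    eval "sample=\$SAMPLE_$name"
    printf '%-12s %s\n' "$name" "$(printf '%s\n' "$sample" | classify_rpm_sig "$ASF_KEYID")"
done
```

The NOKEY case is the one to watch in the posted pipeline: a Release Manager's package whose public key has not been imported on the signing host looks exactly like an unsigned package to the grep chain and is silently left in the incoming directory, so the per-PMC key list Henk proposes has to be imported into the signing host's rpm keyring before the scan runs, and the scan should log what it skipped.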

