Create release signing key

From FedoraProject


Revision as of 01:13, 22 January 2010

== Description ==

At the beginning of each release cycle a new package signing key is created for the release under development. This key is used to prove the authenticity of packages built and distributed by Fedora, and it signs all packages for the public test and final releases.

== Action ==

1) Log into a system configured to run sigul client.

2) Create the key, supplying a good passphrase when prompted:

$ sigul new-key --key-admin jkeating --name-real Fedora --name-comment 13 --name-email fedora@fedoraproject.org fedora-13

3) Wait a while for entropy to be gathered.

4) Grant key access to the Fedora Account holders who will be signing packages. Protect the key access with a temporary passphrase, for example "CHANGEME":

$ sigul grant-key-access fedora-13 jwboyer

5) Provide the key name and temporary passphrase to the signers. All users who were granted access should then change their passphrase:

 $ sigul change-passphrase fedora-13

 If they don't respond, revoke their access until they are ready to change their passphrase.

6) Add the key to the fedora-release package. Export the public key and save it as RPM-GPG-KEY-fedora-13-primary:

  $ sigul get-public-key fedora-13

7) Make sure the fedora-release spec file handles the new key file correctly.

8) Make a new fedora-release for rawhide (FIXME: this should be its own SOP)

9) Add the key to fedoraproject.org/keys by emailing the ASCII-armored key block to webmaster@fedoraproject.org. It can also be retrieved from viewvc: http://cvs.fedoraproject.org/viewvc/fedora-release/RPM-GPG-KEY-fedora-13-primary?revision=1.1&root=fedora&view=co

10) Add the key details to the sigulsign_unsigned script, which lives in the scripts/ directory of the Release Engineering git repo (need full URL):

 git://git.fedorahosted.org/git/releng

 Add the key to the KEYS dictionary near the top. You need to know the key ID, which gpg prints when given the key block from get-public-key:

 $ gpg <key block from get-public-key>

Upload the key to the key servers:

 $ gpg --import <block>
 $ gpg --send-keys <keyid>
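The key ID needed for the KEYS dictionary and for --send-keys comes from the exported key block, and the Verification section below is still empty, so here is an added example (not part of this SOP, sigul or the releng scripts) that dearmors an RPM-GPG-KEY-* file, checks its armor CRC, derives the OpenPGP v4 fingerprint and key ID, and confirms the ID recorded in a KEYS dictionary matches the key file. The `{"fedora-13": {"id": ...}}` shape of KEYS is an assumption, the sample key is constructed, and only old-format public-key packets with a 2-byte length (as gpg exports them) are handled.

```python
"""Added example (not Fedora's or sigul's code): verify an exported release key file
and cross-check the key ID recorded in a KEYS dictionary (assumed shape)."""
import base64, hashlib, struct

def crc24(data):
    crc = 0xB704CE                      # OpenPGP armor checksum, RFC 4880 section 6.1
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text):
    lines = text.strip().splitlines()
    start = lines.index("") + 1         # data begins after the blank line that ends the armor headers
    body = [l for l in lines[start:] if not l.startswith("-----")]
    crc_line = body.pop()               # final "=XXXX" line carries the CRC24
    data = base64.b64decode("".join(body))
    if crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC24 mismatch: key block is corrupt or was altered")
    return data

def key_fingerprint(data):
    # Expect an old-format public-key packet (tag 6) with a 2-byte length, as gpg exports them
    if data[0] != 0x99:
        raise ValueError("expected an old-format public-key packet with 2-byte length")
    length = struct.unpack(">H", data[1:3])[0]
    body = data[3:3 + length]
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    # v4 fingerprint = SHA-1(0x99 || 2-byte length || packet body), RFC 4880 section 12.2
    return hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()

def key_id(data):
    return key_fingerprint(data)[-16:]  # the key ID is the low 64 bits of the fingerprint

def keys_entry_matches(keys, name, armored):
    # Cross-check the key ID a signing script records against the actual key file
    return keys[name]["id"].upper() == key_id(dearmor(armored))

def build_sample_key():
    # Constructed sample: v4 RSA public-key packet with a dummy modulus, armored like gpg output
    def mpi(x):
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1264118400) + b"\x01" + mpi((1 << 1023) | 0xC0FFEE) + mpi(65537)
    data = b"\x99" + struct.pack(">H", len(body)) + body
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Run it against the real RPM-GPG-KEY-fedora-13-primary file to get the ID for the KEYS entry, then call keys_entry_matches with the dictionary from sigulsign_unsigned as the verification step.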

== Verification ==

FIXME--need verification steps

== Consider Before Running ==

FIXME--anything to add here?