Revision as of 00:47, 23 January 2010
Description
At the beginning of each release under development a new package signing key is created for it. This key is used to prove the authenticity of packages built by Fedora and distributed by Fedora. This key will be used to sign all packages for the public test and final releases.
Action
1) Log into a system configured to run sigul client.
2) Create the key using a strong passphrase when prompted
$ sigul new-key --key-admin jkeating --name-real Fedora --name-comment 13 --name-email fedora@fedoraproject.org fedora-13
3) Wait a while for entropy
4) Grant key access to the Fedora Account holders who will be signing packages, and protect it with a temporary passphrase, for example "CHANGEME".
$ sigul grant-key-access fedora-13 jwboyer
5) Provide the key name and temporary passphrase to signers. If they don't respond, revoke access until they are ready to change their passphrase.
$ sigul change-passphrase fedora-13   # each user granted access runs this to replace the temporary passphrase
6) Add the key to fedora-release package
$ sigul get-public-key fedora-13 RPM-GPG-KEY-fedora-13-primary
7) Make sure the spec file will handle it correctly
- FIXME: need more detail here
8) Make a new fedora-release for rawhide (FIXME: this should be its own SOP)
9) Add the key to fedoraproject.org/keys by emailing the ASCII-armored key block to webmaster@fedoraproject.org. It can also be retrieved from viewvc: http://cvs.fedoraproject.org/viewvc/fedora-release/RPM-GPG-KEY-fedora-13-primary?revision=1.1&root=fedora&view=co
10) Add the key details to the KEYS dictionary near the top of the sigulsign_unsigned.py script. It lives in Release Engineering's git repo at git://git.fedorahosted.org/git/releng in the scripts directory. You will need to know the key ID to insert the correct information:
$ gpg <key block from get-public-key>
11) Upload the key to key servers
$ gpg --import <block>
$ gpg --send-keys <keyid>
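Steps 10 and 11 both need the key ID, and the Verification section below is still empty. The following is an added example, not part of this SOP and not code from the releng scripts or from sigul: it reads the ASCII-armored file written by get-public-key (assumed to be a standard OpenPGP public key block, as exported by gpg), checks the armor CRC-24 so a truncated or mangled paste is caught, and computes the v4 fingerprint (SHA-1 over 0x99, a two-byte length, and the public-key packet), whose low 64 bits are the key ID. The key block it parses is constructed inside the script from a toy public-key packet and is not a real Fedora key; on a real system you would read RPM-GPG-KEY-fedora-13-primary instead and compare the result with what gpg prints.

```python
"""Derive the OpenPGP key ID from an exported RPM-GPG-KEY file.

Added example (not part of the SOP or the releng scripts). The key ID that
sigulsign_unsigned.py needs is the low 64 bits of the v4 fingerprint, which
is the SHA-1 of the public-key packet (RFC 4880 section 12.2). The sample
key block at the bottom is constructed for this demo and is not a real key.
"""
import base64
import hashlib
import re

PUBLIC_KEY_TAG = 6  # OpenPGP packet tag for a primary public key


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 used in the armor trailer (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Return the binary packets inside a PGP PUBLIC KEY BLOCK, verifying the CRC."""
    m = re.search(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)-----END PGP PUBLIC KEY BLOCK-----",
                  text, re.S)
    if not m:
        raise ValueError("no public key block found")
    lines = m.group(1).splitlines()
    # Armor headers (Version:, Comment:) end at the first blank line.
    if "" in lines:
        lines = lines[lines.index("") + 1:]
    crc_line, data_lines = None, []
    for line in (l.strip() for l in lines):
        if line.startswith("="):
            crc_line = line[1:]
        elif line:
            data_lines.append(line)
    data = base64.b64decode("".join(data_lines))
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line), "big")
        if crc24(data) != expected:
            raise ValueError("armor CRC-24 mismatch: key block is corrupt or truncated")
    return data


def packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header")
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header, as gpg writes for key material
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i + 1:i + 1 + nbytes], "big")
            i += 1 + nbytes
        yield tag, data[i:i + length]
        i += length


def fingerprint_v4(body: bytes) -> str:
    """v4 fingerprint: SHA-1 over 0x99, 2-byte body length, and the packet body."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def key_info(armored: str) -> dict:
    """Fingerprint, long (16 hex) and short (8 hex) key IDs of the primary key."""
    for tag, body in packets(dearmor(armored)):
        if tag == PUBLIC_KEY_TAG:
            fpr = fingerprint_v4(body)
            return {"fingerprint": fpr, "keyid": fpr[-16:], "short_id": fpr[-8:],
                    "created": int.from_bytes(body[1:5], "big")}
    raise ValueError("no public-key packet in block")


# --- constructed sample key block (demo data, not a real key) ----------------
def _mpi(value: int) -> bytes:
    return value.bit_length().to_bytes(2, "big") + value.to_bytes((value.bit_length() + 7) // 8, "big")


def armor(packet_list) -> str:
    """Wrap packets in old-format headers and PGP armor the way gpg exports them."""
    raw = b"".join(bytes([0x80 | (tag << 2)]) + len(body).to_bytes(1, "big") + body
                   for tag, body in packet_list)
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines)
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


# v4, constructed creation time, RSA (algo 1) with a toy 64-bit modulus.
SAMPLE_KEY_BODY = b"\x04" + (1264204800).to_bytes(4, "big") + b"\x01" + _mpi(0xC0FFEE1234567891) + _mpi(65537)
SAMPLE_BLOCK = armor([(PUBLIC_KEY_TAG, SAMPLE_KEY_BODY)])

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BLOCK
    print(key_info(text))
```

Run it with the exported file as the first argument (`python3 keyid.py RPM-GPG-KEY-fedora-13-primary`) and compare the fingerprint and key ID it prints with `gpg --with-fingerprint RPM-GPG-KEY-fedora-13-primary`; both must agree before the ID goes into the KEYS dictionary or the key is pushed to the key servers. The CRC check is what turns a silently truncated paste into a hard failure instead of a key nobody can import.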
Verification
FIXME--need verification steps
Consider Before Running
FIXME--anything to add here?