Release package signing
For each of Fedora's public releases (Alpha, Beta, and Final) it is Release Engineering's responsibility to sign all packages with Fedora's GPG key. This provides confidence to Fedora's users about the authenticity of packages provided by Fedora.
The Creating Release Signing Key SOP explains the process for creating the GPG key used.
Consider Before Running
This script takes a very long time to run, as much as 4 or 5 days, so it needs to be started well in advance of when you need the packages all signed.
Signing all the packages will cause a lot of churn on the mirrors, so expect longer than usual compose and rsync times, as well as potential issues with proxies as file contents change but the name remains the same.
1) Log into a system with
sigul and start a
screen session. The signing process takes a long time--screen allows the process to continue if you session gets disconnected.
$ screen -S sign
2) Check out the Release Engineering
$ git clone git://git.fedorahosted.org/git/releng
3) Change directories to the
scripts directory to execute
For example, to sign everything for Fedora 13 Alpha we would issue:
$ ./sigulsign_unsigned.py -vv --tag dist-f13 fedora-13
This signs the packages with verbose output so you can track progress incrementally.
Once the signing is done, use
rpmdev-checksig to verify that a package has been signed. You can use the output of a recent rawhide compose to test. In this example we use a released Fedora 12 package:
$ rpmdev-checksig /pub/fedora/linux/releases/12/Everything/i386/os/Packages/pungi-2.0.20-1.fc12.noarch.rpm /pub/fedora/linux/releases/12/Everything/i386/os/Packages/pungi-2.0.20-1.fc12.noarch.rpm: MISSING KEY - 57bbccba
This output shows that the apckage was signed with key 57bbccba, and that this key does not exist in your local rpm database. If the key did exist in the local rpm database it's likely there would be no output so it's best to run this on a system that does not have gpg keys imported.