On 2012-07-29 18:48 +0200 Magnus Therning wrote:
Correct me if I'm wrong in this assumption, but I need to have the following three items available when running the script:
1. The newly-built package. 2. The repo database (x.db.tar.gz) I'm adding the package to. 3. The secret key.
1 & 3, yes. If you have all of the packages then the full database will be recreated so you don't actually need 2, but if it's present then it will be updated with the selected packages.
This is a slight problem for me. I build on kiwilight (where I'm not alone in having root access), the database is on xsounds.org (where I don't have root access at all), and to be fully comfortable I'd like to keep the secret key and perform the signing on my own machine :-)
Is there some way to simply extract the actual data that is to be signed (the hashes), and perform the actual signing manually?
I'm not sure, but I think gpg needs the full file to generate the signature. There might be some way to dig the hashing algorithm out of the source code and then create your own remote signing function with it, but that would require knowledge of gpg internals. One solution might be to build the packages on kiwilight, then mount the directory of built packages with sshfs. You could then run the signing script locally. I don't know much bandwith that will use, but I think it's worth trying. In the worst case scenario, it will be equivalent to downloading the packages. Whether or not that's a problem depends on your connection. If I understand the problem correctly, you do not generate the database yourself. That should not be a problem for package signatures, as repo-add will include them in the database as long as the signature files are present when it adds the packages. If you can't remote-mount xsounds with sshfs and sign the database there, just download it and sign it locally then upload the database signature file. If that is not possible for whatever reason, just having package signatures is better than nothing. However, given what you've said about not being the only one to have access to these repos, I think package signing in this case is very important. I would also like to know who does have access to these files. On kiwilight I believe that it is only Kaiting, who is a TU. Who has access on xsounds? Could you simply make kiwilight the main host and have xsounds mirror it? The process would then be the following: 1) ssh into kiwilight, build, and move to haskell/$arch if necessary 2) mount haskell/$arch via ssh and run the signing script locally You would then have a fully signed repo in haskell/$arch that can be mirrored by xsounds.