Tuesday, February 3, 2015

Koji Copy Signed

Recently I implemented a Koji RPM Build Server at my place of work. When it came time to sign packages before mashing repos, I was faced with a small dilemma. The Sigul signing server is a great solution for signing hundreds of packages and moving them to the correct destination on disk for mash to pick them up and mash together into a repo. However, for my use we would not need something so robust, as we would only require a hundred or so packages in total, so I set out in search of a simpler solution.

Fortunately I found one: a koji plugin by the name of sign.py written by Paul B Schroeder <paulbsch "at" vbridges "dot" com>. It is a neat little plugin which signs packages at build time. The issue I ran into was that the packages would be signed at build then left in /mnt/koji/packages/pkgname/#/#/arch/package.rpm. Mash, when using strict_keys for packages, looks under /mnt/koji/packages/pkgname/#/#/data/signed/keyid/arch/package.rpm for the signed packages to mash into a repo. I plan on eventually implementing this change directly into the plugin, but since I was in a hurry I whipped up a quick script to run in between mash crons which copies the signed RPMs to the correct location for mash to pick up.

I will admit this is a bit redundant, since the packages are already signed at build time and can be mashed into a repo just fine provided I don't set strict_keys with mash. I prefer this method as it ensures packages mashed into repos have the key I specify. In terms of disk space, I rationalize this concern with the idea that if I were to implement Sigul, the RPMs would be copied to the same signed dir as my solution here, so really either way I'd be eating up space in two places for the same RPM.

The script can be found on GitHub @ copy_signed.py
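The copy step described above can be sketched as follows. This is an added example, not the copy_signed.py linked from this post: it copies an RPM into data/signed/keyid/arch/ only when the signature in the file reports the expected key, so the strict_keys tree never receives an unsigned or differently signed package. The function names, the lowercase 8-hex-digit form of keyid, and the use of rpm's SIGPGP/SIGGPG query tags are assumptions of the example.

```python
import re
import shutil
import subprocess
from pathlib import Path

KEY_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,16})")

def rpm_key_id(rpm_path):
    """Return the short key ID (last 8 hex digits) of the RPM's signature, or None."""
    out = subprocess.run(
        ["rpm", "-qp", "--qf", "%{SIGPGP:pgpsig} %{SIGGPG:pgpsig}", str(rpm_path)],
        capture_output=True, text=True, check=True).stdout
    m = KEY_RE.search(out)  # unsigned packages print "(none)" and do not match
    return m.group(1)[-8:].lower() if m else None

def copy_signed(topdir, key_id, key_id_of=rpm_key_id):
    """Copy RPMs signed with key_id to data/signed/<key_id>/<arch>/; return new copies."""
    key_id = key_id.lower()  # assumption: keyid directory is lowercase short ID
    copied = []
    # Layout from the post: <topdir>/<pkgname>/<#>/<#>/<arch>/<package>.rpm
    for rpm in sorted(Path(topdir).glob("*/*/*/*/*.rpm")):
        arch_dir = rpm.parent
        if arch_dir.name == "data" or key_id_of(rpm) != key_id:
            continue  # not a build output, unsigned, or signed with another key
        dest = arch_dir.parent / "data" / "signed" / key_id / arch_dir.name / rpm.name
        if dest.exists():
            continue  # already copied by an earlier cron run
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(rpm, dest)
        copied.append(dest)
    return copied
```

Run between mash crons as, for example, copy_signed("/mnt/koji/packages", "<keyid>"), where <keyid> is a placeholder for the key mash is configured to require.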