signing rpms | narrabilis.com

By thomas, Fri, 07/24/2009 - 00:02

RPMs Needed

This is a list of the packages needed

puppet
puppet-server
facter
ruby-shadow

augeas
augeas-libs
ruby-augeas

func
certmaster
smolt
python-ctypes
python-paste
python-simplejson

Now, you'll need to either download the src rpm or binary rpms for the packages you wish to redistribute to your clients (Make sure you can legally redistribute these rpms). For our purposes we will need the func, puppet, facter and augeas rpms. We will download them from the epel repository. Using lftp is one of the quickest ways to find all the right files and download them. First we'll setup the directories for our repository, then we'll start downloading.

[root@server0 ~]# cd /var/www/html/install
[root@server0 install]# mkdir -p Local/SRPMS Local/i386 Local/x86_64
[root@server0 install]# cd Local
[root@server0 Local]# lftp http://download.fedora.redhat.com/pub/epel/5/x86_64/
cd ok, cwd=/pub/epel/5/x86_64                                              
lftp download.fedora.redhat.com:/pub/epel/5/x86_64> get puppet-0.24.8-1.el5.1.noarch.rpm 
554952 bytes transferred                                             
lftp download.fedora.redhat.com:/pub/epel/5/x86_64> get puppet-server-0.24.8-1.el5.1.noarch.rpm 
26918 bytes transferred                                                   
lftp download.fedora.redhat.com:/pub/epel/5/x86_64> get func-0.24-1.el5.noarch.rpm 
282228 bytes transferred                                     
...
lftp download.fedora.redhat.com:/pub/epel/5/x86_64> quit
[root@server0 Local]# ls
augeas-0.5.1-1.el5.x86_64.rpm       puppet-server-0.24.8-1.el5.1.noarch.rpm
augeas-libs-0.5.1-1.el5.x86_64.rpm  ruby-augeas-0.2.0-1.el5.x86_64.rpm
...
python-simplejson-2.0.3-2.el5.x86_64.rpm

At this point we have our rpms downloaded, we need to place them in the appropriate directories, and also sign them (they are signed by the epel repo at this point). We'll sign them first, this requires giving the signer user permission to write in the Local directory and setting the .rpmmacros file in signers home directory to use the correct signing key.

[root@server0 Local]# rpm -K augeas-0.5.1-1.el5.x86_64.rpm 
augeas-0.5.1-1.el5.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#217521f6) 
[root@server0 Local]# chown -R signer:signer .
[root@server0 Local]# su - signer
[signer@server0 ~]$ gpg --list-keys
/home/signer/.gnupg/pubring.gpg
-------------------------------
pub   2048R/44CB93FD 2009-07-23 [expires: 2019-07-21]
uid                  Repository Signer (Example Com) 

[signer@server0 ~]$ cat .rpmmacros
> %_signature gpg
> %_gpg_name Repository Signer (Example Com) 
> EOF
[signer@server0 ~]$ cd /var/www/html/install/Local
[signer@server0 Local]$ rpm --resign *.rpm
Enter pass phrase: 
Pass phrase is good.
augeas-0.5.1-1.el5.x86_64.rpm:
augeas-libs-0.5.1-1.el5.x86_64.rpm:
facter-1.5.5-1.el5.noarch.rpm:
...
[signer@server0 Local]$ rpm -K augeas-0.5.1-1.el5.x86_64.rpm 
augeas-0.5.1-1.el5.x86_64.rpm: rsa sha1 (md5) pgp md5 OK