On Thu, May 25, 2006 at 05:18:06PM +0200, Pascal Bleser wrote:
Trying to add signatures to my (yast2) RPM repository
A couple of unclear things in there I'd like to poke on.
"When YaST detects an installation source it checks if the file
"products" is there, and then checks if it is signed with a known key.
If it is not signed at all or with an unknown key, or if the key is on
the media, but not trusted (yet), the user will be asked what to do."
"The key is usually also on the installation media as
What it doesn't say clearly is where/how YaST2 will try to fetch the
armored/exported key in order to propose importing it.
I assume it uses whatever is defined in "content" using the "KEY"
(see below). Correct?
For /content it is /content.key.
For repomd.xml it is /repomd.xml.key.
Not sure for SUSE old-style sources.
I would have to check the source ;)
"The "content" file is signed in the same manner as the
so there is a "content.key" (usually, but not necessarily the same as
Those "content.key"/"products.key" files are not mentioned anywhere
Are those copies of the ASCII-armored, exported GPG key?
Yes. ASCII Armor is not necessary.
"META keys are added for all files in the directory named in the key
So in "content" I should have something like:
KEY SHA1 33ad20fe228350dc4e0f0cd7967460c31266af36 gpg-pubkey-guru.asc
META SHA1 4baafd9998ea4e20245f82e507c6db6b723f4597 packages
META SHA1 965ba5faeea815d41ba308ffd193b78505b26c1c directory.yast
META SHA1 4565f769ae573f89dddbf2eef1357b59a88ad1df packages.DU
META SHA1 c53400cdb9e16ac0d9add587585fc77c86f132c5 packages.en
"Before YaST uses any file from DESCRDIR it will look up the entry in
"content". This entry is currently a SHA1 checksum followed by the
package name. This may change to a SHA256 checksum."
A "package" name? I suppose what is meant here is "file" name. Is it
A filename, yes.
"The next step in the chain is the file "packages" in DESCRDIR.
If you are familiar with its syntax you will see that we added a new tag
there, too, right after the "Pkg:" tag. Here is an example of the first
two lines of the entry for the default kernel:
=Pkg: kernel-default 2.6.16 13 i586
=Cks: SHA1 8c8eb2b605e1d626c22bea8dd0c3b05885432b16
Again we have a SHA1 checksum."
Maybe it should be mentioned that one must use create_package_descr from
10.1 or Factory (I only checked the one from autoyast2-2.13.59.tar.bz2)
What about older versions?
If I use create_package_descr from 10.1/Factory, that adds those =Cks:
tags into the "packages" file, can I also use it to generate
for, say, 10.0/9.3/9.2/9.1?
Or will YaST2 on 10.0 and older bark, saying that it does not know
anything about the "=Cks:" tag?
I don't know.
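
The lookup described in the thread (each file in DESCRDIR is checked against its META entry in "content" before use), as an added example that is not part of the original message and is not YaST's own code. The function names and status labels are hypothetical, the DESCRDIR path is passed in by the caller, and the signature on "content" itself is assumed to have been verified separately; the sample files are constructed.

```python
import hashlib
import os
import tempfile

def parse_content(text):
    """Return {filename: (algo, hexdigest)} for the META lines of a 'content' file."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "META":
            _, algo, digest, name = parts
            entries[name.strip()] = (algo.lower(), digest.lower())
    return entries

def verify_descr_dir(content_text, descr_dir):
    """Give a status for every file on disk and every META entry."""
    entries = parse_content(content_text)
    result = {}
    for name in sorted(os.listdir(descr_dir)):
        if name not in entries:
            result[name] = "unlisted"   # on disk but no META line: not covered
            continue
        algo, expected = entries[name]  # algo comes from the entry (SHA1 today)
        with open(os.path.join(descr_dir, name), "rb") as fh:
            actual = hashlib.new(algo, fh.read()).hexdigest()
        result[name] = "ok" if actual == expected else "mismatch"
    for name in entries:
        result.setdefault(name, "missing")  # listed in content, absent on disk
    return result

def demo():
    """Constructed sample: one file is altered after 'content' was written."""
    with tempfile.TemporaryDirectory() as d:
        files = {"packages": b"=Pkg: kernel-default 2.6.16 13 i586\n",
                 "packages.en": b"constructed sample\n"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        content = "".join("META SHA1 %s %s\n" % (hashlib.sha1(data).hexdigest(), name)
                          for name, data in files.items())
        content += "META SHA1 %s packages.DU\n" % ("0" * 40)  # never created
        with open(os.path.join(d, "packages.en"), "ab") as fh:
            fh.write(b"tampered\n")                            # changed after hashing
        with open(os.path.join(d, "directory.yast"), "wb") as fh:
            fh.write(b"packages\n")                            # no META entry
        return verify_descr_dir(content, d)

if __name__ == "__main__":
    print(demo())
```

Because the digest algorithm is read from each entry, the same check keeps working if the entries move from SHA1 to SHA256 as the quoted documentation says they may.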