Conary:Signing Packages
From rPath Wiki
Forthcoming content note: The current information on this page is adapted from older interface text previously included in rBuilder. It needs to be reviewed, revised, and developed to stand alone, and it needs to be linked to some other documents which make reference to this activity. The content on this page will soon be updated to reflect the change.
Conary includes support for signed packages using OpenPGP keys.
A project in rBuilder may require packages to be signed. Check with a project owner for the project to verify if this is necessary. The project owner can also help you get an OpenPGP key pair if you do not already have one or if the project requires a special key pair.
If the project owners for a project require you to sign packages, upload your public key to the project's repository. To do this, log in to rBuilder, click the "upload a package signing key" link below your username in the user panel on the right side of the page. Follow the instructions to upload your public key.
You can also use cvc addkey to add a key to a repository. Assuming you have a context named devel-context defined in your conaryrc file and have exported your PGP public key to a file named /path/to/my-key.pgp, run:
cvc addkey --context devel-context < /path/to/my-key.pgp
NOTE: The above command does not work if your password is not stored in your conaryrc file (that is, if you type your password whenever you submit anything to the repository). In that case, run 'cvc addkey' with no redirection, paste your PGP public key, press Ctrl-D (and wait), then enter your password when prompted.
Configure Conary to use your key using the following two Conary configuration directives in conaryrc:
- signatureKey
- signatureKeyMap
These two options interact to provide package signing. You can build up a list of keys and the circumstances in which each should be used by including several signatureKeyMap lines in one or more Conary configuration files; in such cases, the first signatureKeyMap line that matches is the value that will be used. However, when Conary encounters a signatureKey line, all previous signatureKeyMap and signatureKey settings are ignored, and Conary uses the setting of the current signatureKey.
There are different ways to configure Conary to use OpenPGP keys. The following approach works in situations in which you will sign packages for one project or multiple projects:
- Edit .conaryrc to include the following line at the top:
signatureKey None
This line ensures that any system-wide signature-related settings (as in /etc/conaryrc) will be ignored. Note that if you do not also include other key-related settings in this file (or any project-specific Conary configuration file), Conary will never attempt to use a key to sign any packages.
- Add a signatureKeyMap for the project in .conaryrc after the signatureKey line using the following format:
signatureKeyMap <regular-expression> <key-fingerprint>
Replace <regular-expression> with a regular expression matching the project's label and replace <key-fingerprint> with the fingerprint of the desired key.
The following is an example of a signatureKeyMap line for project gondor:
signatureKeyMap gondor.devel.rpath.org@rpl:devel B1EE 5468 2429 249E 3C24 FD50 E55A 1E3D 2417 65F8
Note that to ensure this key is used on all the project's branches, you can replace everything after the @ in the project's label with dot asterisk (.*). Also note that the dots in the project's label should be escaped with a backslash (written as \.), because in a regular expression a bare dot matches any character. Remember that this is a regular expression; leaving the label as it is will also work, but it creates the possibility of inadvertent matches.
Use the following command to obtain the fingerprint for your key:
gpg --list-keys --fingerprint
The following formats are acceptable for identifying the key (all would reference the same key):
- B1EE 5468 2429 249E 3C24 FD50 E55A 1E3D 2417 65F8 (fingerprint, as returned by the gpg command above)
- B1EE54682429249E3C24FD50E55A1E3D241765F8 (fingerprint)
- E55A1E3D241765F8 (8-byte key ID)
- 241765F8 (4-byte key ID)
If you need additional keys for additional projects, or if you need separate keys for specific branches in a single project, add the appropriate signatureKeyMap lines, one after the other, in your .conaryrc file after the signatureKey line at the top of the file. This keeps the settings for all the keys for which Conary is configured in a single configuration file.
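The following is an added example, not Conary's own code or any text from the original page, that models the key-selection rules described above: "signatureKey None" discarding earlier settings, the first matching signatureKeyMap winning, and the four accepted key formats referring to the same key. The conaryrc fragment, the mordor project and the 0000000000000000 key ID are constructed for the example, and it assumes Conary matches the regular expression against the label anchored at the start, as Python's re.match does.

```python
import re

# Constructed conaryrc fragment (not from the page) exercising the rules above:
# a leading "signatureKey None" discards anything set earlier or system-wide,
# followed by one signatureKeyMap per project or branch.
SAMPLE_CONARYRC = r"""
signatureKeyMap ignored\.example\.org@.* 0000000000000000
signatureKey None
signatureKeyMap gondor\.devel\.rpath\.org@rpl:devel B1EE 5468 2429 249E 3C24 FD50 E55A 1E3D 2417 65F8
signatureKeyMap gondor\.devel\.rpath\.org@.* 241765F8
signatureKeyMap mordor\.devel\.rpath\.org@.* E55A1E3D241765F8
"""

def normalize_key_id(key):
    """Drop the spacing gpg prints so all four accepted key formats compare as hex suffixes."""
    return key.replace(" ", "").upper()

def same_key(a, b):
    """True if a full fingerprint, an 8-byte ID and a 4-byte ID could denote the same key."""
    a, b = normalize_key_id(a), normalize_key_id(b)
    return a.endswith(b) or b.endswith(a)

def parse_signature_config(text):
    """Apply the precedence rules: a signatureKey line wipes every earlier
    signatureKey/signatureKeyMap setting; 'signatureKey None' means no default key."""
    maps, default_key = [], None
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "signatureKey":
            maps, default_key = [], None
            if len(parts) > 1 and parts[1] != "None":
                default_key = normalize_key_id(" ".join(parts[1:]))
        elif parts[0] == "signatureKeyMap" and len(parts) == 3:
            maps.append((parts[1], normalize_key_id(parts[2])))
    return maps, default_key

def key_for_label(label, maps, default_key=None):
    """First matching signatureKeyMap wins (assumed anchored like re.match);
    with no match, fall back to signatureKey, where None means 'do not sign'."""
    for pattern, key in maps:
        if re.match(pattern, label):
            return key
    return default_key
```

Feeding a label with unescaped dots in its pattern into key_for_label shows the inadvertent-match problem the text warns about, since a bare dot also matches characters other than a literal dot.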
To use a key, an ASCII-armored version of your public key must be installed in your user account on your rBA under "edit my account" -> "Package Signing Keys".
To obtain an ASCII-armored copy of your PGP public key, run the following gpg command (assuming your key ID is 241765F8 and you want to save the key as /path/to/my-key.gpg):
gpg --export --armor -o /path/to/my-key.gpg 241765F8
You can view your keys by running:
cvc listkeys
or browsing to http://<rBA FQDN>/rbuilder/repos/<project>/pgpAdminForm
