EMI package signing procedure

Preparing the Signing Infrastructure

  1. Generate a key like this
  2. Generate a revocation certificate like this. Probably this will not be used, but always good to have one.
  3. Back up the key in this way
  4. Nominate a place where public key will be published, and circulate this information using the relevant lists and tools. See here.
  5. Nominate 2 people who are allowed to own the key and who know the password, they will be the signing responsible persons (SRPs). See here.

Signing Procedure

Generating the key

GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC4880. Steps followed to generate the EMI signing key:

  1. Disconnect the computer from the network, disable wifi and bluetooth
  2. Create a temporarly directory
            mydir=`mktemp -d /tmp/tmpXXXXXX`
            chmod 700 $mydir
            export GNUPGHOME="$mydir"
            gpg --gen-key
    Answer the questions, choose key length 2048 and no expire time..
  3. Back up the key immediately to a USB drive
  4. Delete the directories
            rm -rf $mydir
            unset $GNUPGHOME
  5. Completely delete the file from the hard disk (using "shred" utility)
           shred -fv -n 30 --remove $mydir/*
  6. Unmount and remove USB drive, reboot computer.
  7. Now, the computer can be reconnected to the network.

Generating the revocation certificate

A revocation certificate is necessary if the private key has been compromised or its password lost. Probably this will not be used, but always good to have one.
        gpg --output revoke.asc --gen-revoke keyID
The generated revocation certificate is short. It was printed out on a networkless-printer and keep separately from the private key, but still in a very safe place.

Backing up the key

  • The public part of the key was exported using:
        gpg -ao certifkey.pub --export keyID
  • The private part was exported using:
        gpg -ao certifkey.key --export-secret-keys keyID

  • Backed up a paper copy of the private key and on a USB drive

Compromised key

Password is compromised

If the password of the private key has been compromised but not used, one can change the password on the private key, by using
         gpg --edit-key keyID  passwd

Private key is compromised

If there is a chance that the private key is compromised is wikk be revoked immediately. If the public key was part of a keyring, then the revocation certificate will be posted to the same keyring exactly the same way as it was posted the key. The keyring servers are add-only, so there is no way to withdraw a revocation certificate. Once it is posted the key is revoked.

Publishing the key

The public part of the key is:
  • published on the project's website together with it's fingerprint.
  • included in the emi-release package, in file /etc/pki/rpm-gpg/RPM-GPG-KEY-emi

Signing rpm packages

Import the key

In order to sign the package one has to import the keys. To restore the key from the backup, simply import it with
        gpg --import certifkey.key

Signing the packages

Once the component release candidates are declared verified by the SA1 QC team, before moving the packages from the Candidate Release repository into the EMI Production repository, the signing of the packages will take place:
  • copy the packages from the Candidate Release repository to the signing-dedicated-machine
  • disconnect the signing-dedicated-machine from the network
  • restore the key from the back-up
        gpg --import certifkey.key
  • import the public key to the RPM DB and add to the ~/.rpmmacros file the following information
        %_signature gpg
        %_gpg_path /path/to/key_dir/
        %_gpg_name  <Name which is in the gpg key>
  • if package was not signed before
        # rpm --addsign *.rpm
  • or overwrite and re-sign the package
        # rpm --resign *.rpm
  • verify the signatures
    • check that the public key is in the RPM database:
        rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
    • check the rpm
        rpm -K package.rpm
  • remove the keys
  • reconnect the signing-dedicated-machine to the network and copy the package in the EMI production repository

How to verify the signed packages

When you would like to check digital signature, you need to import the public key into the RPM database:
        wget http://.../RPM-GPG-KEY-emi
        rpm --import RPM-GPG-KEY-emi
To check that the public key has really been imported use the command
        rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
To check the signed packages use the command:
        rpm -K package.rpm


  1. How to sign your custom RPM package with GPG Key
  2. RPM signing howto
  3. GPG HowTos
  4. GPG FAQ
  5. The Strong Distribution Model

-- DoinaCristinaAiftimiei - 03-May-2011

Edit | Attach | Watch | Print version | History: r9 < r8 < r7 < r6 < r5 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r9 - 2014-05-27 - DoinaCristinaAiftimiei
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    EMI All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback