Merfi can only sign Debian package repositories. We should make it search for RPM repositories and sign those, too.
Sign RPMs
Currently our shell script searches the tree for any file named .rpm, and checks for an existing signature, like rpm -qi -p $rpm 2>/dev/null | grep ^Signature
If that signature matches our key ID, then we assume the RPM has already been signed, and we skip it and move to the next one. If the Signature field is not present, or it does not match our key ID, then we sign the RPM (and move on to the next one, repeating the process).
Lastly, we need to re-run createrepo after we do this, because we're altering the RPM files' checksums whenever we change the signatures.
Sign yum's repomd.xml as repomd.xml.asc:
This is relatively straightforward. After we've completed the above steps of rpm --addsign * and createrepo, just detach-sign the repomd.xml file:
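The whole procedure described above, as an added shell example; it is not Merfi's code or the original script. The function names, the use of the `_gpg_name` macro to select the key, the `repodata/` layout and the sample key ID are assumptions.

```shell
#!/bin/sh
# Added example; all function names and the sample key ID are hypothetical.

# Read `rpm -qi -p` output on stdin and print the signing key ID in lower
# case. Prints nothing for "Signature : (none)" or a missing Signature field.
signature_keyid() {
    sed -n 's/^Signature[[:space:]]*:.*Key ID \([0-9A-Fa-f]\{1,\}\).*$/\1/p' \
        | head -n 1 | tr 'A-F' 'a-f'
}

# Succeed (0) when the package on stdin must be signed with key $1.
# rpm reports the 16-hex-digit long key ID, so $1 must be the long ID or the
# full fingerprint; a short 8-digit ID never matches and forces a re-sign.
needs_signing() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/^0x//')
    have=$(signature_keyid)
    [ -z "$have" ] && return 0          # unsigned
    case "$want" in
        *"$have") return 1 ;;           # already signed by our key: skip
        *)        return 0 ;;           # signed by another key: re-sign
    esac
}

# sign_repo <repo dir> <long key ID>
# Sign what needs signing, rebuild the metadata (signing changes the RPM
# checksums), then detach-sign repomd.xml as repomd.xml.asc.
sign_repo() {
    repo=$1 keyid=$2
    find "$repo" -type f -name '*.rpm' | while IFS= read -r rpm; do
        if rpm -qi -p "$rpm" 2>/dev/null | needs_signing "$keyid"; then
            rpm --define "_gpg_name $keyid" --addsign "$rpm" </dev/null || exit 1
        fi
    done || return 1
    createrepo "$repo" || return 1
    gpg --batch --yes --local-user "$keyid" --armor --detach-sign \
        "$repo/repodata/repomd.xml"
}

# Constructed sample of `rpm -qi -p` output; the key ID is made up.
SAMPLE='Signature   : RSA/SHA256, Tue 03 Apr 2018 10:00:00 PM UTC, Key ID 0123456789abcdef'
printf '%s\n' "$SAMPLE" | needs_signing 0123456789ABCDEF \
    || echo "sample: already signed by our key, skipping"
```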