This repository was archived by the owner on Jan 9, 2026. It is now read-only.

Signing packages

Timotheus Pokorra edited this page Apr 5, 2016 · 6 revisions

Signing with Public/Private Key GPG

You need to create a pair of public and private keys with GnuPG.

# generate the keys
gpg --gen-key
# export the public key
gpg --armor --output publicLBS.gpg --export "Timotheus Pokorra (LBS auto signing) <release@solidcharity.com>"
# export the private key
gpg --armor --output privateLBSkey --export-secret-keys "Timotheus Pokorra (LBS auto signing) <release@solidcharity.com>"
# list the keys so that you know the key id (in my situation the key id is 4E1220C3)
gpg --list-keys
# publish the public key to a central key server
gpg --keyserver pgp.mit.edu --send-key 4E1220C3

In the section for your project in /etc/lightbuildserver/config.yml, insert a line similar to this:

PublicKey: http://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x4796B710919684AC

This will add instructions to your package so that the users will know where to download your public key.

Signing RPMs

Create the file /etc/lightbuildserver/container/<username>/<projectname>/privateLBSkey. It should be owned by the user uwsgi. It contains the private key generated with GnuPG. The public key should be published on the well-known key servers.

You also need a file /etc/lightbuildserver/container/<username>/<projectname>/rpmmacros, also owned by the user uwsgi, with the following content:

%_signature gpg
%_gpg_path /root/.gnupg
%_gpg_name YourName (LBS auto signing) <release@example.org>
%_gpgbin /usr/bin/gpg

%__gpg_sign_cmd %{__gpg} \
    gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor \
    --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
    -sbo %{__signature_filename} %{__plaintext_filename}

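Note that the sign command above requests SHA-1 digests. SHA-1 is no longer collision-resistant, so choose a stronger digest such as SHA-256 where the RPM versions you target accept it.

For the implementation details, see https://github.com/SolidCharity/LightBuildServer/blob/master/lib/BuildHelperCentos.py#L187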

Signing Debian packages

Create the file /etc/lightbuildserver/container/<username>/<projectname>/privateLBSkey. It should be owned by the user uwsgi. It contains the private key generated with GnuPG. The public key should be published on the well-known key servers.

You also need a file /etc/lightbuildserver/container/<username>/<projectname>/distributions, also owned by the user uwsgi, with the following content:

Origin: Packages Useful for LBS
Label: Packages Useful for LBS
Codename: trusty
Architectures: amd64
Components: main
Description: Apt repository for LBS packages
SignWith: 919684AC

For the implementation details, see https://github.com/SolidCharity/LightBuildServer/blob/master/lib/BuildHelperDebian.py#L205
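
As an added example (not part of the original wiki page or of LightBuildServer), the following shell function audits one project directory for the files described in the RPM and Debian sections above: presence and ownership of privateLBSkey, rpmmacros and distributions, the armored private-key header, and the %_gpg_name and SignWith entries. The function name check_lbs_signing, the finding labels, and the rule that the key must have no group/other permissions are assumptions; it relies on GNU stat.

```bash
#!/usr/bin/env bash
# Added example, not LightBuildServer code: audit one project's signing files.
# Usage: check_lbs_signing /etc/lightbuildserver/container/<username>/<projectname> [owner]
# Prints one line per finding; returns 0 when clean, 1 otherwise. Needs GNU stat.
check_lbs_signing() {
    local dir="$1" owner="${2:-uwsgi}" bad=0 f who mode
    finding() { echo "$*"; bad=1; }

    # privateLBSkey is required for RPM and Debian signing alike.
    [ -f "$dir/privateLBSkey" ] || finding "MISSING privateLBSkey"

    # Every file that is present must belong to the expected user.
    for f in privateLBSkey rpmmacros distributions; do
        [ -f "$dir/$f" ] || continue
        who=$(stat -c '%U' "$dir/$f")
        [ "$who" = "$owner" ] || finding "OWNER $f belongs to $who, expected $owner"
    done

    if [ -f "$dir/privateLBSkey" ]; then
        # Assumption (the page gives no mode): no group/other access to the key.
        mode=$(stat -c '%a' "$dir/privateLBSkey")
        [ $(( 0$mode & 077 )) -eq 0 ] || finding "MODE privateLBSkey is $mode, expected 600"
        # gpg --armor --export-secret-keys output starts with this header;
        # a public key dropped here by mistake starts with PUBLIC instead.
        head -n 1 "$dir/privateLBSkey" | grep -q '^-----BEGIN PGP PRIVATE KEY BLOCK-----' \
            || finding "FORMAT privateLBSkey is not an armored private key"
    fi

    # RPM signing needs the signer identity, Debian signing needs SignWith.
    if [ -f "$dir/rpmmacros" ]; then
        grep -Eq '^%_gpg_name[[:space:]]+[^[:space:]]' "$dir/rpmmacros" \
            || finding "CONFIG rpmmacros has no %_gpg_name"
    fi
    if [ -f "$dir/distributions" ]; then
        grep -Eq '^SignWith:[[:space:]]*[^[:space:]]' "$dir/distributions" \
            || finding "CONFIG distributions has no SignWith"
    fi
    return "$bad"
}

# Run directly with a project directory as the first argument.
if [ -n "${1:-}" ]; then check_lbs_signing "$@"; fi
```

A project that only builds RPMs or only Debian packages will have just one of rpmmacros and distributions; the function checks whichever is present.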
