Merge remote branch 'mhy/master'
authorMark Hymers <mhy@debian.org>
Fri, 29 Jul 2011 20:03:34 +0000 (21:03 +0100)
committerMark Hymers <mhy@debian.org>
Fri, 29 Jul 2011 20:03:34 +0000 (21:03 +0100)
dak/admin.py
dak/init_dirs.py
docs/README.config
setup/README
setup/dak-minimal.conf.template

index 2183c2293b2ad4c039d1658362b1f72ad318c22b..4e3dff26110d003f353c38f167bfef634c29a62d 100755 (executable)
@@ -80,8 +80,10 @@ Perform administrative work on the dak database.
      s show SUITE           show config details for a suite
      s add SUITE VERSION [ label=LABEL ] [ description=DESCRIPTION ]
                          [ origin=ORIGIN ] [ codename=CODENAME ]
-                            add suite SUITE, version VERSION. label,
-                            description, origin and codename are optional.
+                         [ signingkey=SIGNINGKEY ]
+                            add suite SUITE, version VERSION.
+                            label, description, origin, codename
+                            and signingkey are optional.
 
      s add-all-arches SUITE VERSION... as "s add" but adds suite-architecture
                             relationships for all architectures
@@ -219,6 +221,9 @@ def __suite_add(d, args, addallarches=False):
             suite.description = get_field('description')
             suite.origin = get_field('origin')
             suite.codename = get_field('codename')
+            signingkey = get_field('signingkey')
+            if signingkey is not None:
+                suite.signingkeys = [signingkey.upper()]
             s.add(suite)
             s.flush()
         except IntegrityError, e:
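Review bot: The new `signingkey` field is stored in `suite.signingkeys` after only `.upper()`, so an empty string, a `0x`-prefixed value or a short 8-character key ID is accepted unchanged. Short key IDs are not unique, and the setup/README example added in this same commit uses one (`DDDDDDDD`); requiring a full fingerprint avoids selecting an unintended key that shares the short ID. A format check before the assignment would catch this, for example `if not re.match(r'^[0-9A-F]{40}$', signingkey.upper()):` followed by the function's usual error path (`re` may need importing; the imports are not visible here). How `signingkeys` is consumed when signing is not shown on this page, and the body of `__suite_add` starts and ends outside the hunk.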
index 71a3831115f55540131e8bbe1682a9b1ea7c2cdb..a4703bb88b5170ef8597ea18d3eb675bacf23a0a 100755 (executable)
@@ -77,6 +77,29 @@ def process_morguesubdir(subdir):
         target = os.path.join(Cnf["Dir::Morgue"], Cnf[config_name])
         do_dir(target, config_name)
 
+def process_keyring(fullpath, secret=False):
+    """Create empty keyring if necessary."""
+
+    if os.path.exists(fullpath):
+        return
+
+    keydir = os.path.dirname(fullpath)
+
+    if not os.path.isdir(keydir):
+        print "Creating %s ..." % (keydir)
+        os.makedirs(keydir)
+        if secret:
+            # Make sure secret keyring directories are 0700
+            os.chmod(keydir, 0700)
+
+    # Touch the file
+    print "Creating %s ..." % (fullpath)
+    file(fullpath, 'w')
+    if secret:
+        os.chmod(fullpath, 0600)
+    else:
+        os.chmod(fullpath, 0644)
+
 ######################################################################
 
 def create_directories():
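Review bot: For secret keyrings, `file(fullpath, 'w')` creates the file with whatever mode the process umask allows and only afterwards narrows it with `os.chmod(fullpath, 0600)`, so the path is briefly wider than intended; the file object is also never closed explicitly. Creating the file with `os.open` and `O_EXCL` at its final mode closes that window and makes the function fail rather than write through a path that appeared after the `os.path.exists` check. Separately, the 0700 `chmod` on `keydir` only runs when the directory is created here, and the early return leaves an existing keyring's mode untouched, so loose permissions on a pre-existing secret keyring or its directory go unnoticed; a warning in those two branches would help.

```python
def process_keyring(fullpath, secret=False):
    # … unchanged: docstring, exists check, keydir creation …

    # Create the file with its final mode; O_EXCL refuses a path that
    # appeared since the exists check above
    print "Creating %s ..." % (fullpath)
    if secret:
        mode = 0600
    else:
        mode = 0644
    fd = os.open(fullpath, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    os.close(fd)
    # The umask may have removed bits from mode; set the intended mode explicitly
    os.chmod(fullpath, mode)
```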
@@ -100,6 +123,17 @@ def create_directories():
 
     suite_suffix = "%s" % (Cnf.Find("Dinstall::SuiteSuffix"))
 
+    # Process secret keyrings
+    if Cnf.has_key('Dinstall::SigningKeyring'):
+        process_keyring(Cnf['Dinstall::SigningKeyring'], secret=True)
+
+    if Cnf.has_key('Dinstall::SigningPubKeyring'):
+        process_keyring(Cnf['Dinstall::SigningPubKeyring'], secret=True)
+
+    # Process public keyrings
+    for keyring in session.query(Keyring).all():
+        process_keyring(keyring.keyring_name)
+
     # Process pool directories
     for component in session.query(Component):
         directory = os.path.join( Cnf['Dir::Pool'], component.component_name )
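Review bot: `Dinstall::SigningPubKeyring` is passed `secret=True` under the comment `# Process secret keyrings`, which reads like a mistake for a public keyring. If the intent is that it shares the private directory with the secret ring, the comment should say so, e.g. `# Signing keyrings (secret ring and its public half) are kept private to the dak user`. In the loop that follows, `keyring.keyring_name` from the database is used directly as a filesystem path, and the file is created 0644 with any missing parent directories left at the process umask. These keyrings presumably act as trust anchors for upload signature checks, so it is worth confirming that the parent directories cannot be written by other users. `create_directories` continues outside the hunk.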
index c7a59659f40bfbf4a3203c6c06fe1d59c7f9e975..7fabb4ee281b245a20afbf1f54cde999ab7d3b95 100644 (file)
@@ -146,7 +146,7 @@ Dinstall
 
     //// KeyAutoFetch (optional): boolean (default: false), which if set (and
     //// not overriden by explicit argument to check_signature()) will enable
-    //// auto key retrieval.  Requires KeyServer and SigningKeyIds variables be
+    //// auto key retrieval.  Requires KeyServer variable be
     //// set.  NB: you should only enable this variable on production systems
     //// if you have strict control of your upload queue.
     // KeyAutoFetch "false";
index 886b390e72e6094979da1a686e74a41c5b3a024f..37d0be4460f18f5a4075100d6b6a472fcff0d3a8 100644 (file)
@@ -52,10 +52,19 @@ Set up a symlink somewhere
 # mkdir ~dak/bin
 # ln -s /path/to/dak.py ~dak/bin/dak
 
+Set up a private signing key
+# gpg --no-default-keyring --secret-keyring /srv/dak/keyrings/s3kr1t/dot-gnupg/secring.gpg --keyring /srv/dak/keyrings/s3kr1t/dot-gnupg/pubring.gpg --gen-key
+Remember the signing key id for when creating the suite below.
+Here we'll pretend it is DDDDDDDD for convenience
+
+Import some developer keys (here AAAAAAAA)
+# gpg --no-default-keyring --keyring /srv/dak/keyrings/upload-keyring.gpg --recv-key AAAAAAAA
+
 Add some architectures you care about:
 # dak admin architecture add i386 "Intel x86 port"
 # dak admin architecture add amd64 "AMD64 port"
 
 Add a suite (origin=, label= and codename= are optional)
-# dak admin suite add-all-arches unstable x.y.z origin=MyDistro label=Master codename=sid
+signingkey= will ensure that Release files are signed
+# dak admin suite add-all-arches unstable x.y.z origin=MyDistro label=Master codename=sid signingkey=DDDDDDDD
 
index 45c5d0f1f20023d55f5909a572bcb938138d2eb0..7b4f9d254a8ca302185b0923db176e56a80b208d 100644 (file)
@@ -18,7 +18,6 @@ Dinstall
 {
    SigningKeyring "__DAKBASE__/keyrings/s3kr1t/dot-gnupg/secring.gpg";
    SigningPubKeyring "__DAKBASE__/keyrings/s3kr1t/dot-gnupg/pubring.gpg";
-   SigningKeyIds "__ARCHIVEKEYID__";
 
    Options
    {