From 96939ba985230e0691e3dcc2f683e95a8b7d9241 Mon Sep 17 00:00:00 2001 From: Dave Page Date: Thu, 21 May 2020 12:47:41 +0100 Subject: [PATCH] Add information to the Redhat README about signing RPMs, creating a repository and creating repo RPMs. --- pkg/redhat/README | 105 ++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 98 insertions(+), 7 deletions(-) diff --git a/pkg/redhat/README b/pkg/redhat/README index 0375b771d..3187b63a2 100644 --- a/pkg/redhat/README +++ b/pkg/redhat/README @@ -1,6 +1,12 @@ This directory contains the build runner script for creating .RPM packages for Redhat distributions. +Supported platforms +=================== + +Fedora 30, 31 & 32 +RHEL/CentOS 7 & 8 + Build configuration =================== 
@@ -39,13 +45,98 @@ pgadmin4-python3-mod_wsgi-4.7.1-2.el7..rpm The Python 3 build of mod_wsgi for the Apache HTTPD server. Only built on RHEL/CentOS 7. -Supported platforms -=================== +Signing Packages +================ -Fedora 30 & 31 -RHEL/CentOS 7 & 8 +It is good practice to sign RPMs to prove their provenance. The build scripts +included in this directory do NOT do that; doing so is done using a Jenkins +task in the pgAdmin buildfarm. -Warning -======= +If you want to sign your own RPMs, you'll first need to ensure that the +gnupg2 and rpmsign tools are available on your system. -These scripts are experimental - use at your own risk! +Then, create a .rpmmacros file in the home directory of the user account that +will be doing the signing. On Fedora 30 and later, and RHEL/CentOS 8 and later, +that should contain the following contents (without the start/end markers). +Replace with the email address in your key: + +--------- +%_signature gpg +%_gpg_path ~/.gnupg +%_gpg_name +%_gpgbin /usr/bin/gpg2 +%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename +} --digest-algo sha256 %{__plaintext_filename} +--------- + +On RHEL/CentOS 7, the .rpmmacros file should look like this: + +--------- +%_signature gpg +%_gpg_path ~/.gnupg +%_gpg_name Package Manager +%_gpgbin /usr/bin/gpg2 +%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__ +signature_filename} --digest-algo sha256 %{__plaintext_filename} +--------- + +Note that these configurations are designed for automated signing in a CI/CD +system. You may need to adjust them to handle passphrases on keys in your own +environment. 
+ +You also need to import your signing private key into the gnupg2 keystore, for +example: + +gpg --import signing_key.priv + +Once everything is setup, RPMs can be signed easily; for example: + +rpmsign --addsign dist/*.rpm + +Building a repo +=============== + +A Yum repo can be created by building RPMs for the required platforms, moving +them into the required directory structure, and then running the createrepo tool +over that directory. The pgAdmin repos use the following structure: + + + redhat/ + rhel-7-x86_64/ + pgadmin4-4.21-1.el7.noarch.rpm + pgadmin4-desktop-4.21-1.el7.x86_64.rpm + pgadmin4-python3-mod_wsgi-4.7.1-2.el7.x86_64.rpm + pgadmin4-server-4.21-1.el7.x86_64.rpm + pgadmin4-web-4.21-1.el7.noarch.rpm + rhel-8-x86_64/ + <...> + fedora/ + <...> + pgadmin4-fedora-repo-1-1.noarch.rpm + pgadmin4-redhat-repo-1-1.noarch.rpm + README + +Note that only the first branches are shown above; other branches (e.g. for +Fedora and RHEL 8 follow the structure shown for RHEL 7. + +Technically there are multiple different repos, one for each platform and +architecture. The metadata can be created for each as follows: + +/usr/bin/createrepo /redhat/rhel-7-x86_64 +/usr/bin/createrepo /redhat/rhel-8-x86_64 +... + +Repository RPMs +=============== + +A script is provided for the creation of repo RPMs. It will create RPMs that +install the required Yum configuration file and the public signing key for +pgAdmin (you may want to replace the contents of PGADMIN_PKG_KEY with your own +public key): + +./repo-rpms.sh + +Set the PGADMIN_REPO_DIR environment variable to define the repository root +from the client's perspective. Given the example above, you might do: + +PGADMIN_REPO_DIR=https://yum.company.com/repos/ ./repo-rpms.sh
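Review bot: the first hunk adds Fedora 32 to the supported platforms list and moves that section to the top of the file, but the commit message only mentions signing, repository creation and repo RPMs; either mention the platform change in the message or split it into its own commit so it is visible in the history.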
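Review bot: in the `.rpmmacros` template for Fedora 30+ and RHEL/CentOS 8, `%_gpg_name` is shown with no value and the sentence before it, "Replace with the email address in your key", names no placeholder, so a reader cannot tell what to substitute; spell the placeholder out, e.g. `%_gpg_name <email address>`, and make the RHEL/CentOS 7 template consistent with it instead of hard-coding `%_gpg_name Package Manager`. Two smaller points in the same hunk: `--force-v3-sigs` in both `%__gpg_sign_cmd` lines is obsolete and ignored since GnuPG 2.1, so it has no effect on the systems the first template targets, and since the README already notes that passphrase handling is CI-oriented, it would help to state that the RHEL 7 command reads the passphrase from file descriptor 3 while the Fedora/RHEL 8 command relies on an unprotected key or a running gpg-agent. Documentation nits: "Once everything is setup" should read "set up", and the parenthesis opened in "(e.g. for Fedora and RHEL 8 follow" is never closed.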