Bug 2009927 - Add support for RPM files to signingscript #1353

Merged: Eijebong merged 5 commits into mozilla-releng:master from Eijebong:rpmsign on Feb 24, 2026

@Eijebong (Contributor)

This makes use of autograph's /sign/files route (mozilla-services/autograph#1187) to sign RPM packages.

@Eijebong requested a review from a team as a code owner February 13, 2026 15:00

@hneiva (Contributor) left a comment

few nits, nothing blocking.
LGTM

@jcristau (Contributor) left a comment

Should we be exposing the public key for this alongside the signed packages?

@Eijebong enabled auto-merge (rebase) February 24, 2026 10:19
Refactor write_signing_req_to_disk to support both single-file and
multi-file signing requests. This was mostly lifted off of the old
debsign implementation (934d772) but I
fixed it to not have an intermediate allocation with the entire file
content (since that's precisely what the code tries to avoid...).

Also extends make_signing_req and sign_with_autograph to accept a
"files" autograph method, passing a list of file objects instead of a
single input.

RPM signing uses autograph's `/sign/files` route but despite it
supporting multiple files at once we currently only support signing one
file at a time because signingscript doesn't have explicit support for
multi file signing. I didn't want to add to the problem (mozilla-releng#980) so I
decided to just go with it for now.

@Eijebong merged commit ee9ea3c into mozilla-releng:master Feb 24, 2026
10 checks passed
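
The streaming idea described in the commit message for `write_signing_req_to_disk` (no intermediate allocation holding the whole file), as an added example that is not signingscript's own code. The function name `write_request` and the JSON field names (`input`, `files`, `name`, `content`, `keyid`) are assumptions for illustration, not taken from autograph's documentation.

```python
import base64
import json
import os

# Read size is a multiple of 3 bytes, so each chunk encodes to base64 with no
# "=" padding and the encoded chunks concatenate into one valid string.
CHUNK = 3 * 64 * 1024


def _stream_b64(src, dst):
    """Base64-encode binary file object src into text file object dst."""
    while block := src.read(CHUNK):
        dst.write(base64.b64encode(block).decode("ascii"))


def _write_content(path, dst):
    with open(path, "rb") as src:  # buffered: short reads only happen at EOF
        _stream_b64(src, dst)


def write_request(paths, keyid, out_path, multi=False):
    """Write a JSON signing request to out_path, streaming file contents.

    Assumed layout (not taken from autograph's documentation):
      single: [{"input": "<b64>", "keyid": "..."}]
      multi:  [{"files": [{"name": "...", "content": "<b64>"}], "keyid": "..."}]
    """
    if not multi and len(paths) != 1:
        raise ValueError("a single-file request takes exactly one path")
    with open(out_path, "w", encoding="ascii") as dst:
        if multi:
            dst.write('[{"files": [')
            for i, path in enumerate(paths):
                # json.dumps escapes the file name; only the base64 body,
                # whose alphabet needs no JSON escaping, is written raw.
                name = json.dumps(os.path.basename(path))
                dst.write((", " if i else "") + '{"name": ' + name + ', "content": "')
                _write_content(path, dst)
                dst.write('"}')
            dst.write("]")
        else:
            dst.write('[{"input": "')
            _write_content(paths[0], dst)
            dst.write('"')
        dst.write(', "keyid": ' + json.dumps(keyid) + "}]")
    return out_path
```

Peak memory stays at roughly one chunk plus its encoding, regardless of package size.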