This includes both a driver (to be identified by backend = "calligrabot" in robosignatory.toml) and a wrapper script (installed as /usr/bin/calligrabot) that the driver runs--which in turn runs rpm-sign.
A bunch of caveats:
I did a lot of guesswork in implementing this since I don’t have access to the signer, or the signing tools, or have the necessary permissions. That isn't a bad thing--but a lot of adjustments are probably needed!
There are likely some authentication issues that I can’t test for.
The wrapper script currently reads its configuration from a new configuration file, /etc/calligrabot/client.conf. If desired, the code could be updated to pull its configuration from extra properties added to the [consumer_config.koji_instances.*] section(s) in the existing /etc/fedora-messaging/robosignatory.toml config file.
The code currently uses koji command line operations. This can be made more efficient by figuring out how to use the koji API directly.
As far as I can tell, calls to rpm-sign reference signing keys by name, not by ID--so robosignatory.toml may need to be updated to reference the key names, or more work is needed to have the wrapper script map the key ID to key name before invoking rpm-sign.