# Spec for Chelon: one source tarball split into a server and a client
# subpackage. Nothing is compiled, so the packages are architecture-independent.
# NOTE(review): no BuildRequires tags appear in this preamble although later
# sections rely on the python3_sitelib, _unitdir and systemd scriptlet macros;
# confirm the build root always provides the packages that define them.
# NOTE(review): Source0 is a bare file name with no download location; for a
# signing service it is worth recording where the tarball comes from and how
# it is verified before building.
Name: chelon
Version: 1.0.0
Release: 12%{?dist}
Summary: Remote GPG package signing service
License: GPL-2.0-or-later
Vendor: Atomicorp, Inc.
Packager: Atomicorp, Inc.
URL: https://www.atomicorp.com
Source0: %{name}-%{version}.tar.gz
BuildArch: noarch
# NOTE(review): this spec has no file list for the main package, only for the
# server and client subpackages, so the "meta-package" wording below may not
# match what rpmbuild actually produces - confirm.
%description
Chelon is a secure remote signing service for RPM packages and repository
metadata. Build servers send package hashes to Chelon via HTTPS API and
receive GPG signatures in response, eliminating the need for private keys on
build infrastructure.
This is a meta-package that can install both server and client components.
#
# Server subpackage
#
%package server
Summary: Chelon signing service server
# Runtime dependencies of the daemon and admin tool. shadow-utils is required
# before installation because the pre-install scriptlet calls groupadd/useradd.
Requires: python3
Requires: python3-flask
Requires: python3-gnupg
Requires: python3-pydantic
Requires: gnupg2
Requires: systemd
Requires(pre): shadow-utils
# Filter out the auto-generated user(chelon)/group(chelon) requirements: the
# account is created by this package's own pre-install scriptlet, and the
# matching Provides are declared explicitly just below.
# NOTE(review): a global definition is spec-wide, so this filter applies to
# every subpackage built from this file, not only to the server one.
%global __requires_exclude ^(user|group)\\(chelon\\)$
Provides: user(chelon)
Provides: group(chelon)
%description server
Chelon signing service server component. This package contains the signing
service daemon, systemd unit, and admin tools for managing tokens and audit logs.
Install this package on the signing server (e.g., gamera).
#
# Client subpackage
#
%package client
Summary: Chelon signing client tools
# NOTE(review): python3 is the only declared dependency. If chelon_client.py or
# chelon-sign import modules outside the standard library, they need to be
# listed here - confirm against the sources.
Requires: python3
%description client
Chelon signing client tools. This package contains command-line tools for
signing RPM packages and repository metadata using a remote Chelon service.
Install this package on build servers and workstations that need to sign packages.
%prep
# Unpack Source0 quietly into the build directory.
%setup -q
%build
# Nothing to build - pure Python
%install
# Lay out the target tree inside the build root (default directory mode).
install -d \
    %{buildroot}%{_bindir} \
    %{buildroot}%{_datadir}/%{name}/server \
    %{buildroot}%{_datadir}/%{name}/client \
    %{buildroot}%{_sysconfdir}/%{name} \
    %{buildroot}%{_unitdir} \
    %{buildroot}%{_localstatedir}/lib/%{name} \
    %{buildroot}%{python3_sitelib}
# Server code: the service entry point is executable, its helper modules are not.
install -m 755 server/chelon-service.py %{buildroot}%{_datadir}/%{name}/server/
install -m 644 server/signing_engine.py server/auth.py server/audit.py \
    %{buildroot}%{_datadir}/%{name}/server/
# Command-line tools: chelon-admin (server side) and chelon-sign (client side).
install -m 755 tools/chelon-admin tools/chelon-sign %{buildroot}%{_bindir}/
# Client library module.
install -m 644 tools/chelon_client.py %{buildroot}%{python3_sitelib}/
# systemd unit file.
install -m 644 systemd/chelon.service %{buildroot}%{_unitdir}/
# Default configuration, owner-only in the build root; the packaged owner and
# mode come from the attr entry in the server file list.
install -m 600 config/chelon.conf %{buildroot}%{_sysconfdir}/%{name}/
#
# Server scriptlets
#
%pre server
# Make sure the dedicated system group and account exist before files are laid down.
if ! getent group chelon >/dev/null; then
    groupadd -r chelon
fi
if ! getent passwd chelon >/dev/null; then
    # System account with no login shell; its home is the service data directory.
    useradd -r -g chelon -d %{_localstatedir}/lib/%{name} -s /sbin/nologin \
        -c "Chelon signing service" chelon
fi
# Account setup never fails the transaction.
exit 0
%post server
# systemd packaging macro for the post-install step of the unit.
%systemd_post chelon.service
# Fix ownership of data directory
# NOTE(review): this runs as root over a tree the chelon account can write to,
# and any failure is discarded. The server file list already assigns
# chelon:chelon to the directory itself; confirm the recursive pass is still
# needed, since a root-run recursive chown over service-writable content is a
# pattern packaging reviews usually ask to avoid.
chown -R chelon:chelon %{_localstatedir}/lib/%{name} 2>/dev/null || true
%preun server
# systemd packaging macro for the pre-uninstall step of the unit.
%systemd_preun chelon.service
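%postun server
%systemd_postun_with_restart chelon.service
# The chelon user and group are intentionally left in place when the package
# is erased. Content under the data directory (and a locally modified
# noreplace config) can outlive the package; deleting the account would leave
# those files owned by a bare numeric ID that a later-created account could be
# assigned, giving that account access to whatever the service stored there.
# Administrators who want the account gone can remove it by hand after
# cleaning up the leftover files.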
#
# File lists
#
%files server
%doc README.md
# Server code, admin tool and unit file are packaged without an ownership or
# mode override.
%{_datadir}/%{name}/server/
%{_bindir}/chelon-admin
%{_unitdir}/chelon.service
# Config directory: root-owned, readable and traversable by the chelon group only.
%attr(0750,root,chelon) %dir %{_sysconfdir}/%{name}
# Config file: private to the service account; local edits survive upgrades
# because of the noreplace flag.
# NOTE(review): owning the file as chelon lets the running service rewrite its
# own configuration. If the daemon only reads it, root:chelon with mode 0640
# would be tighter - confirm whether the service or admin tool writes here.
%attr(0600,chelon,chelon) %config(noreplace) %{_sysconfdir}/%{name}/chelon.conf
# Service state directory; the pre-install scriptlet also uses it as the
# account's home directory.
# NOTE(review): if the GnuPG keyring is kept directly in this directory, an
# owner-only mode (0700) is the usual expectation for a gpg home - confirm.
%attr(0750,chelon,chelon) %dir %{_localstatedir}/lib/%{name}
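%files client
%doc README.md
%{_bindir}/chelon-sign
%{python3_sitelib}/chelon_client.py
# Own only this module's byte-compiled files. Listing the whole top-level
# __pycache__ directory would make this package claim a directory shared by
# every single-file module installed in site-packages.
%{python3_sitelib}/__pycache__/chelon_client.*.pyc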
%changelog
* Thu Jan 08 2026 Atomicorp <support@atomicorp.com> - 1.0.0-12
- Initial release