Signs release files
A helper tool to quickly crawl a file system and sign commonly used files for repositories, with gpg, rpm-sign, and any other similar tool.
“a tool called “merfi” … what could possibly go wrong?”
For rpm-sign, the default operation will just crawl the filesystem looking for Debian repositories containing Release files. When the proper Release file is found, merfi will proceed to sign the file like:
$ merfi rpm-sign --key "mykey" --> signing: /Users/alfredo/repos/debian/dists/trusty/Release --> signed: /Users/alfredo/repos/debian/dists/trusty/Release.gpg --> signed: /Users/alfredo/repos/debian/dists/trusty/InRelease
Like all the other supported backends, it will crawl from the current working directory unless a path is specified:
$ merfi rpm-sign --key "mykey" /opt/packages
What is really doing behind the scenes is using rpm-sign like this:
rpm-sign --key "mykey" --detachsign Release --output Release.gpg rpm-sign --key "mykey" --clearsign Release > InRelease
You can also specify a --keyfile argument to rpm-sign. This will cause merfi to copy this GPG public key as release.asc to the root of each repository:
$ merfi rpm-sign --key "mykey" --keyfile /etc/RPM-GPG-KEY-testing /opt/packages
This feature is designed for Ceph’s ISO installer (ice-setup), because it expects the GPG public key to be present in this location.
GPG support is similar to rpm-sign in that merfi will crawl a path (defaults to the current working directory) looking for Debian repositories, and sign the appropriate Release files:
$ merfi gpg –> signing: /Users/alfredo/repos/debian/dists/trusty/Release –> signed: /Users/alfredo/repos/debian/dists/trusty/Release.gpg –> signed: /Users/alfredo/repos/debian/dists/trusty/InRelease
Behind the scenes the tool is running gpg like:
gpg --armor --detach-sig --output Release.gpg Release gpg --clearsign --output InRelease Release
merfi can generate an ISO from a tree of package repositories:
$ merfi iso /opt/packages --output my-dvd.iso
This will generate two files, my-dvd.iso and my-dvd.iso.SHA256SUM. You can verify the ISO file’s integrity by passing the checksum file to the sha256sum -c command:
$ sha256sum -c my-dvd.iso.SHA256SUM my-dvd.iso: OK
About the name
“Firme” is the Spanish word for “sign” and “merfi” is the Peruvian slang for it.
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.