Signs release files

rpm-sign, gpg, release, binaries
pip install merfi==1.3.4



A helper tool to quickly crawl a file system and sign commonly used files for repositories, with gpg, rpm-sign, and any other similar tool.

"a tool called "merfi" ... what could possibly go wrong?"


For rpm-sign, the default operation will just crawl the filesystem looking for Debian repositories containing Release files. When the proper Release file is found, merfi will proceed to sign the file like:

$ merfi rpm-sign --key "mykey"
--> signing: /Users/alfredo/repos/debian/dists/trusty/Release
--> signed: /Users/alfredo/repos/debian/dists/trusty/Release.gpg
--> signed: /Users/alfredo/repos/debian/dists/trusty/InRelease

Like all the other supported backends, it will crawl from the current working directory unless a path is specified:

$ merfi rpm-sign --key "mykey" /opt/packages

What is really doing behind the scenes is using rpm-sign like this:

rpm-sign --key "mykey" --detachsign Release --output Release.gpg
rpm-sign --key "mykey" --clearsign Release > InRelease

You can also specify a --keyfile argument to rpm-sign. This will cause merfi to copy this GPG public key as release.asc to the root of each repository:

$ merfi rpm-sign --key "mykey" --keyfile /etc/RPM-GPG-KEY-testing /opt/packages

This feature is designed for Ceph's ISO installer (ceph-ansible), because it expects the GPG public key to be present in this location.

If you are running the rpm-sign command on a computer that is behind a NAT, you must pass the --nat argument, like so:

$ merfi rpm-sign --nat --key "mykey"


GPG support is similar to rpm-sign in that merfi will crawl a path (defaults to the current working directory) looking for Debian repositories, and sign the appropriate Release files:

$ merfi gpg --> signing: /Users/alfredo/repos/debian/dists/trusty/Release --> signed: /Users/alfredo/repos/debian/dists/trusty/Release.gpg --> signed: /Users/alfredo/repos/debian/dists/trusty/InRelease

Behind the scenes the tool is running gpg like:

gpg --armor --detach-sig --output Release.gpg Release
gpg --clearsign --output InRelease Release


merfi can generate an ISO from a tree of package repositories:

$ merfi iso /opt/packages --output my-dvd.iso

This will generate two files, my-dvd.iso and my-dvd.iso.SHA256SUM. You can verify the ISO file's integrity by passing the checksum file to the sha256sum -c command:

$ sha256sum -c my-dvd.iso.SHA256SUM
my-dvd.iso: OK

About the name

"Firme" is the Spanish word for "sign" and "merfi" is the Peruvian slang for it.