Hi, I'm looking for advice on key generation for obs-signd. We would run it independently from OBS (we want to utilize obs-signd for package signing at Copr - http://fedorahosted.org/copr). If I understand correctly, OBS manages user keys outside of obs-signd and provides private[public] keys directly to /bin/sign. At our service we want to minimize key management, keep secrets on a secured machine (where signd runs) and avoid sending secrets through the network.

Here is our (future) setup:

host-0: secure machine where key-pairs are stored in /root/.gnupg/
  it runs:
  - [A] perl signd
  - [B] small httpd service which generates new key-pairs into the keyring and writes the generated passphrases to /root/.phrases/

host-1: backend where builds occur and the resulting rpms are signed by invocation of /bin/sign [C]
  [C] is configured by /etc/sign.conf to access [A] at host-0

When user `foo` builds a first package, service [B] will be invoked, a passphrase will be added to /root/.phrases/ and keys will be added to the keyring, so that [A] can sign packages for user `foo` without receiving keys through the network.

[C] will be used:
* To sign an rpm:
  [@host-1]:# sign -u foo@example.com target.rpm
* To obtain the public key for a user:
  [@host-1]:# sign -u foo@example.com -p

Please tell me if this design makes sense or how it should be changed.

Additional question: Do we really need to protect keys with passphrases on [host-0]? Private keys should never leave the keyring at that machine.

--
Best regards,
Gologuzov Valentin.

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
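The host-0 side of the design above (service [B] generating a per-user keypair with a stored passphrase, then [A] signing and exporting on [C]'s behalf), as an added example that is not part of the original message and is not obs-signd's own code. It assumes GnuPG 2.1 or later and substitutes a temporary directory (SIGND_DEMO_DIR) for /root/.gnupg and /root/.phrases so it can run as an unprivileged user; the Name-Real string, the 3072-bit signing-only RSA key, and the detached signature used as a stand-in for rpm signing are choices made here, not anything the post specifies.

```shell
#!/bin/sh
# Added example, not code from the post or from obs-signd: the keypair
# generation step service [B] would perform on host-0, plus the signing and
# public-key export that signd ([A]) performs when [C] calls it.
# Assumptions: GnuPG >= 2.1; keyring and passphrase directories live under
# SIGND_DEMO_DIR (a fresh temp dir by default) instead of /root/.gnupg and
# /root/.phrases, so this runs as any user.
set -eu

SIGND_DEMO_DIR=${SIGND_DEMO_DIR:-$(mktemp -d)}
GNUPGHOME="$SIGND_DEMO_DIR/gnupg"
PHRASES_DIR="$SIGND_DEMO_DIR/phrases"
export GNUPGHOME

# Everything written below carries secrets: umask 077 gives the keyring
# directory mode 0700 and each passphrase file mode 0600.
umask 077
mkdir -p "$GNUPGHOME" "$PHRASES_DIR"

# gen_user_key NAME EMAIL: unattended generation of a signing-only RSA key
# for one user, protected by a random passphrase stored at PHRASES_DIR/EMAIL
# (the post's /root/.phrases/ convention). Prints nothing on stdout.
gen_user_key() {
    name=$1
    email=$2
    phrase_file="$PHRASES_DIR/$email"
    # 32 bytes from the kernel CSPRNG, base64 -> 44 printable characters.
    head -c 32 /dev/urandom | base64 | tr -d '\n' > "$phrase_file"
    # --pinentry-mode loopback lets gpg take the passphrase from the
    # parameter file instead of asking an (absent) pinentry dialog.
    gpg --batch --quiet --pinentry-mode loopback --gen-key <<EOF
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Name-Real: $name
Name-Email: $email
Expire-Date: 0
Passphrase: $(cat "$phrase_file")
%commit
EOF
}

# sign_detached EMAIL FILE: the work behind "sign -u EMAIL FILE", done here
# as a detached armored signature FILE.asc rather than rpm --addsign. The
# passphrase is read from the local phrase file; it never leaves this host.
sign_detached() {
    email=$1
    file=$2
    gpg --batch --quiet --yes --pinentry-mode loopback \
        --passphrase-file "$PHRASES_DIR/$email" \
        --local-user "$email" --armor --detach-sign \
        --output "$file.asc" "$file"
}

# verify_detached FILE: exit status 0 only if FILE.asc is a good signature
# over FILE made by a key in this keyring.
verify_detached() {
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

# export_pubkey EMAIL: the answer to "sign -u EMAIL -p" (public key only).
export_pubkey() {
    gpg --batch --quiet --armor --export "$1"
}

# Demo run with one constructed user and one constructed payload.
command -v gpg >/dev/null 2>&1 || { echo "gpg not found, nothing to demo" >&2; exit 0; }
gen_user_key "Copr user foo" foo@example.com
printf 'constructed payload standing in for target.rpm\n' > "$SIGND_DEMO_DIR/target"
sign_detached foo@example.com "$SIGND_DEMO_DIR/target"
verify_detached "$SIGND_DEMO_DIR/target"
echo "signature by foo@example.com verifies; passphrase file: $PHRASES_DIR/foo@example.com"
export_pubkey foo@example.com | head -n 1
# Stop the agent that gpg started for this temporary GNUPGHOME.
gpgconf --kill gpg-agent 2>/dev/null || true
```

Run it as `sh signd-keygen-demo.sh` (the file name is arbitrary). Two things the script makes concrete: the passphrase file sits on the same host, under the same uid, as the private key it protects, so it adds nothing against an attacker who can already read the keyring; what it buys is that a stray copy of the .gnupg directory alone is not usable. And the only thing that needs to cross the [C] -> [A] channel is the data to be signed in one direction and signatures or public keys in the other; key material and passphrases stay in the two directories created above.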