All,

Thanks for the pointers, here is where I'm at. I started to make changes in the local OBS because Firefox 53 and Chrome 58 no longer allow self-signed certificates to be used. They have eliminated the option of adding security exceptions as a workaround in their latest version. It's a good change from a security perspective, but that impacted the interface to the repositories etc. I made all of those changes using an "unpublished" root certificate and certificate bundle so it doesn't add cost to running the OBS instance.

I have delayed making changes to the key management as long as possible, but I need to tighten down security and not put it off any longer. I created scripts that build all of the keys I need and modified the BSConfig.pm, sign.conf etc. Using gpg, the key IDs etc. seem to be correct and install into the standard OBS phrases, but I may have missed something the OBS checks. It looks like the obssignd comes up and runs properly with no issues using "systemctl status obssignd".

One of the problems left is the obssigner. It simply fails with no indication of why; I have probably misconfigured something in all of the changes. I'm using "systemctl status obssigner" and starting to dig through the code for bs_signer. I'm open to suggestions on what might be wrong to get this done faster, since package builds now hang in the signing process. The next issue will be adding links to download and manage different keys for each part of the deployment process.

This section didn't go out to the list, operator error.

----------------------------------------------

The problem I found was the BSConfig.pm didn't copy correctly and the line

our $sign = "/usr/bin/sign --project $NAME";

was missing. It would be a great help if bs_signer line 598 had something like

die("sign program is not configured!\nCheck BSConfig:sign=\n") unless $BSConfig::sign;
In BSConfig.pm the comment says to add

our $sign = "/usr/bin/sign --project $NAME";

When configured this way the signer.log shows:

Use of uninitialized value $BSConfig::NAME in concatenation (.) or string at /usr/lib/obs/server/BSConfig.pm line 153

Any idea what is the proper way to configure BSConfig.pm to support package, product and repository signing? So I took out that line and used

our $sign = "/usr/bin/sign";

I tried to force a rebuild of all the packages in the OBS to ensure they were re-signed by one of the new keys.

$ osc rebuildpac --all

In the signer log I get the following messages back to back:

signing x86_64/{packagename}-e31bbd4d739a3637d3fc343a831c70e4
usage: sign [-c|-d|-r] [-u user] <file>

I'm not sure where the configuration is failing. Any thoughts?

Thx
Steve

On 5/5/2017 4:04 AM, Henne Vogelsang wrote:
> Hey,
>
> On 04.05.2017 18:51, Steve Hertz wrote:
>> I have been working to get all of the signing capabilities working on a local OBS instance. Are there any notes or documents anyone could share on getting this working?
>
> man sign
> man signd
> man sign.conf
>
> have helped me a lot recently...
>
> Henne
-- 
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
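A small pre-start check, added here as an illustration and not part of OBS itself, that loads BSConfig.pm the way the daemons do and reports the two failure modes from this thread: a missing $sign (the die proposed above) and a "--project" argument left empty because $NAME was undefined when the file was parsed. The default config path is the one quoted in the signer.log warning; the argument handling and the assumption that the first word of $sign is the signing program are mine.

```perl
#!/usr/bin/perl
# Added example, not part of OBS: sanity-check the signing setup in
# BSConfig.pm before bs_signer is started, so a broken config is reported
# instead of builds silently hanging in the signing step.
use strict;
use warnings;

# Default path is the one quoted in the signer.log warning above;
# a different path can be passed as the first argument (assumption).
my $cfg = $ARGV[0] // '/usr/lib/obs/server/BSConfig.pm';

# Load the config exactly as the daemons do. Interpolation of variables
# such as $NAME happens at this point, so any "uninitialized value"
# warning is captured here and reported as a finding.
my @load_warnings;
{
    local $SIG{__WARN__} = sub { push @load_warnings, $_[0] };
    require $cfg;
}

my @problems;

# The guard suggested for bs_signer: $sign must be configured at all.
if (!defined $BSConfig::sign || $BSConfig::sign eq '') {
    push @problems, 'sign program is not configured (our $sign in BSConfig.pm)';
} else {
    # 'our $sign = "/usr/bin/sign --project $NAME";' with $NAME undefined
    # leaves a dangling "--project"; sign then rejects the call and prints
    # its usage line, which is what the signer log showed.
    push @problems, '$sign ends with "--project" but no project name ($NAME undefined?)'
        if $BSConfig::sign =~ /--project\s*$/;

    # The first word of $sign is the signing program; it must be executable.
    my ($prog) = split ' ', $BSConfig::sign;
    push @problems, "sign program '$prog' is missing or not executable"
        unless -x $prog;
}

push @problems, "BSConfig.pm emitted warnings while loading:\n    "
    . join('    ', @load_warnings) if @load_warnings;

if (@problems) {
    print STDERR "signing config check FAILED:\n  ", join("\n  ", @problems), "\n";
    exit 1;
}
print "signing config OK: \$sign = $BSConfig::sign\n";
```

Run it as the same user the signer runs as, so the -x test on the sign binary reflects what bs_signer will actually see.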