Mailinglist Archive: opensuse-buildservice (349 mails)

Re: [opensuse-buildservice] How can i setup package signing on local obs?
  • From: Carsten Schoene <cs@xxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Fri, 23 Nov 2007 17:45:29 +0100
  • Message-id: <474703A9.9090709@xxxxxxxxxxxxxxxxxxxxxxx>

thanks for your help, works great ;)


Michael Schroeder wrote:
> On Fri, Nov 23, 2007 at 03:41:34PM +0100, Carsten Schoene wrote:
>> Hello,
>>
>> can someone explain how to set up the signd & sign program on a local bs
>> setup?
>>
>> I got the daemon running, and the sign program connects but then hangs,
>> while the signd starts some subprocesses and nothing happens.
>
> Hmm, it shouldn't hang, might be some obscure bug in signd.
>
>> I'm not sure where to place the key files used for signing, maybe someone
>> can bring some light into the darkness ;)
>
> The setup is like this:
>
> You have a host where the build service runs on and another host
> (high security) that only runs the signd daemon and nothing else.
> This host is typically on some dedicated network so that it can
> only be reached by the build service. And sshd and the like are
> turned off, so that you need console access if you want in.
> This is because the host contains the private keys plus the
> passphrases, you do not want that someone can obtain this
> sensitive information.
>
> Configuration is like this
>
> /etc/sign.conf for the build service host:
>
> server: <private ip>
> user: buildservice@xxxxxxxxxx
> allowuser: bsrun
>
> /etc/sign.conf for the sign server:
>
> allow: <ip of build service>
> phrases: /root/.phrases
>
> The /root/.phrases directory should contain a "buildservice@xxxxxxxxxx"
> file containing the needed passphrase.
> The installed gpg must include the "patches-are-digest" patch, gpg
> from SL10.2 works. (Unfortunately 10.3 ships with gpg2, which doesn't
> include the patch yet.)
>
> Cheers,
> Michael.

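Added example (not part of the original mails and not code from the signd project): a small Python check for the sign server side of the setup described above. It parses the `key: value` lines of /etc/sign.conf and reports a missing allow: line, or a phrases directory or passphrase file that is missing or accessible to group or others. The permission rule, the function names, and the sample address and user name are assumptions of this example.

```python
import os
import stat
import tempfile

def parse_sign_conf(text):
    """Parse the 'key: value' lines of a sign.conf into a dict of lists."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def audit_sign_server(conf_text, signing_user):
    """Return findings for the sign server's sign.conf and phrases directory."""
    conf = parse_sign_conf(conf_text)
    findings = []
    if not conf.get("allow"):
        findings.append("no allow: line, build service IP is not pinned")
    if not conf.get("phrases"):
        findings.append("no phrases: directory configured")
        return findings
    phrases = conf["phrases"][0]
    # Assumption of this example: no group/other access on either path.
    for path in (phrases, os.path.join(phrases, signing_user)):
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            findings.append(f"missing: {path}")
            continue
        if mode & 0o077:
            findings.append(f"group/other access on {path}: {oct(mode)}")
    return findings

def demo():
    """Constructed sample: a temp phrases dir with a world-readable phrase file."""
    user = "buildservice@example.invalid"  # constructed placeholder name
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)
        phrase_file = os.path.join(d, user)
        with open(phrase_file, "w") as f:
            f.write("constructed-passphrase\n")
        os.chmod(phrase_file, 0o644)
        conf = f"allow: 192.0.2.10\nphrases: {d}\n"  # constructed sign.conf
        before = audit_sign_server(conf, user)
        os.chmod(phrase_file, 0o600)
        return before, audit_sign_server(conf, user)

if __name__ == "__main__":
    print(demo())
```

On a real sign server, pass the contents of /etc/sign.conf and the name used on the build service host's user: line to audit_sign_server().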
