Mailinglist Archive: opensuse-buildservice (351 mails)

Re: [opensuse-buildservice] How can i setup package signing on local obs?
  • From: Christian <chris@xxxxxxxxxxxxxxxx>
  • Date: Wed, 02 Jul 2008 23:51:48 +0000
  • Message-id: <486C1494.1060908@xxxxxxxxxxxxxxxx>
Hi Michael,

is there a plan to provide "sign" with the obs-server RPM package?
I did get it only while extracting it from SOURCE.

You're talking about gpg2 and a patch. Do I have to build a newer gpg for SLES10 SP2?

Thanks for your help
Kind Regards
Chris

Michael Schroeder wrote:
The setup is like this:

You have a host where the build service runs on and another host
(high security) that only runs the signd daemon and nothing else.
This host is typically on some dedicated network so that it can
only be reached by the build service. And sshd and the like is
turned off, so that you need console access if you want in.
This is because the host contains the private keys plus the
passphrases, you do not want anyone to be able to obtain this
sensitive information.

Configuration is like this

/etc/sign.conf for the build service host:

server: <private ip>
user: buildservice@xxxxxxxxxx
allowuser: bsrun

/etc/sign.conf for the sign server:

allow: <ip of build service>
phrases: /root/.phrases

The /root/.phrases directory should contain a "buildservice@xxxxxxxxxx"
file containing the needed passphrase.
The installed gpg must include the "patches-are-digest" patch, gpg
from SL10.2 works. (Unfortunately 10.3 ships with gpg2, which doesn't
include the patch yet.)

Cheers,
Michael.
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx
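
An added example, not part of the thread and not build service code: a small Python check for the sign server side of the configuration quoted above. It assumes sign.conf consists of plain "key: value" lines as shown in the mail; the owner-only permission rule, the function names and the demo values are assumptions of this example.

```python
import os
import stat
import tempfile


def parse_sign_conf(text):
    """Parse 'key: value' lines, the layout shown in the mail, into a dict."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            conf[key.strip()] = value.strip()
    return conf


def owner_only(path):
    """True if group and others have no permission bits on path."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def audit_sign_server(server_conf, user):
    """Findings for the sign server; `user` is the build host's 'user:' value."""
    findings = []
    if not server_conf.get("allow"):
        findings.append("no 'allow:' entry")
    phrases = server_conf.get("phrases", "")
    if not os.path.isdir(phrases):
        return findings + ["'phrases:' is not a directory"]
    if not owner_only(phrases):
        findings.append("phrases directory open to group/others")
    phrase_file = os.path.join(phrases, user)
    if not os.path.isfile(phrase_file):
        findings.append("no passphrase file for " + user)
    else:
        if os.path.getsize(phrase_file) == 0:
            findings.append("passphrase file is empty")
        if not owner_only(phrase_file):
            findings.append("passphrase file open to group/others")
    return findings


if __name__ == "__main__":
    # Constructed demo: throwaway directory, placeholder address and user id.
    with tempfile.TemporaryDirectory() as d:
        user = "buildservice@example.org"
        with open(os.path.join(d, user), "w") as f:
            f.write("constructed-passphrase\n")
        os.chmod(os.path.join(d, user), 0o644)  # deliberately too open
        conf = parse_sign_conf(f"allow: 192.0.2.10\nphrases: {d}\n")
        print(audit_sign_server(conf, user) or "no findings")
```

An empty list means the phrases directory and the passphrase file match what the mail describes and are readable by their owner only.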
