Mailinglist Archive: opensuse-buildservice (45 mails)

< Previous Next >
[opensuse-buildservice] [obs-signd] need advice about gpg key generation

I'm looking for an advice with key generation for obs-signd. We would run it independently from OBS. ( we want to utilize obs-signd
for package signing at Copr -

If I understand correctly, OBS manages user key outsides from obs-signd,
and provides private[public] keys directly to /bin/sign. At our service we want to minimize
key manamement, keep secrets on secured machine (where singd runs) and
avoid sending secrets through network.

Here is our (future) setup:

host-0: secure machine where key-pairs is stored in /root/.gnupg/
it runs:
- [A] perl signd
- [B] small httpd service which generates new key-pairs into the keyring and write generated passphrases to /root/.phrases/

host-1: backend where builds occurs and result rpms are signed
by invocation of /bin/sign [C]

[C] is configured by /etc/sign.conf to access [A] at host-0

When user `foo` builds first package, service [B] will be invocked and
passphrase will be added to /root/.phrases/ and keys will be added to keyring, so that [A] can sign packages for user `foo` without recieving keys through network.

[C] will be used:
* To sign rpm
[@host-1]:# sign -u foo@xxxxxxxxxxx target.rpm
* To obtain public key for user:
[@host-1]:# sign -u foo@xxxxxxxxxxx -p

Please, tell if this design makes sense or how should it be changed.

Additional question:
Do we really need to protect keys with passhrases on [host-0]?
Private keys should never leave keyring at that machine.

Best regards,
Gologuzov Valentin.
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups