Great, thanks! Now I understand how obs-signd is used in OBS :)
On 09/09/2014 02:14 PM, Michael Schroeder wrote: <skipped>
Makes sense. We do it a bit differently in OBS, though. We don't store the users' secret keys on our sign server, but instead encrypt them with a dedicated OBS key. The advantage is that the encrypted private keys can be stored and backed up like regular data, as you need access to the secret OBS key to decrypt them (which is only stored on the sign server). The disadvantage is that an intruder can use any stored key to sign rpms (but he can't copy the private key away and do more damage).
So for build.opensuse.org we actually have two security levels. For most things we store the encrypted private key on the host, but there are a couple of keys like the opensuse key that are only stored in the sign server (and were created manually).
Example (copr@example.com is the dedicated key that needs to exist on the sign host):
- create a new key: [@host-1]:# sign -u copr@example.com -P foo.priv -g rsa@2048 800 foo foo@example.com > foo.pub
- sign rpm: [@host-1]:# sign -u copr@example.com -P foo.priv target.rpm
Additional question: Do we really need to protect keys with passphrases on [host-0]? Private keys should never leave the keyring on that machine.
I don't think you need passphrases. They don't help much if they can be read from the filesystem anyway...
Cheers, Michael.
-- Best regards, Gologuzov Valentin.