Hi Christian,

On Mon, 2020-04-20 at 20:58 +0200, Christian wrote:
> Hi,
>
> On 20.04.20 at 20:19, Srinidhi B wrote:
> > Yes, this is why I had requested [1] you to run "osc signkey --sslcert -- create" command. This will create an SSL certificate for your project where you want to build your kernel / kernel module packages.
>
> is it possible to have a global SSL certificate like I do have already with the GPG key?

Not unless you use BSConfig::project_sign setting. You could do one thing (although, I'm not sure whether this is a good recommendation): As I already shared which files are necessary per project, just copy your global key as /srv/obs/projects/$PROJECT.pkg/_pubkey and similarly, your certificate as _sslkey. Do remember that you need to do this for *each* project where you are building kernel stuff.

> will this command also create a GPG key for that project or only the SSL certificate?

It won't create a GPG key pair if you already have a GPG key (that _pubkey file) for that project. The SSL certificate is *signed* using your GPG pubkey. Hence, a GPG key pair is created if it doesn't exist before creating an SSL certificate.

> Why does 'kernel stuff' need to have an x509 cert for signing, while for other packages it is fine to have just a GPG key?

It is needed by pesign (the "second build" that you observed earlier) to sign the kernel (and kernel modules) with the same key so that the kernel is not tainted when booting in secure mode (or even in case of trusted boot).

Regards,
Srinidhi.
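An added example, not part of the e-mail above and not OBS code: a small audit of the per-project layout described in the reply, reporting for each project whether its `_pubkey` and `_sslkey` are missing, a byte-identical copy of the global files, or project-specific. The file names and the `/srv/obs/projects/$PROJECT.pkg` layout are taken as written in the thread; the function names, the global key and certificate paths passed as arguments, and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Usage: audit_obs_signing PROJECTS_ROOT GLOBAL_PUBKEY GLOBAL_CERT
# Prints "<project> <pubkey-state> <cert-state>" per project,
# where each state is one of: missing | global | own.

KEY_FILE=_pubkey    # per-project file names as given in the thread
CERT_FILE=_sslkey

# Classify one per-project file against its global counterpart.
file_state() {
    if [ ! -f "$1" ]; then
        echo missing
    elif cmp -s "$1" "$2"; then
        echo global     # byte-identical copy of the global file
    else
        echo own        # project-specific key or certificate
    fi
}

audit_obs_signing() {
    root=$1 global_pub=$2 global_cert=$3
    for dir in "$root"/*.pkg; do
        [ -d "$dir" ] || continue    # an unmatched glob stays literal
        project=$(basename "$dir" .pkg)
        pub=$(file_state "$dir/$KEY_FILE" "$global_pub")
        cert=$(file_state "$dir/$CERT_FILE" "$global_cert")
        echo "$project $pub $cert"
    done
}

# Constructed demo tree with dummy file contents, so the audit runs offline.
demo() {
    tmp=$(mktemp -d)
    p="$tmp/projects"
    mkdir -p "$p/home:alice:kernel.pkg" "$p/home:bob.pkg" "$p/devel.pkg"
    echo GLOBALPUB > "$tmp/pub"
    echo GLOBALCERT > "$tmp/cert"
    cp "$tmp/pub" "$p/home:alice:kernel.pkg/$KEY_FILE"
    cp "$tmp/cert" "$p/home:alice:kernel.pkg/$CERT_FILE"
    echo OWNPUB > "$p/devel.pkg/$KEY_FILE"
    audit_obs_signing "$p" "$tmp/pub" "$tmp/cert"
    rm -rf "$tmp"
}

demo
```

A project reported as `global global` shares the instance-wide signing material, which is worth knowing when that key has to be rotated; a kernel project with `missing` in the second column has no certificate for the pesign step.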