Hi Srinidhi, Am 20.04.20 um 21:41 schrieb Srinidhi B:
Hi Christian,
is it possible to have a global SSL certificate like I do have already with the GPG key ?
Not unless you use BSConfig::project_sign setting. Not sure what you mean, but currently using (BSConfig.pm:
#No package signing server our $sign = "/usr/bin/sign"; #Extend sign call with project name as argument "--project $NAME" #our $sign_project = 1; #Global sign key our $keyfile = "/srv/obs/Wittmer_Software.asc"; our $gpg_standard_key = "/srv/obs/Wittmer_Software.asc";
You could do one thing (although, I'm not sure whether this is a good recommendation):
As I already shared which files are necessary per project, just copy your global key as /srv/obs/projects/$PROJECT.pkg/_pubkey and similarly, your certificate as _sslkey. Do remember that you need to do this for *each* project where you are building kernel stuff.
will this command also create a GPG key for that project or only the SSL certificate ?
It won't create a GPG key pair if you already have a GPG key (that _pubkey file) for that project. The SSL certificate is *signed* using your GPG pubkey. Hence, a GPG key pair is created if it doesn't exist before creating a SSL certificate.
based on my above config I guess that's why I don't have a '_pubkey' there and further guessing that this project will then get a new 'project based' GPG and SSL key/cert How can I achieve that every built package (except the kernel stuff) is signed by my global GPG key ?
Why do 'kernel stuff' need to have a x509 cert for signing, while for other packages it is fine to have just a GPG key ?
It is needed by pesign (the "second build" that you observed earlier) to sign the kernel (and kernel modules) with the same key so that kernel is not tainted when booting in secure mode (or even in case of trusted boot).
I guess the SSL cert is a 'self-signed' one ... how is it trustworthy later ? -- Christian ------------------------------------------------------------ https://join.worldcommunitygrid.org?recruiterId=177038 ------------------------------------------------------------ http://www.sc24.de - Sportbekleidung ------------------------------------------------------------