On Wednesday, 17 August 2022, 17:05:19 CEST TommyLike Hu wrote:
Hey Adrian Schröter, thanks for your reply. I have a few more questions regarding the signing service and your suggestion.
Alternative is configure your own signing script. You can do so via the
$sign variable in your BSConfig.pm of the backend configuration.
I can't find any document on how to do this, but with a quick code search this is my understanding: the signing service in OBS runs as a separate daemon named signd, and the OBS backend uses the /usr/bin/sign command to communicate with this server. Therefore, if we need to integrate an external signing service, we should develop our own version of the sign command utility, which acts the same as below:
yes, you would basically replace the sign call with your own implementation. It is up to you then how to support your concrete HSM. The $sign variable needs to point to your executable then.
usage: sign [-v] [options]
       sign [-v] -c <file> [-u user] [-h hash]: add clearsign signature
       sign [-v] -d <file> [-u user] [-h hash]: create detached signature
       sign [-v] -r <file> [-u user] [-h hash]: add signature block to rpm
       sign [-v] -a <file> [-u user] [-h hash]: add signature block to appimage
       sign [-v] -k [-u user] [-h hash]: print key id
       sign [-v] -p [-u user] [-h hash]: print public key
       sign [-v] -g <type> <expire> <name> <email>: generate keys
       sign [-v] -x <expire> <pubkey>: extend pubkey
       sign [-v] -C <pubkey>: create certificate
       sign [-v] -t: test connection to signd server
Or can we also hard-code the signd service itself?
signd is used by the sign client. You may not want to use all this and do your own. Or play with the very latest version of sign/signd instead, as I wrote before.
Second, for the RPM signature there are two different versions, v3 and v4 [1], and for our OBS instance I think the v3 signature is generated. So my question is: can we configure it to sign with a v4 signature instead of v3? Is there any performance difference between these two?
sign supports both, it is a CLI argument (-4). I am not sure atm if rpm handles v4 well, it is only used for Arch packages IIRC.
Third, how does openSUSE deploy the signing service? I found a detached signing machine suggestion in the documentation [2], made for safety reasons, so my question is: is this the way openSUSE deploys the signing service in a production environment, or has openSUSE also configured an HSM solution for the signing service?
We will use an HSM in future, just struggling with performance issues atm.
Thanks, TommyLike
[1]: https://www.redhat.com/en/blog/securing-rpm-signing-keys
[2]: https://en.opensuse.org/openSUSE:Build_Service_Signer#Detached_signer_machin...
On Tue, Aug 16, 2022 at 7:49 PM Adrian Schröter <adrian@suse.de> wrote:
On Tuesday, 16 August 2022, 13:14:27 CEST TommyLike Hu wrote:
Hey everyone, we are using the Open Build Service as our RPM package builder, and we are wondering whether we can integrate an external signing service (HSM) into OBS as a signing plugin now?
you may use the latest version of the sign service (from OBS:Server:Unstable), however that one may still have some performance problems.
Alternative is configure your own signing script. You can do so via the $sign variable in your BSConfig.pm of the backend configuration.
--
Adrian Schroeter <adrian@suse.de> Build Infrastructure Project Manager
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany (HRB 36809, AG Nürnberg) Geschäftsführer: Ivo Totev
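The thread settles on one integration path: point the $sign variable in BSConfig.pm at your own executable, which then has to speak the same command-line contract as /usr/bin/sign (the usage text quoted above). The following is an added example of what such a replacement can look like; it is not code from the thread, from OBS, or from the sign/signd project. It implements the option grammar from the quoted usage and dispatches each mode to a small backend interface. The backend shown uses gpg purely as a stand-in for an HSM vendor's client; the backend method set (ping/key_id/pubkey/sign), the default digest, the convention that -d writes <file>.sig and -c rewrites the file in place, and the exit codes are all assumptions of this example. The -r and -a modes (RPM and AppImage signature blocks) are deliberately rejected rather than faked, since they require format-specific header handling that a plain gpg call does not provide. A BSConfig.pm entry for it would be a line such as `our $sign = "/usr/local/bin/obs-sign-hsm";` (hypothetical path).

```python
#!/usr/bin/env python3
"""Hypothetical drop-in for OBS's sign(1) that delegates to a pluggable backend.
The option grammar mirrors the usage text quoted in the thread; the backend interface,
gpg as a stand-in for an HSM client, the default digest and the <file>.sig output
convention are assumptions of this example, not OBS behaviour."""
import subprocess
import sys

USAGE = ("usage: sign [-v] (-c|-d|-r|-a) <file> [-u user] [-h hash]\n"
         "       sign [-v] (-k|-p|-t) [-u user] [-h hash]")
FILE_MODES = {"-c", "-d", "-r", "-a"}   # modes that take a <file> argument
BARE_MODES = {"-k", "-p", "-t"}         # modes that take none


def parse_args(argv):
    """Parse a sign(1)-style argv into a dict; raise ValueError on a bad command line."""
    o = {"mode": None, "file": None, "user": None, "hash": "sha256", "verbose": False}
    i = 0
    while i < len(argv):
        a = argv[i]
        if a == "-v":
            o["verbose"] = True
        elif a in ("-u", "-h"):
            if i + 1 >= len(argv):
                raise ValueError(f"{a} needs an argument")
            o["user" if a == "-u" else "hash"] = argv[i + 1]
            i += 1
        elif a in FILE_MODES or a in BARE_MODES:
            if o["mode"] is not None:
                raise ValueError("only one mode may be given")
            o["mode"] = a
            if a in FILE_MODES:
                if i + 1 >= len(argv):
                    raise ValueError(f"{a} needs a <file>")
                o["file"] = argv[i + 1]
                i += 1
        else:
            raise ValueError(f"unknown option {a}")
        i += 1
    if o["mode"] is None:
        raise ValueError("no mode given")
    return o


class GpgBackend:
    """Stand-in backend; a real deployment calls the HSM vendor's client in these methods."""
    def __init__(self, gpg="gpg"):
        self.gpg = gpg

    def _gpg(self, args):
        # --batch/--yes keep gpg non-interactive: the OBS backend cannot answer prompts
        return subprocess.run([self.gpg, "--batch", "--yes", *args],
                              capture_output=True, check=True).stdout

    def ping(self):
        self._gpg(["--list-keys"])             # any round trip shows the backend is up

    def key_id(self, user):
        sel = [user] if user else []
        for line in self._gpg(["--with-colons", "--list-keys", *sel]).decode().splitlines():
            f = line.split(":")
            if f[0] == "pub":
                return f[4]                    # field 5 of a 'pub' record is the key id
        raise RuntimeError("no signing key found")

    def pubkey(self, user):
        return self._gpg(["--armor", "--export", *([user] if user else [])])

    def sign(self, path, user, digest, detached):
        args = ["--detach-sign" if detached else "--clearsign",
                "--digest-algo", digest, "--output", "-"]
        return self._gpg(args + (["-u", user] if user else []) + [path])


def run(argv, backend, out=None, err=None):
    """Dispatch one sign(1) invocation; return the process exit code."""
    out = out if out is not None else sys.stdout.buffer
    err = err if err is not None else sys.stderr
    try:
        o = parse_args(argv)
    except ValueError as e:
        print(f"sign: {e}\n{USAGE}", file=err)
        return 1
    try:
        if o["mode"] == "-t":
            backend.ping()
        elif o["mode"] == "-k":
            out.write(backend.key_id(o["user"]).encode() + b"\n")
        elif o["mode"] == "-p":
            out.write(backend.pubkey(o["user"]))
        elif o["mode"] in ("-d", "-c"):
            sig = backend.sign(o["file"], o["user"], o["hash"], detached=o["mode"] == "-d")
            # assumed convention: -d writes <file>.sig, -c replaces the file with clearsigned text
            with open(o["file"] + (".sig" if o["mode"] == "-d" else ""), "wb") as f:
                f.write(sig)
        else:                                   # -r / -a need rpm/appimage header logic
            print(f"sign: mode {o['mode']} is not implemented by this backend", file=err)
            return 2
    except Exception as e:
        print(f"sign: {e}", file=err)          # non-zero exit is what the caller checks
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(run(sys.argv[1:], GpgBackend()))
```

Two points matter more than the gpg plumbing when you swap in a real HSM client: the OBS backend judges success by the exit status and the files the tool leaves behind, so every failure must surface as a non-zero exit rather than an empty signature; and the tool must never block on a prompt (PIN entry, key confirmation), which is why the stand-in forces batch mode. The `-4` flag for v4 RPM signatures mentioned above is not part of this grammar because RPM header signing is not attempted here.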