Hey Adrian Schröter, thanks for your reply. I have a few more questions regarding the signing service and your suggestion.
> Alternative is configure your own signing script. You can do so via the
> $sign variable in your BSConfig.pm of the backend configuration.
I can't find any document on how to do this, but with a quick code search this is my understanding:
The signing service in OBS runs in a separate daemon named signd, and the OBS backend uses the /usr/bin/sign command to communicate with this server. Therefore, if we need to integrate an external signing service, we should develop our own version of the sign command utility, which acts the same as below:
usage: sign [-v] [options]
sign [-v] -c <file> [-u user] [-h hash]: add clearsign signature
sign [-v] -d <file> [-u user] [-h hash]: create detached signature
sign [-v] -r <file> [-u user] [-h hash]: add signature block to rpm
sign [-v] -a <file> [-u user] [-h hash]: add signature block to appimage
sign [-v] -k [-u user] [-h hash]: print key id
sign [-v] -p [-u user] [-h hash]: print public key
sign [-v] -g <type> <expire> <name> <email>: generate keys
sign [-v] -x <expire> <pubkey>: extend pubkey
sign [-v] -C <pubkey>: create certificate
sign [-v] -t: test connection to signd server
Or can we also hard-code the signd service itself?
Second, for the rpm signature, there are two different versions, v3 and v4 [1], and for our OBS instance I think the v3 signature is generated. So my question is: can we configure signing with a v4 signature instead of v3? Is there any performance difference between these two?
Third, how does openSUSE deploy the signing service? I found a suggestion for a detached signing machine in the documentation [2], for safety reasons. So this is my question: is this the way openSUSE deploys the signing service in a production environment? Or has openSUSE also configured an HSM solution for the signing service?
Thanks
TommyLike
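
As an added illustration of the drop-in approach discussed in the message above (not code from OBS or from either correspondent): a Python front-end that parses the command-line interface listed in the usage text and hands a normalized request to an external signing backend. The `backend` mapping, the action names and the exit codes are assumptions made for this example; how the OBS backend actually invokes the command configured in `$sign` should be checked against its source.

```python
import sys

# Mode flags copied from the usage text: flag -> (action name, positional count).
# The action names are labels chosen for this example.
MODES = {
    "-c": ("clearsign", 1), "-d": ("detached", 1), "-r": ("rpm", 1),
    "-a": ("appimage", 1), "-k": ("keyid", 0), "-p": ("pubkey", 0),
    "-g": ("genkey", 4), "-x": ("extend", 2), "-C": ("certificate", 1),
    "-t": ("test", 0),
}
VALUE_OPTS = {"-u": "user", "-h": "hash"}


class UsageError(Exception):
    """Raised when argv does not match the usage text."""


def parse_sign_args(argv):
    """Turn a sign-style argv (without argv[0]) into a request dict."""
    req = {"action": None, "args": [], "user": None, "hash": None, "verbose": False}
    it = iter(argv)
    for tok in it:
        if tok == "-v":
            req["verbose"] = True
        elif tok in VALUE_OPTS:
            req[VALUE_OPTS[tok]] = next(it, None)
            if req[VALUE_OPTS[tok]] is None:
                raise UsageError(f"{tok} needs a value")
        elif tok in MODES and req["action"] is None:
            action, count = MODES[tok]
            args = [next(it, None) for _ in range(count)]
            if None in args:
                raise UsageError(f"{tok} needs {count} argument(s)")
            req["action"], req["args"] = action, args
        else:  # unknown flag, stray argument, or a second mode flag
            raise UsageError(f"unexpected argument: {tok}")
    if req["action"] is None:
        raise UsageError("no mode flag given")
    return req


def run(argv, backend):
    """Dispatch to backend[action](req); fail closed on anything unsupported."""
    try:
        req = parse_sign_args(argv)
        handler = backend[req["action"]]  # hypothetical external-signer hook
    except (UsageError, KeyError) as err:
        print(f"sign: rejected: {err}", file=sys.stderr)
        return 1
    return handler(req)
```

A mode the external service does not implement returns a non-zero status instead of leaving the file untouched and reporting success, so an unsigned artifact is not mistaken for a signed one.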