On Fri, Nov 23, 2007 at 03:41:34PM +0100, Carsten Schoene wrote:
> can someone explain how to set up the signd & sign program on a local bs setup?
> I got the daemon running, and the sign program connects but then hangs, while the signd starts some subprocesses and nothing happens.
Hmm, it shouldn't hang, might be some obscure bug in signd.
> I'm not sure where to place the key files used for signing, maybe someone can bring some light into the darkness ;)
The setup is like this:
You have a host where the build service runs and another host (high security) that only runs the signd daemon and nothing else. This host is typically on some dedicated network so that it can only be reached by the build service. And sshd and the like is turned off, so that you need console access if you want in. This is because the host contains the private keys plus the passphrases; you do not want anyone to be able to obtain this sensitive information.
Configuration is like this:
/etc/sign.conf for the build service host:
  server: <private ip>
  user: firstname.lastname@example.org
  allowuser: bsrun
/etc/sign.conf for the sign server:
  allow: <ip of build service>
  phrases: /root/.phrases
The /root/.phrases directory should contain a "email@example.com" file containing the needed passphrase. The installed gpg must include the "patches-are-digest" patch, gpg from SL10.2 works. (Unfortunately 10.3 ships with gpg2, which doesn't include the patch yet.)
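As an added example that is not part of this thread, here is a small shell check for the layout described above: it reads the two sign.conf files, confirms that the phrases directory on the sign server holds a passphrase file for the build host's "user:", and flags passphrase material that group or others can read. The sample addresses, IPs and the assumption that the passphrase file is named after the "user:" value are constructed here, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: sanity-check the two
# /etc/sign.conf files from the thread plus the phrases directory on the
# sign server. Assumes "key: value" lines as shown, and that the phrases
# directory holds one passphrase file named after the build host's "user:".

# conf_get FILE KEY: print the value of the first "KEY: value" line.
conf_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# private_only PATH: true when group and others have no permission bits.
private_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_sign_setup BUILD_CONF SERVER_CONF
# Prints one line per finding; returns 0 when everything is consistent.
check_sign_setup() {
    server=$(conf_get "$1" server); user=$(conf_get "$1" user)
    allow=$(conf_get "$2" allow);   phrases=$(conf_get "$2" phrases)
    rc=0
    [ -n "$server" ]  || { echo "build conf: no 'server:' entry"; rc=1; }
    [ -n "$user" ]    || { echo "build conf: no 'user:' entry"; rc=1; }
    [ -n "$allow" ]   || { echo "server conf: no 'allow:' entry"; rc=1; }
    [ -d "$phrases" ] || { echo "server conf: phrases dir '$phrases' missing"; rc=1; }
    # signd looks up the passphrase by the user the build host signs as.
    if [ ! -f "$phrases/$user" ]; then
        echo "no passphrase file for '$user' in '$phrases'"; rc=1
    fi
    # Passphrases are as sensitive as the keys: nobody but root should read them.
    for p in "$phrases" "$phrases/$user"; do
        [ -e "$p" ] && ! private_only "$p" && { echo "$p is readable by others"; rc=1; }
    done
    return $rc
}

# demo_sign_setup: write a constructed, consistent pair of configs into a
# temporary directory, run the check and return its status (0 = ok).
demo_sign_setup() {
    d=$(mktemp -d) || return 1
    mkdir -m 700 "$d/phrases"
    : > "$d/phrases/signer@example.org" && chmod 600 "$d/phrases/signer@example.org"
    printf 'server: 192.0.2.10\nuser: signer@example.org\nallowuser: bsrun\n' > "$d/build.conf"
    printf 'allow: 192.0.2.20\nphrases: %s\n' "$d/phrases" > "$d/server.conf"
    check_sign_setup "$d/build.conf" "$d/server.conf"; rc=$?
    rm -rf "$d"
    return $rc
}
```

Run it on the sign server as root with the real paths (check_sign_setup /path/to/build-host-sign.conf /etc/sign.conf) after copying the build host's sign.conf over; demo_sign_setup only exercises the constructed sample.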