Hi Christian,

On Tue, 2020-04-21 at 09:17 +0200, Christian wrote:
> > Not unless you use the BSConfig::project_sign setting.
> Not sure what you mean, but currently using (BSConfig.pm):
>
>     #No package signing server
>     our $sign = "/usr/bin/sign";
>     #Extend sign call with project name as argument "--project $NAME"
>     #our $sign_project = 1;
Oops! I actually meant $sign_project.
> Based on my above config, I guess that's why I don't have a '_pubkey' there, and I'm further guessing that this project will then get a new 'project based' GPG and SSL key/cert.
As I mentioned earlier, you could copy your /srv/obs/Wittmer_Software.asc over to /srv/obs/projects/$PROJECT.pkg/_pubkey and then run "osc signkey --sslcert --create $PROJECT" to create a _sslcert file signed using the _pubkey.

BTW, you still need to make sure that all your projects have a _pubkey file in their corresponding /srv/obs/projects/$PROJECT.pkg/ directory, or else local builds using "osc build" will fail when RPMs are verified. This is what we have to do for every new project we create.
> How can I achieve that every built package (except the kernel stuff) is signed by my global GPG key?
In the same project? Not possible, from what I know. You could, however, build the kernel stuff in a separate project and use those binaries in your package.
> I guess the SSL cert is a 'self-signed' one ... how is it trustworthy later?
Disclaimer: I'm not an expert. I could be saying something incomplete and even incorrect.

For this to work correctly, you need to build the entire bootloader stack - shim, grub2, kernel, etc. - with your SSL certificate. For secure boot to succeed, your SSL certificate will need to be signed by Microsoft, as explained by coolo on the other thread [1]. But adding your "self-signed" certificate to EFI's shell (using MOKUtil), at least, lets everything above the EFI shell know that it can be trusted - to some extent.

Regards,
Srinidhi.

[1] https://lists.opensuse.org/opensuse-buildservice/2020-04/msg00080.html
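The checklist in the reply above (copy the exported public key into every /srv/obs/projects/$PROJECT.pkg/_pubkey, then run "osc signkey --sslcert --create" for each project, or "osc build" fails at RPM verification) is exactly the step that gets forgotten for the next project. The script below is an added example, not code from this thread or from the Open Build Service itself. It audits a projects directory for missing _pubkey files, installs the key where it is absent, refuses anything that is not an ASCII-armoured OpenPGP public key block (so a secret key never lands in a world-readable _pubkey), and runs the osc cert step only for the projects it fixed. The directory layout and the key file path are the ones named in the thread; the function names, the OSC override variable and the sample project names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from OBS): make sure every
# project under an OBS backend has a _pubkey, then create its _sslcert.
#
# Assumed layout (from the thread): /srv/obs/projects/$PROJECT.pkg/_pubkey
# Assumed key file: the exported *public* key, e.g. /srv/obs/Wittmer_Software.asc
set -euo pipefail

# ensure_pubkeys ROOT KEYFILE
# For each ROOT/<project>.pkg/ that has no (or an empty) _pubkey, copy
# KEYFILE there. Prints the names of the projects that were fixed.
ensure_pubkeys() {
    local root="$1" keyfile="$2" dir project
    # _pubkey is read by every client; never let a secret key end up there.
    if ! grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$keyfile"; then
        echo "refusing to install $keyfile: not an OpenPGP public key block" >&2
        return 1
    fi
    for dir in "$root"/*.pkg; do
        [ -d "$dir" ] || continue            # no match, or a stray file
        project=$(basename "$dir" .pkg)
        if [ ! -s "$dir/_pubkey" ]; then
            cp "$keyfile" "$dir/_pubkey"
            chmod 0644 "$dir/_pubkey"
            echo "$project"
        fi
    done
}

# count_missing_pubkeys ROOT
# Prints how many <project>.pkg directories still lack a _pubkey.
count_missing_pubkeys() {
    local root="$1" dir n=0
    for dir in "$root"/*.pkg; do
        [ -d "$dir" ] || continue
        [ -s "$dir/_pubkey" ] || n=$((n + 1))
    done
    echo "$n"
}

# create_sslcerts < list-of-projects
# Runs "osc signkey --sslcert --create PROJECT" for each name on stdin.
# OSC is an assumed override so the step can be dry-run (OSC=echo).
create_sslcerts() {
    local project
    while IFS= read -r project; do
        [ -n "$project" ] || continue
        "${OSC:-osc}" signkey --sslcert --create "$project"
    done
}

# Usage on a real backend, as a user with osc configured for the instance:
#   ensure_pubkeys /srv/obs/projects /srv/obs/Wittmer_Software.asc | create_sslcerts
```

Run it as the user that owns /srv/obs/projects; with OSC=echo it only prints the osc invocations, which is a reasonable first pass on a backend you have not audited before.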