[opensuse-buildservice] obs and signing

I've noted a slightly old thread where somebody asked about how to use obssigner or obssignd. However, the problem was that there wasn't any documentation; and there wasn't any discussion on how to set up the signer.

I'd be more than willing to help document the process on the build service wikis -- if only I knew how to set it up. I can't find any documentation on how to configure obssigner.

I've uncommented:

    our $sign = '/usr/bin/sign';

from BSConfig.pm

I've tried putting the following into my /etc/sign.conf:

    ### for build service host
    server: <my_real_ip_address>
    user: obsbuild@foo.com
    allowuser: obsrun
    #
    ### for sign server
    #allow: <IP of your build service host>
    allow: <my_real_ip_address>
    #phrases: /root/.phrases

When I start /etc/init.d/obssignd, it starts without throwing an error. After I start /etc/init.d/obssigner, there is a new logfile created in:

    /srv/obs/log/signer.log

This logfile has the following contents:

    Name "BSConfig::sign_project" used only once: possible typo at /usr/lib/obs/server//bs_signer line 96.
    starting build service signer
    waiting for an event...

When I try to create a key (from a project I've checked out), I get:

    ~/src/obs/myproject$ osc signkey --create
    Server returned an error: HTTP Error 404: Not Found
    don't know how to create a key

I'm using the packages in OpenSUSE:Tools, for openSUSE 11.2. The packages I have are:

    obs-service-download_url-0.1-7.1.noarch
    obs-utils-1.7.5-1.1.x86_64
    obs-common-1.7.0-1.1.x86_64
    obs-api-1.7.5-1.1.x86_64
    obs-worker-1.7.5-1.1.x86_64
    obs-server-1.7.2-18.8.x86_64
    obs-signd-1.7.0-5.1.x86_64
    obs-source_service-1.7.5-1.1.x86_64
    obs-productconverter-1.7.5-1.1.x86_64

Any hints?

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org

On 2010-05-28 18:19:47 -0600, Troy Telford wrote:
I've noted a slightly old thread where somebody asked about how to use obssigner or obssignd. However, the problem was that there wasn't any documentation; and there wasn't any discussion on how to set up the signer.
I'd be more than willing to help document the process on the build service wikis -- if only I knew how to set it up. I can't find any documentation on how to configure obssigner.
I've uncommented: our $sign = '/usr/bin/sign'; from BSConfig.pm
I've tried putting the following into my /etc/sign.conf:

    ### for build service host
    server: <my_real_ip_address>
    user: obsbuild@foo.com
    allowuser: obsrun
    #
    ### for sign server
    #allow: <IP of your build service host>
    allow: <my_real_ip_address>
    #phrases: /root/.phrases

When I start /etc/init.d/obssignd, it starts without throwing an error. After I start /etc/init.d/obssigner, there is a new logfile created in: /srv/obs/log/signer.log

This logfile has the following contents:

    Name "BSConfig::sign_project" used only once: possible typo at /usr/lib/obs/server//bs_signer line 96.
    starting build service signer
    waiting for an event...

When I try to create a key (from a project I've checked out), I get:

    ~/src/obs/myproject$ osc signkey --create
    Server returned an error: HTTP Error 404: Not Found
    don't know how to create a key

Did you restart the srcserver after modifying the BSConfig.pm? This message indicates that $sign isn't defined in BSConfig.pm.

Marcus

On Fri, May 28, 2010 at 20:24, Marcus Hüwe <suse-tux@gmx.de> wrote:
On 2010-05-28 18:19:47 -0600, Troy Telford wrote:
I've noted a slightly old thread where somebody asked about how to use obssigner or obssignd. However, the problem was that there wasn't any documentation; and there wasn't any discussion on how to set up the signer.
I was the one who asked that.
I'd be more than willing to help document the process on the build service wikis -- if only I knew how to set it up. I can't find any documentation on how to configure obssigner.
I've actually managed to get it working, after a few months >.>"
I've uncommented: our $sign = '/usr/bin/sign'; from BSConfig.pm
I've tried putting the following into my /etc/sign.conf:

    ### for build service host
    server: <my_real_ip_address>
    user: obsbuild@foo.com
    allowuser: obsrun
    #
    ### for sign server
    #allow: <IP of your build service host>
    allow: <my_real_ip_address>
    #phrases: /root/.phrases

When I start /etc/init.d/obssignd, it starts without throwing an error. After I start /etc/init.d/obssigner, there is a new logfile created in: /srv/obs/log/signer.log

This logfile has the following contents:

    Name "BSConfig::sign_project" used only once: possible typo at /usr/lib/obs/server//bs_signer line 96.
    starting build service signer
    waiting for an event...

When I try to create a key (from a project I've checked out), I get:

    ~/src/obs/myproject$ osc signkey --create
    Server returned an error: HTTP Error 404: Not Found
    don't know how to create a key

Did you restart the srcserver after modifying the BSConfig.pm? This message indicates that $sign isn't defined in BSConfig.pm.

What I did: in BSConfig.pm

    our $gpg_standard_key = "/etc/alst.asc";
    our $sign = '/usr/bin/sign';
    #Extend sign call with project name as argument "--project $NAME"
    # ** Let's not, sign doesn't support it O_O
    our $sign_project = 0;
    #Global sign key
    our $keyfile = '/etc/alst.asc';
    #Create a key by default for new projects, if top level have not one
    our $forceprojectkeys = 1;

Then in /etc/sign.conf

    user: software@lincomlinux.org
    allowuser: obsrun
    allow: 127.0.0.1
    phrases: /root/.phrases

And finally, in /etc/permissions.d/sign

    /usr/bin/sign root:root 4755

Whoever packaged obssignd needs to correct the permissions on it.

--
later, Robert Xu

On Friday, May 28, 2010 06:30:52 pm Robert Xu wrote:
On Fri, May 28, 2010 at 20:24, Marcus Hüwe <suse-tux@gmx.de> wrote:
I'd be more than willing to help document the process on the build service wikis -- if only I knew how to set it up. I can't find any documentation on how to configure obssigner.
I've actually managed to get it working, after a few months >.>"
Ouch.
When I try to create a key (from a project I've checked out), I get:
~/src/obs/myproject$ osc signkey --create
Server returned an error: HTTP Error 404: Not Found
don't know how to create a key
Did you restart the srcserver after modifying the BSConfig.pm? This message indicates that $sign isn't defined in BSConfig.pm.
It was defined. Srcserver wasn't restarted. After restarting it, I get:
Server returned an error: HTTP Error 404: Not Found
/usr/bin/sign: 256
What I did: in BSConfig.pm
our $gpg_standard_key = "/etc/alst.asc";
our $sign = '/usr/bin/sign';
#Extend sign call with project name as argument "--project $NAME" # ** Let's not, sign doesn't support it O_O
our $sign_project = 0;
#Global sign key
our $keyfile = '/etc/alst.asc';
#Create a key by default for new projects, if top level have not one
our $forceprojectkeys = 1;
OK, now a couple of questions: How was '/etc/alst.asc' generated? (is it a GPG private key, a GPG public key, etc.) I took a stab at it and created a GPG private key, and set it in place as '/etc/obskey.asc'. I'm still seeing:
$ osc signkey
Server returned an error: HTTP Error 404: Not Found
SOME_PROJECT: no pubkey available
$ osc signkey --create
Server returned an error: HTTP Error 404: Not Found
/usr/bin/sign: 256
Then in /etc/sign.conf
user: software@lincomlinux.org
so "user" is the email address given to the GPG key?
allowuser: obsrun
allow: 127.0.0.1
phrases: /root/.phrases
So what is in .phrases - is it a flat file with a passphrase:key id sort of mapping, a directory with a specific filename, etc...
And finally, in /etc/permissions.d/sign
/usr/bin/sign root:root 4755
Whoever packaged obssignd needs to correct the permissions on it.
--
later, Robert Xu

On Wed, Jun 2, 2010 at 16:27, Troy Telford <ttelford.groups@gmail.com> wrote:
On Friday, May 28, 2010 06:30:52 pm Robert Xu wrote:
On Fri, May 28, 2010 at 20:24, Marcus Hüwe <suse-tux@gmx.de> wrote:
I'd be more than willing to help document the process on the build service wikis -- if only I knew how to set it up. I can't find any documentation on how to configure obssigner.
I've actually managed to get it working, after a few months >.>"
Ouch.
I know. Pretty painful of me.
When I try to create a key (from a project I've checked out), I get:
~/src/obs/myproject$ osc signkey --create
Server returned an error: HTTP Error 404: Not Found
don't know how to create a key
Did you restart the srcserver after modifying the BSConfig.pm? This message indicates that $sign isn't defined in BSConfig.pm.
It was defined. Srcserver wasn't restarted. After restarting it, I get:
Server returned an error: HTTP Error 404: Not Found
/usr/bin/sign: 256
What I did: in BSConfig.pm
our $gpg_standard_key = "/etc/alst.asc";
our $sign = '/usr/bin/sign';
#Extend sign call with project name as argument "--project $NAME" # ** Let's not, sign doesn't support it O_O
our $sign_project = 0;
#Global sign key
our $keyfile = '/etc/alst.asc';
#Create a key by default for new projects, if top level have not one
our $forceprojectkeys = 1;
OK, now a couple of questions: How was '/etc/alst.asc' generated? (is it a GPG private key, a GPG public key, etc.) I took a stab at it and created a GPG private key, and set it in place as '/etc/obskey.asc'. I'm still seeing:
$ osc signkey
Server returned an error: HTTP Error 404: Not Found
SOME_PROJECT: no pubkey available
$ osc signkey --create
Server returned an error: HTTP Error 404: Not Found
/usr/bin/sign: 256
This, I actually used a reference from the SUSE Build Keys to make them. Here:
I have two keys: They are both named OBS Sign Key, and the email is software@lincomlinux.org.
One of them is RSA 1024 that expires 2014-05-31. The other is DSA 1024 and Elgamal 2048, expiring 2014-05-31.
/etc/alst.asc is the exported key from the DSA/Elgamal one.
Then in /etc/sign.conf
user: software@lincomlinux.org
so "user" is the email address given to the GPG key?
Yes
allowuser: obsrun
allow: 127.0.0.1
phrases: /root/.phrases
So what is in .phrases - is it a flat file with a passphrase:key id sort of mapping, a directory with a specific filename, etc...
/root/.phrases is basically a directory with text files: so for example, I have a text file named "software@lincomlinux.org" with the content of the file being "password".
For some reason, I had to *copy* the contents of .gnupg over to /
I also copied .phrases to /, but I don't think that's necessary.
And finally, in /etc/permissions.d/sign
/usr/bin/sign root:root 4755
Whoever packaged obssignd needs to correct the permissions on it.
--
later, Robert Xu

On Wed, Jun 2, 2010 at 17:21, Robert Xu <robxu9@gmail.com> wrote:
On Wed, Jun 2, 2010 at 16:27, Troy Telford <ttelford.groups@gmail.com> wrote:
On Friday, May 28, 2010 06:30:52 pm Robert Xu wrote:
On Fri, May 28, 2010 at 20:24, Marcus Hüwe <suse-tux@gmx.de> wrote:
I'd be more than willing to help document the process on the build service wikis -- if only I knew how to set it up. I can't find any documentation on how to configure obssigner.
I've actually managed to get it working, after a few months >.>"
Ouch.
I know. Pretty painful of me.
When I try to create a key (from a project I've checked out), I get:
~/src/obs/myproject$ osc signkey --create
Server returned an error: HTTP Error 404: Not Found
don't know how to create a key
Did you restart the srcserver after modifying the BSConfig.pm? This message indicates that $sign isn't defined in BSConfig.pm.
It was defined. Srcserver wasn't restarted. After restarting it, I get:
Server returned an error: HTTP Error 404: Not Found
/usr/bin/sign: 256
What I did: in BSConfig.pm
our $gpg_standard_key = "/etc/alst.asc";
our $sign = '/usr/bin/sign';
#Extend sign call with project name as argument "--project $NAME" # ** Let's not, sign doesn't support it O_O
our $sign_project = 0;
#Global sign key
our $keyfile = '/etc/alst.asc';
#Create a key by default for new projects, if top level have not one
our $forceprojectkeys = 1;
OK, now a couple of questions: How was '/etc/alst.asc' generated? (is it a GPG private key, a GPG public key, etc.) I took a stab at it and created a GPG private key, and set it in place as '/etc/obskey.asc'. I'm still seeing:
$ osc signkey
Server returned an error: HTTP Error 404: Not Found
SOME_PROJECT: no pubkey available
$ osc signkey --create
Server returned an error: HTTP Error 404: Not Found
/usr/bin/sign: 256
This, I actually used a reference from the SUSE Build Keys to make them. Here:
I have two keys: They are both named OBS Sign Key, and the email is software@lincomlinux.org.
One of them is RSA 1024 that expires 2014-05-31 The other is DSA 1024 and Elgamal 2048, expiring 2014-05-31.
/etc/alst.asc is the exported key from the DSA/Elgamal one.
Then in /etc/sign.conf
user: software@lincomlinux.org
so "user" is the email address given to the GPG key?
Yes
I forgot to mention something: You need to install the gpg2 package from openSUSE:Factory. That one has the files-are-digests.patch needed for sign to run.
allowuser: obsrun
allow: 127.0.0.1
phrases: /root/.phrases
So what is in .phrases - is it a flat file with a passphrase:key id sort of mapping, a directory with a specific filename, etc...
/root/.phrases is basically a directory with text files: so for example, I have a text file named "software@lincomlinux.org" with the content of the file being "password".
For some reason, I had to *copy* the contents of .gnupg over to /
I also copied .phrases to /, but I don't think that's necessary.
And finally, in /etc/permissions.d/sign
/usr/bin/sign root:root 4755
Whoever packaged obssignd needs to correct the permissions on it.
--
later, Robert Xu
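
The layout described in the messages above (a sign.conf with user:, allowuser:, allow: and phrases: lines, plus a phrases directory holding one plaintext passphrase file named after the key's user) can be checked mechanically. This is an added example, not part of the thread or of OBS: audit_signer and its root prefix are hypothetical names, the 'key: value' parsing is inferred from the snippets quoted in the thread, and the rule that the passphrase files get no group/other access is an assumption of this example.

```python
import os
import stat

# Keys that appear in the working sign.conf quoted in the thread.
REQUIRED_KEYS = ("user", "allowuser", "allow", "phrases")

# Constructed sample using values posted in the thread; phrases: is left
# commented out, as it was in the first message's sign.conf.
SAMPLE_CONF = """\
user: software@lincomlinux.org
allowuser: obsrun
allow: 127.0.0.1
#phrases: /root/.phrases
"""


def parse_sign_conf(text):
    """Parse 'key: value' lines; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def too_open(path):
    """True if group or other have any permission bit set on path."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


def audit_signer(conf_text, root="/"):
    """Return findings for a sign.conf and the phrases directory it names.

    root is a hypothetical prefix so a staged copy of the tree can be checked.
    """
    conf = parse_sign_conf(conf_text)
    findings = [f"sign.conf: missing '{k}:'" for k in REQUIRED_KEYS if k not in conf]
    if "user" not in conf or "phrases" not in conf:
        return findings
    phrases_dir = os.path.join(root, conf["phrases"][0].lstrip("/"))
    if not os.path.isdir(phrases_dir):
        return findings + [f"{phrases_dir}: phrases directory missing"]
    # Assumption of this example: plaintext passphrases get no group/other access.
    if too_open(phrases_dir):
        findings.append(f"{phrases_dir}: accessible to group/other")
    for user in conf["user"]:
        path = os.path.join(phrases_dir, user)
        if not os.path.isfile(path):
            findings.append(f"{path}: no passphrase file for '{user}'")
        elif too_open(path):
            findings.append(f"{path}: accessible to group/other")
    return findings


if __name__ == "__main__":
    for finding in audit_signer(SAMPLE_CONF):
        print(finding)
```
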

On 2010-06-04 12:53:48 -0600, Robert Xu said:
I forgot to mention something: You need to install the gpg2 package from openSUSE:Factory. That one has the files-are-digests.patch needed for sign to run.
Thanks; I found out the hard way. Though what I did was take the Base:System packages from build.opensuse.org (libassuan and gpg2), and re-built them for my OBS host's distribution.

But I now have it working. Now to write a nice wiki-formatted document and see if I can get it put into the OBS documentation.

Thanks!

On Fri, Jun 4, 2010 at 14:57, Troy Telford <ttelford.groups@gmail.com> wrote:
On 2010-06-04 12:53:48 -0600, Robert Xu said:
I forgot to mention something: You need to install the gpg2 package from openSUSE:Factory. That one has the files-are-digests.patch needed for sign to run.
Thanks; I found out the hard way. Though what I did was take the Base:System packages from build.opensuse.org (libassuan and gpg2), and re-built them for my OBS host's distribution.
But I now have it working. Now to write a nice wiki-formatted document and see if I can get it put into the OBS documentation.
Thanks!
glad to have helped, even though it was a little late :)
heh, I tried writing documentation for it, but I got mixed up in the end :P
have fun!

--
later, Robert Xu

I forgot to mention something: You need to install the gpg2 package from openSUSE:Factory. That one has the files-are-digests.patch needed for sign to run.
No. You can now use gpg2 from openSUSE.Tools. It is working just fine :)

Regards
Chris

On Fri, Jun 4, 2010 at 18:39, Christian <chris@computersalat.de> wrote:
I forgot to mention something: You need to install the gpg2 package from openSUSE:Factory. That one has the files-are-digests.patch needed for sign to run.
No. You can now use gpg2 from openSUSE.Tools. It is working just fine :)
Really? Was gpg2 just added today or something? Because it never showed up on my Software Manager (set to show all) Either that or the openSUSE 11.2 one took higher precedence.

--
later, Robert Xu

On Fri, Jun 4, 2010 at 18:41, Robert Xu <robxu9@gmail.com> wrote:
On Fri, Jun 4, 2010 at 18:39, Christian <chris@computersalat.de> wrote:
I forgot to mention something: You need to install the gpg2 package from openSUSE:Factory. That one has the files-are-digests.patch needed for sign to run.
No. You can now use gpg2 from openSUSE.Tools. It is working just fine :)
Really? Was gpg2 just added today or something? Because it never showed up on my Software Manager (set to show all) Either that or the openSUSE 11.2 one took higher precedence.
This is a really old conversation, but I want to let you guys know that I wrote a tutorial on how to configure the signer: http://wiki.opensuse.org/openSUSE:Build_Service_Signer

--
later, Robert Xu

This is a great writeup, thanks. Will be attempting to set this up myself quite soon.

--
Michael

________________________________________
From: Robert Xu [robxu9@gmail.com]
Sent: Friday, June 11, 2010 12:57 PM
To: Christian
Cc: opensuse-buildservice@opensuse.org
Subject: Re: [opensuse-buildservice] obs and signing

On Fri, Jun 4, 2010 at 18:41, Robert Xu <robxu9@gmail.com> wrote:
On Fri, Jun 4, 2010 at 18:39, Christian <chris@computersalat.de> wrote:
I forgot to mention something: You need to install the gpg2 package from openSUSE:Factory. That one has the files-are-digests.patch needed for sign to run.
No. You can now use gpg2 from openSUSE.Tools. It is working just fine :)
Really? Was gpg2 just added today or something? Because it never showed up on my Software Manager (set to show all) Either that or the openSUSE 11.2 one took higher precedence.
This is a really old conversation, but I want to let you guys know that I wrote a tutorial on how to configure the signer: http://wiki.opensuse.org/openSUSE:Build_Service_Signer

--
later, Robert Xu