[opensuse-buildservice] How can i setup package signing on local obs?
Hello,

can someone explain how to setup the signd & sign program on a local bs setup?
I got the daemon running, and the sign program connects but then hangs, while the signd starts some subprocesses and nothing happens.
I'm not sure where to place the key files used for signing, maybe someone can bring some light into the darkness ;)

attached, a processlist and log entries of signd

thanks
Carsten

(end of "ps axu" output)
obsrun   25247  0.0  0.4  12632  9284 ?      S    10:57   0:00 /usr/bin/perl -w ./bs_repserver
obsrun   25248  0.0  0.0   1820   560 ?      S    10:57   0:00 /srv/obs/sign/sign -r /srv/obs/jobs/x86_64/multimedia::SLE_10::portaudio18-6337f29c4f0b6a49147cef12bb42056f:dir/portau
obsrun   25251  0.0  0.4  12632  9284 ?      S    10:57   0:00 /usr/bin/perl -w ./bs_repserver
obsrun   25252  0.0  0.0   1816   552 ?      S    10:57   0:00 /srv/obs/sign/sign -r /srv/obs/jobs/i586/multimedia::SLE_10::portaudio18-6337f29c4f0b6a49147cef12bb42056f:dir/portaudi
root     28395  0.0  0.1   9348  2816 ?      Ss   13:34   0:01 sshd: root@pts/0
root     28397  0.0  0.0   4276  2044 pts/0  Ss   13:34   0:00 -bash
postfix  31139  0.0  0.0   5692  1716 ?      S    14:51   0:00 pickup -l -t fifo -u
root     31790  0.0  0.0   2480   856 pts/0  R+   15:26   0:00 ps axu

obs-web:~/bin # ps axu|grep sign
root      5981  0.0  0.1   4868  3196 ?      Ss   Nov21   0:00 /usr/bin/perl ./signd
obsrun    6328  0.0  0.0   1820   560 ?      S    Nov21   0:00 /srv/obs/sign/sign -r /srv/obs/jobs/i586/internetx:mysql5::SLE_10::libmemcached-3baa823c6ef50fd1588d72fdcb28e683:dir/libmemcached-0.9-5.7.i586.rpm
root      6329  0.0  0.1   4868  2456 ?      S    Nov21   0:00 /usr/bin/perl ./signd
root      6330  0.0  0.1   4868  2456 ?      S    Nov21   0:00 /usr/bin/perl ./signd
root      6331  0.0  0.1   4868  2456 ?      S    Nov21   0:00 /usr/bin/perl ./signd
root      6332  0.0  0.1   4868  2456 ?      S    Nov21   0:00 /usr/bin/perl ./signd
root      6333  0.0  0.1   4868  2456 ?      S    Nov21   0:00 /usr/bin/perl ./signd
root      6334  0.0  0.1   4868  2456 ?      S    Nov21   0:00 /usr/bin/perl ./signd
root      6335  0.0  0.1   4868  2456 ?      S    Nov21   0:00 /usr/bin/perl ./signd
root      6336  0.0  0.1   4868  2456 ?      S    Nov21   0:00 /usr/bin/perl ./signd
root      6337  0.0  0.1   4868  2456 ?      S    Nov21   0:00 /usr/bin/perl ./signd
root      6338  0.0  0.1   4868  2456 ?      S    Nov21   0:00 /usr/bin/perl ./signd
root      6340  0.0  0.1   4868  2456 ?      S    Nov21   0:00 /usr/bin/perl ./signd
obsrun   25248  0.0  0.0   1820   560 ?      S    10:57   0:00 /srv/obs/sign/sign -r /srv/obs/jobs/x86_64/multimedia::SLE_10::portaudio18-6337f29c4f0b6a49147cef12bb42056f:dir/portaudio18-devel-18.1-1.1.x86_64.rpm
obsrun   25252  0.0  0.0   1816   552 ?      S    10:57   0:00 /srv/obs/sign/sign -r /srv/obs/jobs/i586/multimedia::SLE_10::portaudio18-6337f29c4f0b6a49147cef12bb42056f:dir/portaudio18-devel-18.1-1.1.i586.rpm

obs-web:~/bin # cat /srv/obs/log/signd.log
2007-11-21 17:04:21: signproxy started
2007-11-21 17:08:02: <ip-removed>: sign buildservice@<domain-removed> 6657796b8a7aac3228df34447f8d5f48a9514a93@00474457e2 df4d4ac23bb2662ac5d550b4de263a4c09a67317@00474457e2
(the same 17:08:02 line appears 11 times in the log)
On Fri, Nov 23, 2007 at 03:41:34PM +0100, Carsten Schoene wrote:
Hello,
can someone explain how to setup the signd & sign program on a local bs setup?
I got the daemon running, and the sign program connects but then hangs, while the signd starts some subprocesses and nothing happens.
Hmm, it shouldn't hang, might be some obscure bug in signd.
I'm not sure where to place the key files used for signing, maybe someone can bring some light into the darkness ;)
The setup is like this:

You have a host where the build service runs on and another host (high security) that only runs the signd daemon and nothing else. This host is typically on some dedicated network so that it can only be reached by the build service. And sshd and the like is turned off, so that you need console access if you want in. This is because the host contains the private keys plus the passphrases; you do not want anyone to be able to obtain this sensitive information.

Configuration is like this

/etc/sign.conf for the build service host:

    server: <private ip>
    user: buildservice@myhost.con
    allowuser: bsrun

/etc/sign.conf for the sign server:

    allow: <ip of build service>
    phrases: /root/.phrases

The /root/.phrases directory should contain a "buildservice@myhost.com" file containing the needed passphrase.

The installed gpg must include the "patches-are-digest" patch, gpg from SL10.2 works. (Unfortunately 10.3 ships with gpg2, which doesn't include the patch yet.)

Cheers,
  Michael.

-- 
Michael Schroeder                                   mls@suse.de
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
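A small shell check for the signd side of the layout Michael describes, added here as an example (it is not OBS code and not part of his message): it reads the "allow:" and "phrases:" keys from a sign.conf and verifies that the per-user passphrase file exists. The 700/600 modes it insists on are this example's own assumption; the thread only says the host must be reachable by nobody but the build service and root.

```shell
#!/bin/sh
# check_signd_host: sanity-check the signing host's /etc/sign.conf and its
# phrases directory.  Added example, not part of signd or the obs-server package.
# Usage:   check_signd_host /etc/sign.conf buildservice@myhost.com
# Returns: 0 when everything is consistent, 1 otherwise (findings are printed).
check_signd_host() {
    conf=$1; signuser=$2; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # First value of each key; sign.conf is "key: value" per line.
    allow=$(sed -n 's/^allow:[[:space:]]*//p' "$conf" | head -n 1)
    phrases=$(sed -n 's/^phrases:[[:space:]]*//p' "$conf" | head -n 1)

    # Without "allow:" signd has no build-service address to accept requests from.
    [ -n "$allow" ] || { echo "FAIL: $conf has no 'allow:' line"; rc=1; }
    if [ -z "$phrases" ]; then
        echo "FAIL: $conf has no 'phrases:' line"; return 1
    fi
    [ -d "$phrases" ] || { echo "FAIL: phrases directory $phrases is missing"; return 1; }

    # The directory holds private-key passphrases: owner-only access is assumed
    # here (700 on the directory, 600 on each file).  ls output may carry a
    # trailing "." or "+" for ACL/SELinux labels, which is stripped.
    set -- $(ls -ld "$phrases"); dperm=${1%[.+]}
    case $dperm in
        drwx------) ;;
        *) echo "FAIL: $phrases is $dperm, expected drwx------ (700)"; rc=1 ;;
    esac

    # One file per signing user, named after the "user:" of the client side.
    pf="$phrases/$signuser"
    if [ ! -f "$pf" ]; then
        echo "FAIL: no passphrase file $pf for $signuser"; rc=1
    else
        set -- $(ls -l "$pf"); fperm=${1%[.+]}
        case $fperm in
            -rw-------) ;;
            *) echo "FAIL: $pf is $fperm, expected -rw------- (600)"; rc=1 ;;
        esac
        [ -s "$pf" ] || { echo "FAIL: $pf is empty"; rc=1; }
    fi

    [ "$rc" -eq 0 ] && echo "OK: signd host config for $signuser (allow: $allow) looks consistent"
    return "$rc"
}
```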
thanks for your help, works great ;)
Hi Michael,

is there a plan to provide "sign" with the obs-server RPM package ? I did get it only while extracting it from SOURCE.

you're talking about gpg2 and a patch. Do I have to build a newer gpg for SLES10 SP2 ?

Thanks for your help

Kind Regards
Chris
On Wed, Jul 02, 2008 at 11:51:48PM +0000, Christian wrote:
is there a plan to provide "sign" with the obs-server RPM package ? I did get it only while extracting it from SOURCE.
It doesn't really belong to obs, so I'd rather pack it as a different package. Still TODO.
your talking about gpg2 and a patch. Do I have to build a newer gpg for SLES10 SP2 ?
Yes, you need the "files_are_digests" patch. It's already included in the openSUSE-10.2 gpg, so you can just install the 10.2 package.

Cheers,
  Michael.
Hi Michael,

Michael Schroeder schrieb:
It doesn't really belong to obs, so I'd rather pack it as a different package. Still TODO.

OK, can provide you with an init-script for signd. (attached)

you're talking about gpg2 and a patch. Do I have to build a newer gpg for SLES10 SP2 ?

Yes, you need the "files_are_digests" patch. It's already included in the openSUSE-10.2 gpg, so you can just install the 10.2 package.

Now signd is working. But how to activate for my repos/packages. scheduler is telling "gpg (disabled)" Can not find any docu about that. Any help would be appreciated.

Cheers
Chris

attached sign.conf template:

    ### for build service host
    #server: <IP of your signd host>
    #user: rpm@scorpio-it.net
    #allowuser: bsrun
    #
    ### for sign server
    #allow: <IP of your obs-host>
    #phrases: /root/.phrases

attached /etc/init.d/signd:

    #!/bin/sh
    # Copyright (c) 2008 Scorpio IT, Deidesheim, Germany
    #
    # Author: Christian Wittmer
    # please send feedback to <rpm@scorpio-it.net>
    #
    # /etc/init.d/signd
    #
    ### BEGIN INIT INFO
    # Provides:       signd
    # Required-Start: $network $named $syslog $time
    # Should-Start:
    # Required-Stop:
    # Default-Start:  3 5
    # Default-Stop:
    # Description:    start the gpg sign daemon
    ### END INIT INFO

    # check for sysconfig file
    #[ -f /etc/sysconfig/mailgraph ] && . /etc/sysconfig/mailgraph ;

    PATH=/bin:/usr/bin
    SN_BIN="/usr/sbin/signd"
    SN_OPTS=${SIGN_OPTS:="-f"}
    PID=${SIGN_PID:="/var/run/signd.pid"}
    LOG=${SIGN_LOG:="/var/log/signd.log"}

    # Shell functions sourced from /etc/rc.status:
    #      rc_check         check and set local and overall rc status
    #      rc_status        check and set local and overall rc status
    #      rc_status -v     ditto but be verbose in local rc status
    #      rc_status -v -r  ditto and clear the local rc status
    #      rc_failed        set local and overall rc status to failed
    #      rc_failed <num>  set local and overall rc status to <num><num>
    #      rc_reset         clear local rc status (overall remains)
    #      rc_exit          exit appropriate to overall rc status
    . /etc/rc.status

    # First reset status of this service
    rc_reset

    # Return values acc. to LSB for all commands but status:
    # 0 - success
    # 1 - generic or unspecified error
    # 2 - invalid or excess argument(s)
    # 3 - unimplemented feature (e.g. "reload")
    # 4 - insufficient privilege
    # 5 - program is not installed
    # 6 - program is not configured
    # 7 - program is not running
    #
    # Note that starting an already running service, stopping
    # or restarting a not-running service as well as the restart
    # with force-reload (in case signalling is not supported) are
    # considered a success.

    case "$1" in
        start)
            echo -n "Starting gpg sign daemon (signd): "
            ## Start the daemon (signd forks itself with -f). If this fails
            ## the echo return value is set appropriate.
            nice -19 ${SN_BIN} ${SN_OPTS}

            # remember status and be verbose
            rc_status -v
            ;;
        stop)
            echo -n "Stopping gpg sign daemon (signd): "
            ## Stop daemon with killproc(8) and if this fails
            ## set the echo return value.
            /sbin/killproc -p ${PID} ${SN_BIN}

            # remember status and be verbose
            rc_status -v
            ;;
        restart)
            ## Stop the service and regardless of whether it was
            ## running or not, start it again.
            $0 stop
            $0 start

            # remember status and be quiet
            rc_status
            ;;
        status)
            echo -n "Checking for gpg sign daemon (signd): "
            ## Check status with checkproc(8), if process is running
            ## checkproc will return with exit status 0.

            # Return value is slightly different for the status command:
            # 0 - service running
            # 1 - service dead, but /var/run/ pid file exists
            # 2 - service dead, but /var/lock/ lock file exists
            # 3 - service not running

            # NOTE: checkproc returns LSB compliant status values.
            /sbin/checkproc -p ${PID} ${SN_BIN}
            # remember status and be verbose
            rc_status -v
            ;;
        info)
            echo "Info about VAR's of sign daemon (signd): "
            echo "Binary:   $SN_BIN"
            echo "Options:  $SN_OPTS"
            echo "PID file: $PID"
            echo "LOG:      $LOG"
            ;;
        *)
            echo "Usage: $0 {start|stop|restart|status|info}"
            exit 1
            ;;
    esac

    # finally clean exit
    rc_exit
On Monday 07 July 2008 02:21:26 Christian wrote:
Hi Michael,
Michael Schroeder schrieb:
It doesn't really belong to obs, so I'd rather pack it as a different package. Still TODO.
OK, can provide you with a init-script for signd. (attached)
your talking about gpg2 and a patch. Do I have to build a newer gpg for SLES10 SP2 ?
Yes, you need the "files_are_digests" patch. It's already included in the openSUSE-10.2 gpg, so you can just install the 10.2 package.
Now signd is working. But how to activate for my repos/packages. scheduler is telling "gpg (disabled)" Can not find any docu about that. Any help would be appreciated.
BSConfig.pm needs a line like

    our $sign = '/root/bin/sign';

to call the client.

-- 
Adrian Schroeter
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
email: adrian@suse.de
On Monday 07 July 2008 02:21:26 Christian wrote:
BSConfig.pm needs a line like
our $sign = '/root/bin/sign';
to call the client
Hi Adrian,

placed "sign" under /root/bin/ on obs-host, uncommented the line inside BSConfig.pm. restarted all obs services and all workers. triggered a rebuild of one package but with no success.

Did I miss anything else ?

Thanks
Chris
Hi,

'/root/bin/sign' is nonsense. "obsrun" will never be able to execute this file (Permission denied).
so placing it to '/usr/bin' (755,root,root) will not work at all, because "binderesvport: Permission denied"
but chown root:obsrun, and chmod 2750 will then allow signing packages.

If this is not the right way, I'm willing to learn the right one.

Kind Regards
Chris
Hi,

and I am willing to put this into openSUSE:Tools:Unstable as a package, when it is working. So I am listening too...

I had that on my TODO list, now that OBS 1.0 is finally released.

Martin
On Wed, Jul 09, 2008 at 10:19:51PM +0000, Christian wrote:
Hi,
'/root/bin/sign' is nonsense. "obsrun" will never be able to execute this file (Permission denied). so placing it to '/usr/bin' (755,root,root) will not work at all, because "binderesvport: Permission denied"
but chown root:obsrun, and chmod 2750 will then allow signing packages.
If this is not the right way, i'm willing to learn the right one.
You probably mean 'chmod 4750'. And /etc/sign.conf must include "allowuser: bsrun" to tell sign that "bsrun" may use sign.

Cheers,
  Michael.
Hi Michael,

sorry, you're right, I did 'chmod 4750'. Don't know why I wrote '2750'.

    -rwsr-x--- 1 root obsrun 54905 2008-06-25 21:21 sign*

but "allowuser:" should be "obsrun", shouldn't it ?

- snip of obs-server.spec -
/usr/sbin/useradd -r -o -s /bin/false -c "User for build service backend" -d /usr/lib/obs -g obsrun obsrun
- snip of obs-server.spec -

Cheers,
Chris
On Thu, Jul 10, 2008 at 01:22:28PM +0000, Christian wrote:
Hi Michael,
sorry, your right, I did 'chmod 4750'. Don't know why I wrote '2750'. -rwsr-x--- 1 root obsrun 54905 2008-06-25 21:21 sign*
but "allowuser:" should be "obsrun", shouldn't it ? - snip of obs-server.spec - /usr/sbin/useradd -r -o -s /bin/false -c "User for build service backend" -d /usr/lib/obs -g obsrun obsrun - snip of obs-server.spec -
Yes, the user is called "bsrun" on build.opensuse.org. Someone added an 'o' in the packages for whatever reasons.

Cheers,
  Michael.
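As an added example (not from the thread, signd or the obs-server package), a shell function that checks the build-service side the way the last few messages settle it: sign must be root-owned and setuid 4750 (ls shows -rwsr-x---, not the setgid-only -rwxr-s--- of 2750), executable by the backend user's group, and /etc/sign.conf must carry an "allowuser:" line naming the account the backend actually runs as (obsrun from the package, bsrun on build.opensuse.org). The expected owner and group are parameters so the check can be exercised on files you own.

```shell
#!/bin/sh
# check_sign_client: verify the "sign" client installation on the build
# service host.  Added example; not part of OBS.
# Usage:   check_sign_client <sign binary> <sign.conf> <backend user> [owner] [group]
#          e.g. check_sign_client /usr/bin/sign /etc/sign.conf obsrun root obsrun
# Returns: 0 when consistent, 1 otherwise; each finding is printed.
check_sign_client() {
    bin=$1; conf=$2; user=$3; owner=${4:-root}; group=${5:-$3}
    rc=0

    [ -f "$bin" ] || { echo "FAIL: $bin does not exist"; return 1; }

    # ls -ld prints e.g. "-rwsr-x--- 1 root obsrun 54905 2008-06-25 21:21 sign".
    # The "s" in the owner execute slot is the setuid bit: sign needs root to
    # bind a reserved port (bindresvport) when it talks to signd, so a setgid
    # 2750 (-rwxr-s---) is not enough.  A trailing "." or "+" (ACL/SELinux
    # label) is stripped before comparing.
    set -- $(ls -ld "$bin")
    perms=${1%[.+]}; fowner=$3; fgroup=$4

    case $perms in
        -rwsr-x---) ;;
        -rwxr-s---) echo "FAIL: $bin is setgid only (2750); needs setuid 4750 (-rwsr-x---)"; rc=1 ;;
        *)          echo "FAIL: $bin has mode $perms, expected -rwsr-x--- (4750)"; rc=1 ;;
    esac
    [ "$fowner" = "$owner" ] || { echo "FAIL: $bin is owned by $fowner, expected $owner"; rc=1; }
    [ "$fgroup" = "$group" ] || { echo "FAIL: $bin has group $fgroup, expected $group so that $user may execute it"; rc=1; }

    # sign.conf must list the backend account in "allowuser:"; a line naming a
    # different account (bsrun vs. obsrun) is exactly the mismatch from the thread.
    if [ ! -r "$conf" ]; then
        echo "FAIL: $conf is not readable"; rc=1
    elif ! grep -Eq "^allowuser:[[:space:]]*$user([[:space:]]|\$)" "$conf"; then
        echo "FAIL: $conf has no 'allowuser: $user' line"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $bin is usable by $user"
    return "$rc"
}
```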
participants (5)
- Adrian Schröter
- Carsten Schoene
- Christian
- Martin Mohring
- Michael Schroeder