[opensuse-buildservice] outdated wiki: https://en.opensuse.org/openSUSE:Build_Service_Signer
Hi,

since I fought with a new local OBS setup for the last two days, it's time to fix the bouquet of misleading/dead-wrong advice in the signer guide on the wiki. (No, the signer wasn't the reason for the fight. That was /usr/sbin/obsstoragesetup. But that's a different story..). Before I start to fix the wiki, can we agree on a couple of facts beforehand?

Section: Required Packages
I think it's safe to remove all paragraphs after the item enumeration.

Section: Set up the GPG key
I would remove: "Some programs[which?] cannot handle DSA 2048, so if you are actually affected, you may want to limit yourself to a 1024 bit-DSA key instead."

Section: Prep the signer
Phrases go to /srv/obs/gnupg<fullstop>
The symlink is unnecessary.

Section: Configure the signer
For the appliance at least, the key *has* to be in /srv/obs/obs-default-gpg.asc. Contraventions will be punished by prolonged troubleshooting, that will likely end in /usr/lib/obs/server/setup-appliance.sh function prepare_obssigner...
A further note for sign_project is advised (and relocated from troubleshooting section).
Outdated: "If you run a version older than obs-signd-2.1.2 where /etc/permissions.d/sign is missing, create this file and add to it: /usr/bin/sign root:obsrun 4750 Run SuSEconfig --module permissions after having created this file." Remove?

Section: Activate the Signer
We arrived in systemd age.

Section: Signing EFI binaries/kernel modules for EFI Secure Boot and below: out of my capabilities.

Comments please.

Cheers,
Pete
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
On Thursday, 9 April 2020, 16:41:17 CEST, Hans-Peter Jansen wrote:
Section: Signing EFI binaries/kernel modules for EFI Secure Boot and below: out of my capabilities.
and seems to be defunct as well. :|

Attempt to build kernel-default from Kernel:stable for 15.{1,2} and TW, here are the relevant parts to pesign and co:

[ 146s] ### Now generating an X.509 key pair to be used for signing modules.
[ 146s] ###
[ 146s] ### If this takes a long time, you might wish to run rngd in the
[ 146s] ### background to keep the supply of entropy topped up. It
[ 146s] ### needs to be run as root, and uses a hardware random
[ 146s] ### number generator if one is available.
[ 146s] ###
[ 146s] Generating a RSA private key
[ 146s] ................................................................................ ++++
[ 146s] .......++++
[ 146s] writing new private key to 'certs/signing_key.pem'
[ 146s] -----
[ 146s] ###
[ 146s] ### Key pair generated.
[ 146s] ###
[ 146s] EXTRACT_CERTS certs/signing_key.pem
[ 146s] AS certs/system_certificates.o
[ 5533s] + cp -p arch/x86/boot/bzImage /home/abuild/rpmbuild/BUILDROOT/kernel-default-5.6.2-2.3.x86_64/boot/vmlinuz-5.6.2-2-default
[ 5533s] + image=vmlinuz
[ 5533s] + BRP_PESIGN_FILES=
[ 5533s] + BRP_PESIGN_FILES=/boot/vmlinuz-5.6.2-2-default
[ 5533s] + BRP_PESIGN_FILES='/boot/vmlinuz-5.6.2-2-default *.ko'
[ 5533s] + export BRP_PESIGN_FILES
[ 5533s] + export BRP_PESIGN_COMPRESS_MODULE=xz
[ 5533s] + BRP_PESIGN_COMPRESS_MODULE=xz
[ 5533s] + test -x /usr/lib/rpm/pesign/gen-hmac
[ 5533s] + /usr/lib/rpm/pesign/gen-hmac -r /home/abuild/rpmbuild/BUILDROOT/kernel-default-5.6.2-2.3.x86_64 /boot/vmlinuz-5.6.2-2-default
[ 5533s] + certs=()
[ 5533s] + test y = y
[ 5533s] + for f in /home/abuild/rpmbuild/SOURCES/*.crt
[ 5533s] + test -s '/home/abuild/rpmbuild/SOURCES/*.crt'
[ 5533s] + continue
[ 6084s] calling /usr/lib/rpm/brp-suse.d/brp-99-compress-vmlinux
[ 6084s] xz /home/abuild/rpmbuild/BUILDROOT/kernel-default-5.6.2-2.3.x86_64/boot/vmlinux-5.6.2-2-default
[ 6115s] calling /usr/lib/rpm/brp-suse.d/brp-99-pesign
[ 6116s] No buildservice signing certificate
[ 6116s] Creating /home/abuild/rpmbuild/OTHER/kernel-default.cpio.rsasign
[ 7459s] build: extracting built packages...
[ 7476s] RPMS/x86_64/kernel-default-devel-5.6.2-2.3.x86_64.rpm
[ 7476s] RPMS/x86_64/kernel-default-livepatch-devel-5.6.2-2.3.x86_64.rpm
[ 7476s] RPMS/x86_64/kernel-default-debuginfo-5.6.2-2.3.x86_64.rpm
[ 7476s] RPMS/x86_64/kernel-default-devel-debuginfo-5.6.2-2.3.x86_64.rpm
[ 7476s] RPMS/x86_64/kernel-default-debugsource-5.6.2-2.3.x86_64.rpm
[ 7476s] RPMS/x86_64/kernel-default-5.6.2-2.3.x86_64.rpm
[ 7476s] SRPMS/kernel-default-5.6.2-2.3.nosrc.rpm
[ 7476s] OTHER/kernel-default.cpio.rsasign
[ 7476s] OTHER/rpmlint.log
[ 7476s] OTHER/make-stderr.log
[ 7476s] OTHER/pesign-repackage.spec
[ 7476s] OTHER/_statistics
[ 7476s] OTHER/kernel-source.rpmlintrc

Need an RSA key for openssl signing, please create a new key

Hmm, what's wrong with:

gpg2 --homedir /srv/obs/gnupg --list-keys
/srv/obs/gnupg/pubring.kbx
--------------------------
pub   rsa2048 2020-04-08 [SC] [expires: 2030-04-06]
      5CA8A94E1B707B8D20D762417EE02744756FF7C9
uid           [ultimate] Hans-Peter Jansen (LISA-OBS) <hp@lisa-gmbh.de>
sub   rsa2048 2020-04-08 [E] [expires: 2030-04-06]
sub   dsa2048 2020-04-08 [S] [expires: 2030-04-06]
sub   elg2048 2020-04-08 [E] [expires: 2030-04-06]

I've noted a deviation to the default generated key, that reads:

pub   rsa2048 2020-04-08 [SCEA]

or just some openssl vs. gpg2 impedance mismatch?

Any kind soul out there, who could shed some light into this dark corner?

Thanks in advance,
Pete
On Friday, 10 April 2020, 06:42:07 CEST, Hans-Peter Jansen wrote:
On Thursday, 9 April 2020, 16:41:17 CEST, Hans-Peter Jansen wrote:
Section: Signing EFI binaries/kernel modules for EFI Secure Boot and below: out of my capabilities.
and seems to be defunct as well. :|
Attempt to build kernel-default from Kernel:stable for 15.{1,2} and TW, here are the relevant parts to pesign and co:
Significant deviations to Kernel:stable build inlined.
[ 146s] ###
[ 146s] Generating a RSA private key
[ 146s] ................................................................................ ++++
[ 146s] .......++++
[ 146s] writing new private key to 'certs/signing_key.pem'
[ 146s] -----
[ 146s] ###
[ 146s] ### Key pair generated.
[ 146s] ###
[ 146s] EXTRACT_CERTS certs/signing_key.pem
[ 146s] AS certs/system_certificates.o
K:s seems to have one already:

[ 122s] EXTRACT_CERTS
[ 122s] EXTRACT_CERTS certs/signing_key.pem
[ 5533s] + /usr/lib/rpm/pesign/gen-hmac -r /home/abuild/rpmbuild/BUILDROOT/kernel-default-5.6.2-2.3.x86_64 /boot/vmlinuz-5.6.2-2-default
[ 5533s] + certs=()
[ 5533s] + test y = y
[ 5533s] + for f in /home/abuild/rpmbuild/SOURCES/*.crt
[ 5533s] + test -s '/home/abuild/rpmbuild/SOURCES/*.crt'
[ 5533s] + continue
K:s has a key from an unknown source:

[ 4190s] + test -s /home/abuild/rpmbuild/SOURCES/_projectcert.crt
[ 6115s] calling /usr/lib/rpm/brp-suse.d/brp-99-pesign
[ 6116s] No buildservice signing certificate
[ 6116s] Creating /home/abuild/rpmbuild/OTHER/kernel-default.cpio.rsasign
unlike K:s

[ 5122s] calling /usr/lib/rpm/brp-suse.d/brp-99-pesign
[ 5122s] Using signing certificate /home/abuild/rpmbuild/SOURCES/_projectcert.crt
[ 5123s] Creating /home/abuild/rpmbuild/OTHER/kernel-default.cpio.rsasign

so the issue boils down to: where does _projectcert.crt come from and how is it injected into the build?

Thanks,
Pete
On Apr 10 2020, Hans-Peter Jansen wrote:
so the issue boils down to: where does _projectcert.crt come from and how is it injected into the build?
It is the project SSL cert (osc signkey --sslcert), injected by bs_worker:getsslcert.

Andreas.

--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."
On Friday, 10 April 2020, 09:25:27 CEST, Andreas Schwab wrote:
On Apr 10 2020, Hans-Peter Jansen wrote:
so the issue boils down to: where does _projectcert.crt come from and how is it injected into the build?
It is the project SSL cert (osc signkey --sslcert), injected by bs_worker:getsslcert.
Andreas,

Thanks for your reply. If I understand you correctly,

osc -A https://local-obs-server signkey TopLevelProject

should return the project's gpg key. While the Web-UI shows that one nicely, osc doesn't:

Server returned an error: HTTP Error 404: TopLevelProject no pubkey available
TopLevelProject: no pubkey available

Okay, a new key is needed (why, the whole OBS setup is new, including the gpg setup). After:

osc -A https://local-obs-server signkey --create TopLevelProject

and a project page reload(!), the key changed, and now, this dialog has got a new <SSL Cert.> button, unfortunately with a much shorter expiry date. Hopefully the kernel builds are able to pick this one up, but rebuilding the whole project is joy. :-( Will know about the outcome later today.

This leaves the question, how to generate the OBS gpg signing key in such a way in the first place, that OBS is able to generate SSL certificates directly from it?

Thanks,
Pete
On Friday, 10 April 2020, 13:32:01 CEST, Hans-Peter Jansen wrote:
On Friday, 10 April 2020, 09:25:27 CEST, Andreas Schwab wrote:
On Apr 10 2020, Hans-Peter Jansen wrote:
so the issue boils down to: where does _projectcert.crt come from and how is it injected into the build?
It is the project SSL cert (osc signkey --sslcert), injected by bs_worker:getsslcert.
Andreas, Thanks for your reply.
Prematurely sent. Sorry.

$ osc -A https://local-obs-server signkey --sslcert Some:Project
Some:Project has no key, trying TopLevelProject
Server returned an error: HTTP Error 404: _sslcert no such file
_sslcert: no such file

Rest is still valid.

Pete
Hi, On Fri, 2020-04-10 at 13:37 +0200, Hans-Peter Jansen wrote:
Prematurely sent. Sorry.
$ osc -A https://local-obs-server signkey --sslcert Some:Project
Some:Project has no key, trying TopLevelProject
Server returned an error: HTTP Error 404: _sslcert no such file
_sslcert: no such file
What do you get if you run "osc -A https://local-obs-server signkey --sslcert --create Some:Project"? Or the same command for TopLevelProject?

Regards,
Srinidhi.
On Friday, 10 April 2020, 13:40:03 CEST, Srinidhi B wrote:
Hi,
On Fri, 2020-04-10 at 13:37 +0200, Hans-Peter Jansen wrote:
Prematurely sent. Sorry.
$ osc -A https://local-obs-server signkey --sslcert Some:Project
Some:Project has no key, trying TopLevelProject
Server returned an error: HTTP Error 404: _sslcert no such file
_sslcert: no such file
What do you get if you run "osc -A https://local-obs-server signkey --sslcert --create Some:Project"? Or the same command for TopLevelProject?
Since keys are inherited from the parent project, it's unnecessary at this point, since I created a new key for TopLevelProject already. The one key per project hierarchy policy is fine for me, and I would like to avoid triggering a full rebuild again...

I really hope that it is all fine now, but the kernel build is still running, and the earlier expiry is bearable, if the OBS gods want it that way ;-)..

Cheers,
Pete
On Friday, 10 April 2020, 09:25:27 CEST, Andreas Schwab wrote:
On Apr 10 2020, Hans-Peter Jansen wrote:
so the issue boils down to: where does _projectcert.crt come from and how is it injected into the build?
It is the project SSL cert (osc signkey --sslcert), injected by bs_worker:getsslcert.
Well, almost succeeded. But the kernel build has been finished for 75 minutes:

[ 8518s] obsserver finished "build kernel-default.spec" at Fri Apr 10 13:34:27 UTC 2020.
[ 8518s]
[ 8518s] ### VM INTERACTION START ###
[ 8521s] [ 8505.440534] sysrq: Power Off
[ 8521s] [ 8505.452408] reboot: Power down
[ 8524s] ### VM INTERACTION END ###
[ 8524s] build: extracting built packages...
[ 8541s] RPMS/x86_64/kernel-default-livepatch-devel-5.6.2-2.3.x86_64.rpm
[ 8541s] RPMS/x86_64/kernel-default-debugsource-5.6.2-2.3.x86_64.rpm
[ 8541s] RPMS/x86_64/kernel-default-debuginfo-5.6.2-2.3.x86_64.rpm
[ 8541s] RPMS/x86_64/kernel-default-5.6.2-2.3.x86_64.rpm
[ 8541s] RPMS/x86_64/kernel-default-devel-debuginfo-5.6.2-2.3.x86_64.rpm
[ 8541s] RPMS/x86_64/kernel-default-devel-5.6.2-2.3.x86_64.rpm
[ 8541s] SRPMS/kernel-default-5.6.2-2.3.nosrc.rpm
[ 8541s] OTHER/rpmlint.log
[ 8541s] OTHER/kernel-source.rpmlintrc
[ 8541s] OTHER/_statistics
[ 8541s] OTHER/make-stderr.log
[ 8541s] OTHER/kernel-default.cpio.rsasign
[ 8541s] OTHER/pesign-repackage.spec

Kernel is in signing state since being finished:

$ oscl r Project:Kernel kernel-default
openSUSE_Tumbleweed  x86_64  signing
openSUSE_Leap_15.2   x86_64  building
openSUSE_Leap_15.1   x86_64  building

signer finished:

$ tail -n2 /srv/obs/log/signer.log
signing x86_64/Project:Kernel::openSUSE_Tumbleweed::kernel-default-ef6818441b37cb165bebd9b53b234a6a
waiting for an event...

since > 80 minutes:

$ stat -c%y /srv/obs/log/signer.log
2020-04-10 13:35:01.245182170 +0000
$ date
Fri Apr 10 14:58:39 UTC 2020

Relevant BSConfig.pm section:

#No package signing server
our $sign = "/usr/bin/sign";
#Extend sign call with project name as argument "--project $NAME"
#our $sign_project = 1;
#Global sign key
our $keyfile = "/srv/obs/obs-default-gpg.asc";
our $gpg_standard_key = "/srv/obs/obs-default-gpg.asc";
our $forceprojectkeys = 1;

but hey, maybe I'm too simpleminded by unifying $keyfile and $gpg_standard_key. Is $forceprojectkey still useful?

/etc/sign.conf seems to be correct.

obssigner and obssignd are up and running:

$ sc status obssignd obssigner
● obssignd.service - LSB: start the gpg sign daemon
   Loaded: loaded (/etc/init.d/obssignd; generated; vendor preset: disabled)
   Active: active (running) since Thu 2020-04-09 13:55:56 UTC; 1 day 1h ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1617 ExecStart=/etc/init.d/obssignd start (code=exited, status=0/SUCCESS)
    Tasks: 4
   CGroup: /system.slice/obssignd.service
           ├─1702 /usr/bin/perl /usr/sbin/signd -f
           ├─1745 gpg-agent --homedir /srv/obs/gnupg --use-standard-socket --daemon
           └─8314 gpg-agent --homedir /srv/obs/gnupg --use-standard-socket --daemon

Apr 09 13:55:55 obsserver systemd[1]: Starting LSB: start the gpg sign daemon...
Apr 09 13:55:56 obsserver obssignd[1617]: Starting gpg sign daemon (signd): ..done
Apr 09 13:55:56 obsserver systemd[1]: Started LSB: start the gpg sign daemon.

● obssigner.service - OBS signer service
   Loaded: loaded (/usr/lib/systemd/system/obssigner.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/obssigner.service.d
           └─10-srv-obs.conf
   Active: active (running) since Thu 2020-04-09 13:55:56 UTC; 1 day 1h ago
 Main PID: 1668 (bs_signer)
    Tasks: 2
   CGroup: /system.slice/obssigner.service
           └─1668 /usr/bin/perl -w /usr/lib/obs/server/bs_signer --logfile signer.log

Apr 09 13:55:56 obsserver systemd[1]: Started OBS signer service.

Cheers,
Pete
On Friday, 10 April 2020, 17:19:50 CEST, Hans-Peter Jansen wrote:
On Friday, 10 April 2020, 09:25:27 CEST, Andreas Schwab wrote:
On Apr 10 2020, Hans-Peter Jansen wrote:
so the issue boils down to: where does _projectcert.crt come from and how is it injected into the build?
It is the project SSL cert (osc signkey --sslcert), injected by bs_worker:getsslcert.
Well, almost succeeded.
But the kernel build has been finished for 75 minutes:
It finally succeeded. Even less pleasant than the early expiry is, this key replacement destroyed the carefully chosen user, email and comment from the original gpg key and replaced it with some jumbled artifacts.

I would love to fix the Wiki (and my setup), but I'm not willing to replace misleading/confusing information with other misleading/confusing information, as nobody would profit. OBS is such a nice piece, it deserves some love in these dark corners as well.

It boils down to: what's wrong with the manual gpg key setup, as documented in the Wiki and shown in my second mail in this thread.

Cheers,
Pete
Hi Pete,

On 10.04.20 at 19:12, Hans-Peter Jansen wrote:
It finally succeeded. Even less pleasant than the early expiry is, this key replacement destroyed the carefully chosen user, email and comment from the original gpg key and replaced it with some jumbled artifacts.
I would love to fix the Wiki (and my setup), but I'm not willing to replace misleading/confusing information with other misleading/confusing information, as nobody would profit. OBS is such a nice piece, it deserves some love in these dark corners as well.
It boils down to: what's wrong with the manual gpg key setup, as documented in the Wiki and shown in my second mail in this thread.
my local instance (appliance) is working with one 'global' sign key, but not with kernel stuff ... obviously.

tried to build wireguard, which is succeeding, but after that build a new build is started ... something with pesign.

I saw this the first time on my instance ... and it is failing:

[ 50s] + echo 'warning: No buildservice project certificate found, add'
[ 50s] warning: No buildservice project certificate found, add
[ 50s] + echo 'warning: # needssslcertforbuild to the specfile'
[ 50s] warning: # needssslcertforbuild to the specfile
[ 50s] + echo 'warning: Using /usr/lib/rpm/pesign/pesign-cert.x509 as fallback'
[ 50s] warning: Using /usr/lib/rpm/pesign/pesign-cert.x509 as fallback
[ 50s] + cert=/usr/lib/rpm/pesign/pesign-cert.x509
[ 50s] + mkdir nss-db
[ 50s] + nss_db=/home/abuild/rpmbuild/BUILD/pesign-repackage-1.0/rsasigned/nss-db
[ 50s] + echo foofoofoo
[ 50s] + certutil -N -d /home/abuild/rpmbuild/BUILD/pesign-repackage-1.0/rsasigned/nss-db -f /home/abuild/rpmbuild/BUILD/pesign-repackage-1.0/rsasigned/nss-db/passwd
[ 50s] + certutil -A -d /home/abuild/rpmbuild/BUILD/pesign-repackage-1.0/rsasigned/nss-db -f /home/abuild/rpmbuild/BUILD/pesign-repackage-1.0/rsasigned/nss-db/passwd -n cert -t CT,CT,CT -i /usr/lib/rpm/pesign/pesign-cert.x509
[ 50s] certutil: unable to open "/usr/lib/rpm/pesign/pesign-cert.x509" for reading (-5950, 2).
[ 50s] error: Bad exit status from /var/tmp/rpm-tmp.TO7vqo (%install)

so what needs to be done to make these builds work as well?

--
Christian
------------------------------------------------------------
https://join.worldcommunitygrid.org?recruiterId=177038
------------------------------------------------------------
http://www.sc24.de - Sportbekleidung
------------------------------------------------------------
Dear Christian,

On Monday, 20 April 2020, 01:00:48 CEST, Christian wrote:
Hi Pete,
On 10.04.20 at 19:12, Hans-Peter Jansen wrote:
It finally succeeded. Even less pleasant than the early expiry is, this key replacement destroyed the carefully chosen user, email and comment from the original gpg key and replaced it with some jumbled artifacts.
I would love to fix the Wiki (and my setup), but I'm not willing to replace misleading/confusing information with other misleading/confusing information, as nobody would profit. OBS is such a nice piece, it deserves some love in these dark corners as well.
It boils down to: what's wrong with the manual gpg key setup, as documented in the Wiki and shown in my second mail in this thread.
Since I'm talking mostly to myself in this thread, I'm not sure whether I'm really helpful here. Redacted: unqualified statement about Perl deleted.
my local instance (appliance) is working with one 'global' sign key, but not with kernel stuff ... obviously.
tried to build wireguard, which is succeeding, but after that build a new build is started ... something with pesign.
This is correct behavior. Building kernel related stuff is done with two passes. First builds the package itself, while the second signs it with pesign.
I saw this the first time on my instance ... and it is failing:
[ 50s] + echo 'warning: No buildservice project certificate found, add'
[ 50s] warning: No buildservice project certificate found, add
[ 50s] + echo 'warning: # needssslcertforbuild to the specfile'
[ 50s] warning: # needssslcertforbuild to the specfile
[ 50s] + echo 'warning: Using /usr/lib/rpm/pesign/pesign-cert.x509 as fallback'
[ 50s] warning: Using /usr/lib/rpm/pesign/pesign-cert.x509 as fallback
[ 50s] + cert=/usr/lib/rpm/pesign/pesign-cert.x509
[ 50s] + mkdir nss-db
[ 50s] + nss_db=/home/abuild/rpmbuild/BUILD/pesign-repackage-1.0/rsasigned/nss-db
[ 50s] + echo foofoofoo
[ 50s] + certutil -N -d /home/abuild/rpmbuild/BUILD/pesign-repackage-1.0/rsasigned/nss-db -f /home/abuild/rpmbuild/BUILD/pesign-repackage-1.0/rsasigned/nss-db/passwd
[ 50s] + certutil -A -d /home/abuild/rpmbuild/BUILD/pesign-repackage-1.0/rsasigned/nss-db -f /home/abuild/rpmbuild/BUILD/pesign-repackage-1.0/rsasigned/nss-db/passwd -n cert -t CT,CT,CT -i /usr/lib/rpm/pesign/pesign-cert.x509
[ 50s] certutil: unable to open "/usr/lib/rpm/pesign/pesign-cert.x509" for reading (-5950, 2).
[ 50s] error: Bad exit status from /var/tmp/rpm-tmp.TO7vqo (%install)
so what needs to be done to make these builds work as well?
Your signer setup seems to be lacking. Is it up:

sc status obssignd obssigner

What does:

su -s /bin/bash obsrun -c 'sign -k'

return?

Cheers,
Pete
Hi Pete,

On 20.04.20 at 10:53, Hans-Peter Jansen wrote:
Your signer setup seems to be lacking.

my signer is AFAIK only set up to use the gpg key.
Is it up: sc status obssignd obssigner
my signer is up and running and signing ... just not the 'kernel built stuff'

something missing for the kernel stuff ?
What does: su -s /bin/bash obsrun -c 'sign -k' return?
s01-obs:~ # su -s /bin/bash obsrun -c 'sign -k'
FC7784CB

what is confusing to me ...:

[ 50s] warning: No buildservice project certificate found,

I wasn't aware that I need a project 'certificate' ... and where is it on openSUSE.org ?

I can't find anything helpful in docs, wiki or READMEs ... Any help from the OBS guys would be really appreciated.

--
Christian
On Monday, 20 April 2020, 11:27:22 CEST, Christian wrote:
Hi Pete,
On 20.04.20 at 10:53, Hans-Peter Jansen wrote:
Your signer setup seems to be lacking.
my signer is AFAIK only set up to use the gpg key.
Is it up: sc status obssignd obssigner
my signer is up and running and signing ... just not the 'kernel built stuff'
Fine.
something missing for the kernel stuff ?
We will see.
What does: su -s /bin/bash obsrun -c 'sign -k' return?
s01-obs:~ # su -s /bin/bash obsrun -c 'sign -k'
FC7784CB
Fine.
what is confusing to me ...:

[ 50s] warning: No buildservice project certificate found,
I wasn't aware that I need a project 'certificate' ... and where is it on openSUSE.org ?
I can't find anything helpful in docs, wiki or READMEs ... Any help from the OBS guys would be really appreciated.
Sure, and this wouldn't be me, anyway...

Christian, please check the Overview page of your project on OBS. Does the "GPG Key / SSL Certificate" dialog provide both buttons <GPG Key> and <SSL Cert.> for you, or just the former?

Cheers,
Pete
On 20.04.20 at 11:46, Hans-Peter Jansen wrote:
Does "GPG Key / SSL Certificate" dialog provide both buttons <GPG Key> and <SSL Cert.> for you, or just the former?
Please have a look here: https://paste.opensuse.org/22077495
and here: https://paste.opensuse.org/64193109

Looks like 'SSL' is missing, isn't it ?

--
Christian
On Monday, 20 April 2020, 19:26:57 CEST, Christian wrote:
On 20.04.20 at 11:46, Hans-Peter Jansen wrote:
Does "GPG Key / SSL Certificate" dialog provide both buttons <GPG Key> and <SSL Cert.> for you, or just the former?
Please have a look here: https://paste.opensuse.org/22077495
and here: https://paste.opensuse.org/64193109
Looks like 'SSL' is missing, isn't it ?
Sure. Try

osc signkey --create TopLevelProject

After that, it should look similar to: https://paste.opensuse.org/32783830

Projects below TLP will inherit the keys. Note, this operation will rebuild large parts of your packages (but not for all targets, I wiped them in order to trigger a full rebuild).

I offered to do the ground work regarding the wiki, if only the few people that know about these inner workings would speak up. This operation should be possible on the server itself, while providing more control over the generated keys. Looks like I would need to dive into the code to explore this myself. Given that I have loads of other and more important things to do, this will not happen soon, if at all...

Anyway hth,
Pete
On Monday, 20 April 2020, 20:17:05 CEST, Hans-Peter Jansen wrote:
On Monday, 20 April 2020, 19:26:57 CEST, Christian wrote:
On 20.04.20 at 11:46, Hans-Peter Jansen wrote:
Does "GPG Key / SSL Certificate" dialog provide both buttons <GPG Key> and <SSL Cert.> for you, or just the former?
Please have a look here: https://paste.opensuse.org/22077495
and here: https://paste.opensuse.org/64193109
Looks like 'SSL' is missing, isn't it ?
Sure.
Try
osc signkey --create TopLevelProject
Hrmpf, it's:

osc signkey --sslcert --create TopLevelProject
            ^^^^^^^^^

of course, as Srinidhi pointed out.

Pete
Hi Christian, On Mon, 2020-04-20 at 19:26 +0200, Christian wrote:
Am 20.04.20 um 11:46 schrieb Hans-Peter Jansen:
Does "GPG Key / SSL Certificate" dialog provide both buttons <GPG Key> and <SSL Cert.> for you, or just the former?
Please have a look here: https://paste.opensuse.org/22077495
and here: https://paste.opensuse.org/64193109
Looks like 'SSL' is missing, isn't it ?
Yes, this is why I had requested [1] you to run "osc signkey --sslcert --create" command. This will create a SSL certificate for your project where you want to build your kernel / kernel module packages. I was replying to your previous email - I'll merge that reply here since it is related: On Mon, 2020-04-20 at 11:27 +0200, Christian wrote:
my signer is up and running and signing ... just not the 'kernel built stuff'
something missing for the kernel stuff ?
You need to create a SSL certificate for your project ... snipped because I've covered it above.
what is confusing to me ...: [ 50s] warning: No buildservice project certificate found,
I wasn't aware that I need a project 'certificate' ... and where is it on openSUSE.org ?
You should find it in the project / package page - just like Pete pointed out and you have found out that SSL certificate is missing.
I can't find anything helpful in docs, wiki or READMEs ... Any help from the OBS guys would be really apreciated.
Once you have a SSL certificate and GPG pubkey for your project, you can now attempt a kernel build. In other words, you need to make sure that the following files exist for your project on the backend:

/srv/obs/projects/<project-name>.pkg/_pubkey
/srv/obs/projects/<project-name>.pkg/_signkey
/srv/obs/projects/<project-name>.pkg/_sslcert

Now, in the spec file of your kernel (or kernel module package (KMP)), you need to make sure that you have "# needssslcertforbuild" before the preamble. For example, look at line #17 here: https://build.opensuse.org/package/view_file/openSUSE:Factory/kernel-default...

A couple of points to note:

1. If you (or a user) branch the kernel package, then the build will fail because of the missing SSL certificate. In that case, you need to remove the "# needssslcertforbuild" line from the spec file.

2. From what I've seen (I could be wrong though) local builds might fail. From the code that I've read, only bs_worker understands needssslcertforbuild. If you want to solve this, then you might have to package the certificate file along with package sources.

Hope this helps.

Regards,
Srinidhi.

[1] https://lists.opensuse.org/opensuse-buildservice/2020-04/msg00047.html
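A preflight check for the two prerequisites Srinidhi lists, written as an added example (it is neither code from this thread nor from OBS itself): it verifies that a project's backend directory carries _pubkey, _signkey and _sslcert, and that the spec's "# needssslcertforbuild" marker precedes the preamble. The backend root and the spec path are parameters; the sample tree it builds under mktemp is constructed for the demo, not a real backend.

```shell
#!/bin/sh
# Added example, not code from OBS or from this thread: a preflight for the
# pesign second pass. It assumes the backend layout described above
# (<projects_dir>/<project>.pkg/{_pubkey,_signkey,_sslcert}) and the
# "# needssslcertforbuild" marker placed before the spec preamble.

# check_project_keys <projects_dir> <project>
# Reports every missing or empty key file; exit status is the number missing
# (0 means the project has all three).
check_project_keys() {
    pkgdir="$1/$2.pkg"
    missing=0
    for f in _pubkey _signkey _sslcert; do
        if [ ! -s "$pkgdir/$f" ]; then
            echo "$2: missing $pkgdir/$f"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# spec_needs_sslcert <specfile>
# Exit 0 only if "# needssslcertforbuild" appears before the first preamble
# tag (Name:/Version:/Release:/Summary:), which is the placement the thread
# calls for; a marker after the preamble is reported as absent.
spec_needs_sslcert() {
    awk '
        /^#[ \t]*needssslcertforbuild/           { found = 1; exit }
        /^(Name|Version|Release|Summary)[ \t]*:/ { exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# preflight <projects_dir> <project> <specfile>
# Exit 0 only when the spec requests the cert and the project can supply it.
preflight() {
    if ! spec_needs_sslcert "$3"; then
        echo "$3: no '# needssslcertforbuild' before the preamble; bs_worker will not inject the project cert"
        return 1
    fi
    check_project_keys "$1" "$2"
}

# Constructed sample tree (not a real backend) so the example runs offline.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/projects/Ready.pkg" "$tmp/projects/Partial.pkg"
    for f in _pubkey _signkey _sslcert; do
        echo "constructed $f" > "$tmp/projects/Ready.pkg/$f"
    done
    echo "constructed _pubkey" > "$tmp/projects/Partial.pkg/_pubkey"
    printf '#\n# needssslcertforbuild\n#\nName:           kernel-default\n' > "$tmp/kernel.spec"
    printf 'Name:           foo\n# needssslcertforbuild\n' > "$tmp/late.spec"

    preflight "$tmp/projects" Ready   "$tmp/kernel.spec" && echo "Ready: ok"
    preflight "$tmp/projects" Partial "$tmp/kernel.spec" || echo "Partial: not ready for the pesign pass"
    preflight "$tmp/projects" Ready   "$tmp/late.spec"   || echo "late.spec: marker in the wrong place"
    rm -rf "$tmp"
}

demo
```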
Hi,

On 20.04.20 at 20:19, Srinidhi B wrote:
Yes, this is why I had requested [1] you to run "osc signkey --sslcert --create" command. This will create a SSL certificate for your project where you want to build your kernel / kernel module packages.

is it possible to have a global SSL certificate like I do have already with the GPG key ?
will this command also create a GPG key for that project or only the SSL certificate ?

Why do 'kernel stuff' need to have a x509 cert for signing, while for other packages it is fine to have just a GPG key ?

--
Christian
Hi Christian, On Mon, 2020-04-20 at 20:58 +0200, Christian wrote:
Hi,
On 20.04.20 at 20:19, Srinidhi B wrote:
Yes, this is why I had requested [1] you to run "osc signkey --sslcert --create" command. This will create a SSL certificate for your project where you want to build your kernel / kernel module packages.
is it possible to have a global SSL certificate like I do have already with the GPG key ?
Not unless you use BSConfig::project_sign setting. You could do one thing (although, I'm not sure whether this is a good recommendation): As I already shared which files are necessary per project, just copy your global key as /srv/obs/projects/$PROJECT.pkg/_pubkey and similarly, your certificate as _sslkey. Do remember that you need to do this for *each* project where you are building kernel stuff.
will this command also create a GPG key for that project or only the SSL certificate ?
It won't create a GPG key pair if you already have a GPG key (that _pubkey file) for that project. The SSL certificate is *signed* using your GPG pubkey. Hence, a GPG key pair is created if it doesn't exist before creating a SSL certificate.
Why do 'kernel stuff' need to have a x509 cert for signing, while for other packages it is fine to have just a GPG key ?
It is needed by pesign (the "second build" that you observed earlier) to sign the kernel (and kernel modules) with the same key so that kernel is not tainted when booting in secure mode (or even in case of trusted boot). Regards, Srinidhi.
Hi Srinidhi,

On 20.04.20 at 21:41, Srinidhi B wrote:
Hi Christian,
is it possible to have a global SSL certificate like I do have already with the GPG key ?
Not unless you use BSConfig::project_sign setting.

Not sure what you mean, but currently using (BSConfig.pm):
#No package signing server
our $sign = "/usr/bin/sign";
#Extend sign call with project name as argument "--project $NAME"
#our $sign_project = 1;
#Global sign key
our $keyfile = "/srv/obs/Wittmer_Software.asc";
our $gpg_standard_key = "/srv/obs/Wittmer_Software.asc";
You could do one thing (although, I'm not sure whether this is a good recommendation):
As I already shared which files are necessary per project, just copy your global key as /srv/obs/projects/$PROJECT.pkg/_pubkey and similarly, your certificate as _sslkey. Do remember that you need to do this for *each* project where you are building kernel stuff.
will this command also create a GPG key for that project or only the SSL certificate ?
It won't create a GPG key pair if you already have a GPG key (that _pubkey file) for that project. The SSL certificate is *signed* using your GPG pubkey. Hence, a GPG key pair is created if it doesn't exist before creating an SSL certificate.
Based on my above config, I guess that's why I don't have a '_pubkey' there, and further guessing that this project will then get a new 'project based' GPG and SSL key/cert.
How can I achieve that every built package (except the kernel stuff) is signed by my global GPG key ?
Why does 'kernel stuff' need to have an x509 cert for signing, while for other packages it is fine to have just a GPG key ?
It is needed by pesign (the "second build" that you observed earlier) to sign the kernel (and kernel modules) with the same key so that the kernel is not tainted when booting in secure mode (or even in case of trusted boot).
I guess the SSL cert is a 'self-signed' one ... how is it trustworthy later ?
-- Christian
Hi Christian, On Tue, 2020-04-21 at 09:17 +0200, Christian wrote:
Not unless you use BSConfig::project_sign setting.
Not sure what you mean, but currently using (BSConfig.pm):
#No package signing server
our $sign = "/usr/bin/sign";
#Extend sign call with project name as argument "--project $NAME"
#our $sign_project = 1;
Oops! I actually meant, $sign_project.
Based on my above config, I guess that's why I don't have a '_pubkey' there, and further guessing that this project will then get a new 'project based' GPG and SSL key/cert.
As I mentioned earlier, you could copy your /srv/obs/Wittmer_Software.asc over to /srv/obs/projects/$PROJECT.pkg/_pubkey and then run "osc signkey --sslcert --create $PROJECT" to create an _sslcert file signed using the _pubkey. BTW, you still need to make sure that all your projects have a _pubkey file in their corresponding /srv/obs/projects/$PROJECT.pkg/ directory or else local builds using "osc build" will fail when RPMs are verified. This is what we have to do for every new project we create.
How can I achieve that every built package (except the kernel stuff) is signed by my global GPG key ?
In the same project? Not possible, from what I know. You could, however, build kernel stuff in a separate project and use those binaries in your package.
I guess the SSL cert is a 'self-signed' one ... how is it trustworthy later ?
Disclaimer: I'm not an expert. I could be saying something incomplete and even incorrect. For this to work correctly, you need to build the entire bootloader stack - shim, grub2, kernel, etc. - with your SSL certificate. For secure boot to succeed, your SSL certificate will need to be signed by Microsoft - as explained by coolo on the other thread [1]. But adding your "self-signed" certificate to EFI's shell (using MOKUtil), at least, lets everything above the EFI shell know that it can be trusted - to some extent.
Regards, Srinidhi.
[1] https://lists.opensuse.org/opensuse-buildservice/2020-04/msg00080.html
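As an added example (not code from the thread, from OBS or from osc), a small shell check that walks the per-project directory layout Srinidhi describes and reports which projects lack the _pubkey every project needs for "osc build" verification and the _sslcert that kernel projects need for pesign. It assumes the /srv/obs/projects/$PROJECT.pkg layout from the thread; the root directory is a parameter and the sample tree with placeholder key files is constructed, so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from OBS itself.
# Walks an OBS projects directory (the thread's /srv/obs/projects layout,
# one $PROJECT.pkg directory per project) and reports which projects lack
# the _pubkey every project needs for "osc build" verification and the
# _sslcert that kernel/kernel-module projects need for pesign.
# The root directory is a parameter so the check can run on a test tree.

# check_signkeys <projects-root>
# Prints "<project> <state>" per project, where state is one of
# ok, missing-sslcert, missing-pubkey, missing-both.
# Returns 1 if any project lacks _pubkey (a hard failure for osc build),
# 0 otherwise; a missing _sslcert is reported but not fatal, since only
# projects building kernel stuff need it.
check_signkeys() {
    root="$1"
    status=0
    for dir in "$root"/*.pkg; do
        [ -d "$dir" ] || continue
        project=$(basename "$dir" .pkg)
        have_pub=0
        have_ssl=0
        [ -s "$dir/_pubkey" ] && have_pub=1
        [ -s "$dir/_sslcert" ] && have_ssl=1
        if [ "$have_pub" -eq 1 ] && [ "$have_ssl" -eq 1 ]; then
            state=ok
        elif [ "$have_pub" -eq 1 ]; then
            state=missing-sslcert
        elif [ "$have_ssl" -eq 1 ]; then
            state=missing-pubkey
        else
            state=missing-both
        fi
        [ "$have_pub" -eq 1 ] || status=1
        printf '%s %s\n' "$project" "$state"
    done
    return "$status"
}

# make_sample_tree <dir>: builds a constructed tree with dummy key files
# (placeholder contents, not real keys) to demonstrate the report.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/home:alice.pkg" "$base/Kernel:stable.pkg" "$base/Bare.pkg"
    printf 'constructed placeholder pubkey\n' > "$base/home:alice.pkg/_pubkey"
    printf 'constructed placeholder pubkey\n' > "$base/Kernel:stable.pkg/_pubkey"
    printf 'constructed placeholder cert\n' > "$base/Kernel:stable.pkg/_sslcert"
}
```

Run it against a real instance as `check_signkeys /srv/obs/projects`; a non-zero exit means at least one project will fail RPM verification in "osc build" until its _pubkey is put in place.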
On Monday, 20 April 2020, 20:58:12 CEST, Christian wrote:
Hi,
On 20.04.20 at 20:19, Srinidhi B wrote:
Yes, this is why I had requested [1] you to run the "osc signkey --sslcert --create" command. This will create an SSL certificate for your project where you want to build your kernel / kernel module packages.
is it possible to have a global SSL certificate like I do have already with the GPG key ?
This is the gap that I've tried to close.
will this command also create a GPG key for that project or only the SSL certificate ?
It will create both, and consequently revert your global GPG key settings. This is the reason why I'm *unhappy* with this procedure.
Why does 'kernel stuff' need to have an x509 cert for signing, while for other packages it is fine to have just a GPG key ?
It's because of the shim/mokutil security circus, I guess..
Pete