[opensuse-buildservice] Package signing keys
Hi all,

we're using our own deployment of the Open Build Service to package our software. Unfortunately we used a very weak key in the past to sign our packages. This key is stored within GPG of the root user of the deployment.

We would now like to increase the security of this package signing key. Currently we're using a 1024 bit RSA key and we would like to use a 4096 bit RSA key, as other mechanisms do not seem to be supported on the Linux distributions we want to build packages for.

Is there a possibility to store two package signing keys in the root user of the deployment and then select one of the two keys for a given project? This would allow us to still maintain old releases of our software with patches - always built in separate projects - with the old package signing key, while we can sign packages of a new release with a 4096 bit RSA key. I read about the possibility to create a key for a project, but we need a key for several projects. Is this possible somehow?

-- 
kind regards,
Marcus Klein
Release Management
Email: marcus.klein@open-xchange.com
Open-Xchange AG, Rollnerstr. 14, 90408 Nuremberg
On Wed, Apr 08, 2020 at 01:37:10PM +0200, Marcus Klein wrote:
> we're using our own deployment of the Open Build Service to package our software. Unfortunately we used a very weak key in the past to sign our packages. This key is stored within GPG of the root user of the deployment.
I assume this means that you have one key for every project in the build service.
> We would now like to increase the security of this package signing key. Currently we're using a 1024 bit RSA key and we would like to use a 4096 bit RSA key, as other mechanisms do not seem to be supported on the Linux distributions we want to build packages for.
>
> Is there a possibility to store two package signing keys in the root user of the deployment and then select one of the two keys for a given project? This would allow us to still maintain old releases of our software with patches - always built in separate projects - with the old package signing key, while we can sign packages of a new release with a 4096 bit RSA key. I read about the possibility to create a key for a project, but we need a key for several projects. Is this possible somehow?
You can use a custom sign script to do that. Change your BSConfig.pm to include:

    our $sign = '/path/to/your/sign/script';
    our $sign_project = 1;

If $sign_project is set, $sign will be called with a --project option that contains the project name of the files that need to be signed. Your sign script could look like this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#!/bin/bash
# With $sign_project set, the signer passes "--project <name>" first.
if test "X$1" != "X--project" -o -z "$2" ; then
  echo "must have --project argument" >&2
  exit 1
fi
projid="$2"
shift 2
if test "X$1" = X-P ; then
  # signing with a project specific key: hand the call over unchanged
  exec /usr/bin/sign "$@"
fi
# choose the key by project name; without a match the default key is used
args=
case $projid in
  XXX*) args="-u somekey@somemail" ;;
esac
exec /usr/bin/sign $args "$@"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Cheers,
  Michael.

-- 
Michael Schroeder                 SUSE Software Solutions Germany GmbH
mls@suse.de                       GF: Felix Imendoerffer HRB 36809, AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
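As an added example (not Michael's script and not part of the OBS sources), here is a variant of the same wrapper written for the situation in the question: only an explicit allow-list of maintenance projects keeps the old 1024 bit key, and every other project is signed with the new 4096 bit key by default, so a newly created project cannot silently fall back to the weak key. The key IDs and project names are placeholders.

```shell
#!/bin/sh
# Added example of a $sign hook for BSConfig.pm with $sign_project = 1.
# Key IDs and project name patterns are assumptions, not real values.
LEGACY_KEY="old1024@example.com"    # assumed ID of the old 1024 bit RSA key
NEW_KEY="release4096@example.com"   # assumed ID of the new 4096 bit RSA key

# Map a project name to the "-u <keyid>" arguments for /usr/bin/sign.
# Only the listed maintenance projects keep the legacy key; everything
# else, including unknown projects, gets the new key.
key_args_for_project() {
    case "$1" in
        MyProduct:Maintenance:6.*|MyProduct:Maintenance:7.*)
            echo "-u $LEGACY_KEY" ;;
        *)
            echo "-u $NEW_KEY" ;;
    esac
}

# Handle the "--project <name>" prefix that the signer prepends when
# $sign_project is set; returns 1 (signing nothing) when it is missing.
sign_wrapper() {
    if [ "$1" != "--project" ] || [ -z "$2" ]; then
        echo "must have --project argument" >&2
        return 1
    fi
    projid="$2"
    shift 2
    if [ "$1" = "-P" ]; then
        # a project-specific key is in use: pass the call through unchanged
        exec /usr/bin/sign "$@"
    fi
    # unquoted on purpose so "-u <keyid>" becomes two arguments
    exec /usr/bin/sign $(key_args_for_project "$projid") "$@"
}

# Only act when invoked by the signer with arguments.
if [ "$#" -gt 0 ]; then
    sign_wrapper "$@"
fi
```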