[opensuse-buildservice] Package/Product/Repository Signing
All,

I have been working to get all of the signing capabilities working on a local OBS instance. Are there any notes or documents anyone could share on getting this working? Most of the material I have found is simply an outline.

I have also tested against a home project in the public instance and it's unclear how the osc signkey --create should be working since I get either a zero or 256 return code but no changes are made to the keys.

Thx
Steve

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
Hey,

On 04.05.2017 18:51, Steve Hertz wrote:
> I have been working to get all of the signing capabilities working on a local OBS instance. Are there any notes or documents anyone could share on getting this working?

man sign
man signd
man sign.conf

have helped me a lot recently...

Henne
--
Henne Vogelsang
http://www.opensuse.org
Everybody has a plan, until they get hit. - Mike Tyson
All,

Thanks for the pointers, here is where I'm at. I started to make changes in the local OBS because Firefox 53 and Chrome 58 no longer allow self-signed certificates to be used. They have eliminated the option of adding security exceptions as a workaround in their latest version. It's a good change from a security perspective but that impacted the interface to the repositories etc. I made all of those changes using an "unpublished" root certificate and certificate bundle so it doesn't add cost to running the OBS instance.

I have delayed making changes to the key management as long as possible but I need to tighten down security and not put it off any longer. I created scripts that build all of the keys I need and modified the BSConfig.pm, sign.conf etc. Using gpg the key ids etc. seem to be correct and install into the standard OBS phrases but I may have missed something the OBS checks. It looks like the obssignd comes up and runs properly with no issues using "systemctl status obssignd".

One of the problems left is the obssigner. It simply fails with no indication of why; I have probably misconfigured something in all of the changes. I'm using "systemctl status obssigner" and starting to dig through the code for bs_signer. I'm open to suggestions on what might be wrong to get this done faster since package builds now hang in the signing process. The next issue will be adding links to download and manage different keys for each part of the deployment process.

This section didn't go out to the list, operator error.
----------------------------------------------
The problem I found was the BSConfig.pm didn't copy correctly and the line

    our $sign = "/usr/bin/sign --project $NAME";

was missing. It would be a great help if bs_signer line 598 had something like

    die("sign program is not configured!\nCheck BSConfig:sign=\n") unless $BSConfig::sign;
In BSConfig.pm the comment says to add

    our $sign = "/usr/bin/sign --project $NAME";

When configured this way the signer.log shows:

    Use of uninitialized value $BSConfig::NAME in concatenation (.) or string at /usr/lib/obs/server/BSConfig.pm line 153

Any idea what is the proper way to configure BSConfig.pm to support package, product and repository signing? So I took out that line and used

    our $sign = "/usr/bin/sign"

I tried to force a rebuild of all the packages in the OBS to ensure they were resigned by one of the new keys.

    $ osc rebuildpac --all

In the signer log I get the following messages back to back.

    signing x86_64/{packagename}-e31bbd4d739a3637d3fc343a831c70e4
    usage: sign [-c|-d|-r] [-u user] <file>

I'm not sure where the configuration is failing. Any thoughts?

Thx
Steve

On 5/5/2017 4:04 AM, Henne Vogelsang wrote:
> Hey,
>
> On 04.05.2017 18:51, Steve Hertz wrote:
>> I have been working to get all of the signing capabilities working on a local OBS instance. Are there any notes or documents anyone could share on getting this working?
>
> man sign
> man signd
> man sign.conf
>
> have helped me a lot recently...
>
> Henne
On Friday, 5 May 2017, 09:39:54 CEST, Steve Hertz wrote:
...
> In BSConfig.pm the comment says to add "our $sign = "/usr/bin/sign --project $NAME";", when configured this way the signer.log shows "Use of uninitialized value $BSConfig::NAME in concatenation (.) or string at /usr/lib/obs/server/BSConfig.pm line 153". Any idea what is the proper way to configure BSConfig.pm to support package, product and repository signing? So I took out that line and used "our $sign = "/usr/bin/sign"

That is correct and our default. The --project option is only useful when using wrapper scripts.

This configuration should be enough to do the signing, but test manually using the "sign" command as the obsrun user to verify that it works.

--
Adrian Schroeter
email: adrian@suse.de
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany
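A small pre-flight check, added here and not part of OBS or of anything posted in this thread, that catches the two BSConfig.pm failure modes described above (no active `our $sign` line, which makes bs_signer fail without a message, and a `--project $NAME` reference with no `$NAME` defined, which produces the "uninitialized value" warning) and extracts the configured program path so it can be tried by hand as the obsrun user, as suggested. The BSConfig.pm path in the usage line is an assumption.

```shell
#!/bin/sh
# check_obs_sign.sh: sanity-check the "our $sign" setting in an OBS BSConfig.pm.
# Added example, not OBS code. check_sign_config prints one of:
#   missing - no active "our $sign = ..." line (bs_signer then fails with no message)
#   badname - the line references $NAME but BSConfig.pm never defines "our $NAME"
#             (the "uninitialized value $BSConfig::NAME" warning from the thread)
#   ok      - a usable sign command line is configured
check_sign_config() {
    cfg="$1"
    # The last uncommented assignment wins, as it would when Perl loads the file.
    line=$(grep -E '^[[:space:]]*our[[:space:]]+\$sign[[:space:]]*=' "$cfg" | tail -n 1)
    if [ -z "$line" ]; then
        echo missing
        return 1
    fi
    case "$line" in
        *'$NAME'*)
            if ! grep -qE '^[[:space:]]*our[[:space:]]+\$NAME[[:space:]]*=' "$cfg"; then
                echo badname
                return 1
            fi ;;
    esac
    echo ok
}

# Extract the program path (first word inside the quotes) so it can be tried by hand.
sign_program() {
    grep -E '^[[:space:]]*our[[:space:]]+\$sign[[:space:]]*=' "$1" | tail -n 1 |
        sed -E 's/^[^"]*"([^" ]+).*/\1/'
}

# Usage: sh check_obs_sign.sh /usr/lib/obs/server/BSConfig.pm   (path is an assumption)
if [ "$#" -eq 1 ]; then
    status=$(check_sign_config "$1") || true
    echo "sign config: $status"
    if [ "$status" = ok ]; then
        prog=$(sign_program "$1")
        if [ -x "$prog" ]; then
            echo "sign program $prog is executable; run it by hand as the obsrun user to verify signing works"
        else
            echo "sign program $prog is missing or not executable"
        fi
    fi
fi
```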