[opensuse-buildservice] Exporting OBS Package Signing Key
Hi, hoping somebody on the list can help me with a problem I'm trying to solve.

I am currently using OBS to build RPMs for a variety of architectures I need to support. However, I also have some RPMs that are built by Jenkins. Ideally, I would like to be able to have the packages built by Jenkins signed using the private GPG key in use under OBS and collect them under a single YUM repo. I have found what I believe to be the signing (private GPG) key on OBS:

/obs/projects/<my-project>/_signkey

However, it is not in the format I expected (i.e. with a '-----BEGIN PGP PRIVATE KEY BLOCK-----' header followed by a chunk of base64); it is simply a long string of hexadecimal chars. So, this has left me with two questions:

1. Is this indeed the OBS key used to sign my RPMs under this project?
2. If so, how can I export this _signkey to a GPG format I can use with rpm --addsign?

Any help would be greatly appreciated.

Many Thanks

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
On Friday, 30 January 2015, 08:41:57, Nick Walter wrote:
> Hi, hoping somebody on the list can help me with a problem I'm trying to solve.
>
> I am currently using OBS to build RPMs for a variety of architectures I need to support. However, I also have some RPMs that are built by Jenkins. Ideally, I would like to be able to have the packages built by Jenkins signed using the private GPG key in use under OBS and collect them under a single YUM repo. I have found what I believe to be the signing (private GPG) key on OBS:
>
> /obs/projects/<my-project>/_signkey
>
> However, it is not in the format I expected (i.e. with a '-----BEGIN PGP PRIVATE KEY BLOCK-----' header followed by a chunk of base64); it is simply a long string of hexadecimal chars. So, this has left me with two questions:
>
> 1. Is this indeed the OBS key used to sign my RPMs under this project?

Yes, but it is itself encrypted with the OBS master key. (This allows keeping the master key on a specially protected system, but you can still back up the backend server with the keys.)

> 2. If so, how can I export this _signkey to a GPG format I can use with rpm --addsign?

Decrypt it with your instance master key.

--
Adrian Schroeter email: adrian@suse.de
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany
On Fri, Jan 30, 2015 at 09:56:28AM +0100, Adrian Schröter wrote:
> On Friday, 30 January 2015, 08:41:57, Nick Walter wrote:
> > Hi, hoping somebody on the list can help me with a problem I'm trying to solve.
> >
> > I am currently using OBS to build RPMs for a variety of architectures I need to support. However, I also have some RPMs that are built by Jenkins. Ideally, I would like to be able to have the packages built by Jenkins signed using the private GPG key in use under OBS and collect them under a single YUM repo. I have found what I believe to be the signing (private GPG) key on OBS:
> >
> > /obs/projects/<my-project>/_signkey
> >
> > However, it is not in the format I expected (i.e. with a '-----BEGIN PGP PRIVATE KEY BLOCK-----' header followed by a chunk of base64); it is simply a long string of hexadecimal chars. So, this has left me with two questions:
> >
> > 1. Is this indeed the OBS key used to sign my RPMs under this project?
>
> Yes, but it is itself encrypted with the OBS master key. (This allows keeping the master key on a specially protected system, but you can still back up the backend server with the keys.)
>
> > 2. If so, how can I export this _signkey to a GPG format I can use with rpm --addsign?
>
> Decrypt it with your instance master key.

You could also use the OBS sign binary instead of rpm --addsign.

Cheers,
Michael

--
Michael Schroeder mls@suse.de
SUSE LINUX GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
Thanks for the response, Adrian. I'm afraid I'm not quite over the line with this problem and hoping you can clear up the remaining issues I have.

Using the information at this link [https://en.opensuse.org/openSUSE:Build_Service_Signer], I have examined the following files on our OBS host and included what I believe to be the relevant lines below:

### /usr/lib/obs/server/BSConfig.pm ###
#No package signing server
our $sign = "/usr/bin/sign";
#Extend sign call with project name as argument "--project $NAME"
#our $sign_project = 1;
#Global sign key
our $keyfile = "/obs/obs-default-gpg.asc";
#Create a key by default for new projects, if top level have not one
our $forceprojectkeys = 1;

### /etc/sign.conf ###
user: defaultkey@localobs
server: 127.0.0.1
allowuser: obsrun
allow: 127.0.0.1
phrases: /obs/gnupg/phrases

Based on the configuration in /etc/sign.conf, I located the GPG key with the matching e-mail (defaultkey@localobs) and attempted to decrypt the desired project signing key:

$ gpg --homedir /obs/gnupg --decrypt _signkey
gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: Unknown system error

My experience with GPG is limited, but the error to me suggests that the file is not of the format expected. As mentioned in my last post, the content of the _signkey is simply a long string of hexadecimal chars:

$ file _signkey
_signkey: ASCII text, with very long lines

Whereas the output of a test file encrypted with the above GPG key produces the following file output:

$ file test.gpg
test.gpg: data

To compound the problem, despite the clues in the configuration files, I'm not sure that the key I have located is in fact the master key. The content of the public key '/obs/obs-default-gpg.asc' ($keyfile listed in /usr/lib/obs/server/BSConfig.pm) differs from the public key exported from what I believe should be the master signing key (user: defaultkey@localobs listed in /etc/sign.conf):

gpg --homedir /obs/gnupg --export --armor defaultkey@localobs

Apologies if I am missing something obvious. Any further help would be greatly appreciated.

Thanks

On Fri, Jan 30, 2015 at 8:56 AM, Adrian Schröter <adrian@suse.de> wrote:
> On Friday, 30 January 2015, 08:41:57, Nick Walter wrote:
> > Hi, hoping somebody on the list can help me with a problem I'm trying to solve.
> >
> > I am currently using OBS to build RPMs for a variety of architectures I need to support. However, I also have some RPMs that are built by Jenkins. Ideally, I would like to be able to have the packages built by Jenkins signed using the private GPG key in use under OBS and collect them under a single YUM repo. I have found what I believe to be the signing (private GPG) key on OBS:
> >
> > /obs/projects/<my-project>/_signkey
> >
> > However, it is not in the format I expected (i.e. with a '-----BEGIN PGP PRIVATE KEY BLOCK-----' header followed by a chunk of base64); it is simply a long string of hexadecimal chars. So, this has left me with two questions:
> >
> > 1. Is this indeed the OBS key used to sign my RPMs under this project?
>
> Yes, but it is itself encrypted with the OBS master key. (This allows keeping the master key on a specially protected system, but you can still back up the backend server with the keys.)
>
> > 2. If so, how can I export this _signkey to a GPG format I can use with rpm --addsign?
>
> Decrypt it with your instance master key.
>
> --
> Adrian Schroeter email: adrian@suse.de
> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany
Hi, I would greatly appreciate it if someone could please explain to me the following:

I understand that each project signing key is encrypted with the OBS master key. However, the project signing key (/obs/projects/<my-project>/_signkey) does not appear to be in either ASCII-armoured or binary OpenPGP format: it is simply a series of hexadecimal chars. How do I decrypt this key? I receive the following error when attempting to decrypt the project key with the master key:

# gpg --homedir . --decrypt /obs/projects/my_project/_signkey
gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: Unknown system error

Is there some encoding applied to this file that I need to decode prior to decryption with GPG? Am I missing some option with my GPG invocation? I've scoured the web/mailing list/available documentation and hit a wall. Any clues?

Thanks
Nick Walter <smtp.nw@gmail.com> writes:
> How do I decrypt this key? I receive the following error when attempting to decrypt the project key with the master key:
>
> # gpg --homedir . --decrypt /obs/projects/my_project/_signkey
> gpg: no valid OpenPGP data found.
> gpg: decrypt_message failed: Unknown system error

Try this:

$ perl -e '$_ = <>; $l = length($_)/2; print pack("H2" x $l, unpack("A2" x $l))' < /obs/projects/my_project/_signkey | gpg --homedir . --decrypt > signkey

Andreas.

--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."
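The hex-decode-then-gpg pipeline Andreas gives above, as an added Python example (not code from the thread or from OBS): it decodes the _signkey file to bytes, checks that the result begins with an OpenPGP session-key packet before handing it to gpg --decrypt, and so explains why the un-decoded file produces "no valid OpenPGP data found". The function names (decode_signkey, openpgp_packet_tag, looks_like_encrypted_message, decrypt_signkey) and the claim that _signkey is the hex encoding of gpg output are my assumptions drawn from the thread; the sample hex is constructed.

```python
import re
import subprocess
from pathlib import Path

# Assumption from the thread: OBS stores _signkey as the hex encoding of the
# master-key-encrypted OpenPGP data, so gpg accepts it only after decoding.
HEX_RE = re.compile(rb"\A[0-9a-fA-F]+\s*\Z")


def decode_signkey(raw: bytes) -> bytes:
    """Return binary OpenPGP data from the contents of a _signkey file.

    Hex text is decoded; armored or already-binary input is returned as-is.
    """
    if raw.startswith(b"-----BEGIN PGP"):
        return raw
    if HEX_RE.match(raw):
        text = raw.strip().decode("ascii")
        if len(text) % 2:
            raise ValueError("odd number of hex digits in _signkey")
        return bytes.fromhex(text)
    return raw


def openpgp_packet_tag(data: bytes) -> int:
    """Tag of the first OpenPGP packet (RFC 4880 4.2), or -1 if not a packet."""
    if not data or not data[0] & 0x80:  # bit 7 is set on every packet header
        return -1
    first = data[0]
    if first & 0x40:                     # new-format header: tag in low 6 bits
        return first & 0x3F
    return (first >> 2) & 0x0F           # old-format header: tag in bits 5..2


def looks_like_encrypted_message(data: bytes) -> bool:
    """An OpenPGP encrypted message starts with a session-key packet:
    tag 1 (public-key encrypted) or tag 3 (symmetric-key encrypted)."""
    return openpgp_packet_tag(data) in (1, 3)


def decrypt_signkey(signkey_path: str, homedir: str, out_path: str) -> int:
    """Decode _signkey and pipe it into gpg --decrypt; returns gpg's exit code."""
    data = decode_signkey(Path(signkey_path).read_bytes())
    if not looks_like_encrypted_message(data):
        raise ValueError("decoded _signkey is not an OpenPGP encrypted message")
    with open(out_path, "wb") as out:
        proc = subprocess.run(
            ["gpg", "--homedir", homedir, "--decrypt"], input=data, stdout=out
        )
    return proc.returncode
```

Running the packet check on the raw hex text returns -1 (the first byte is an ASCII digit), which is the same condition gpg reports as "no valid OpenPGP data found".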