Mailinglist Archive: opensuse-buildservice (349 mails)

Re: [opensuse-buildservice] How can i setup package signing on local obs?
  • From: Michael Schroeder <mls@xxxxxxx>
  • Date: Fri, 23 Nov 2007 16:15:22 +0100
  • Message-id: <20071123151522.GA17868@xxxxxxx>
On Fri, Nov 23, 2007 at 03:41:34PM +0100, Carsten Schoene wrote:

> Can someone explain how to set up the signd & sign program on a local bs setup?
>
> I got the daemon running, and the sign program connects but then hangs,
> while the signd starts some subprocesses and nothing happens.

Hmm, it shouldn't hang, might be some obscure bug in signd.

> I'm not sure where to place the key files used for signing, maybe someone
> can bring some light into the darkness ;)

The setup is like this:

You have a host that the build service runs on and another host
(high security) that only runs the signd daemon and nothing else.
This host is typically on some dedicated network so that it can
only be reached by the build service. And sshd and the like are
turned off, so that you need console access if you want in.
This is because the host contains the private keys plus the
passphrases, and you do not want anyone to be able to obtain this
sensitive information.

Configuration is like this:

/etc/sign.conf for the build service host:

server: <private ip>
user: buildservice@xxxxxxxxxx
allowuser: bsrun

/etc/sign.conf for the sign server:

allow: <ip of build service>
phrases: /root/.phrases

The /root/.phrases directory should contain a "buildservice@xxxxxxxxxx"
file containing the needed passphrase.
The installed gpg must include the "patches-are-digest" patch, gpg
from SL10.2 works. (Unfortunately 10.3 ships with gpg2, which doesn't
include the patch yet.)


Michael Schroeder mls@xxxxxxx
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
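
A check for the layout described in this mail, as an added example that is not part of the original message and not code from the build service project: it parses the two sign.conf files in the "key: value" form shown above and verifies that the phrases directory holds a passphrase file named after the configured user. The group/other permission test, the function names, the IP addresses and the key user are assumptions constructed for the example.

```python
import os, stat, tempfile

def parse_sign_conf(text):
    # "key: value" lines as shown in the mail; repeated keys accumulate.
    conf = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def too_open(path):
    # Assumption added here: secrets must not be accessible to group/other.
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def audit_sign_server(server_conf, client_conf):
    # Returns a list of findings; an empty list means the checks passed.
    server, client = parse_sign_conf(server_conf), parse_sign_conf(client_conf)
    findings = []
    if not server.get("allow"):
        findings.append("no 'allow:' line on the sign server")
    phrases = (server.get("phrases") or [""])[0]
    if not os.path.isdir(phrases):
        return findings + ["phrases directory missing or not configured"]
    if too_open(phrases):
        findings.append("phrases directory accessible to group/other")
    for user in client.get("user", []):
        path = os.path.join(phrases, user)
        if not os.path.isfile(path):
            findings.append("no passphrase file for " + user)
        elif too_open(path):
            findings.append("passphrase file for %s accessible to group/other" % user)
    return findings

def demo():
    # Constructed sample data: documentation IPs and a placeholder key user.
    user = "buildservice@example.invalid"
    phrases = os.path.join(tempfile.mkdtemp(), "phrases")
    os.mkdir(phrases)
    os.chmod(phrases, 0o755)
    secret = os.path.join(phrases, user)
    with open(secret, "w") as fh:
        fh.write("constructed-passphrase\n")
    os.chmod(secret, 0o644)
    client = "server: 192.0.2.10\nuser: %s\nallowuser: bsrun\n" % user
    server = "allow: 192.0.2.20\nphrases: %s\n" % phrases
    before = audit_sign_server(server, client)
    os.chmod(phrases, 0o700)
    os.chmod(secret, 0o600)
    return before, audit_sign_server(server, client)
```

demo() returns the findings for a loosely permissioned constructed layout and then for the same layout after tightening the modes.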