Hi Michael,

is there a plan to provide "sign" with the obs-server RPM package? I did get it only while extracting it from SOURCE. You're talking about gpg2 and a patch. Do I have to build a newer gpg for SLES10 SP2?

Thanks for your help

Kind Regards
Chris

Michael Schroeder wrote:
The setup is like this:

You have a host where the build service runs on and another host (high security) that only runs the signd daemon and nothing else. This host is typically on some dedicated network so that it can only be reached by the build service. And sshd and the like is turned off, so that you need console access if you want in. This is because the host contains the private keys plus the passphrases, you do not want that someone can obtain this sensitive information.

Configuration is like this:

/etc/sign.conf for the build service host:

    server: <private ip>
    user: buildservice@myhost.com
    allowuser: bsrun

/etc/sign.conf for the sign server:

    allow: <ip of build service>
    phrases: /root/.phrases

The /root/.phrases directory should contain a "buildservice@myhost.com" file containing the needed passphrase. The installed gpg must include the "patches-are-digest" patch, gpg from SL10.2 works. (Unfortunately 10.3 ships with gpg2, which doesn't include the patch yet.)

Cheers,
  Michael.
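Added example (not part of the original e-mail and not obs-sign code): a small Python check that the `user:` configured on the build service host has a matching passphrase file under the sign server's `phrases:` directory, and that the directory and file are not accessible to group or others. It assumes sign.conf consists of plain `key: value` lines as quoted in the message; the function names, the permission check, the IP addresses and the passphrase are constructed for illustration.

```python
import os
import stat
import tempfile

def parse_sign_conf(text):
    """Parse 'key: value' lines; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def audit(build_conf, sign_conf, phrases_root=None):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    if not sign_conf.get("allow"):
        findings.append("sign server: no allow: line for the build service IP")
    phrases = sign_conf.get("phrases", [None])[0]
    if phrases is None:
        return findings + ["sign server: no phrases: directory configured"]
    # phrases_root (assumption, demo only) lets the check run on a copy of the tree
    directory = os.path.join(phrases_root, phrases.lstrip("/")) if phrases_root else phrases
    for user in build_conf.get("user", []):
        path = os.path.join(directory, user)
        if not os.path.isfile(path):
            findings.append(f"no passphrase file for {user} in {phrases}")
            continue
        for p in (directory, path):
            if stat.S_IMODE(os.stat(p).st_mode) & 0o077:
                findings.append(f"{p} is accessible to group or others")
    return findings

def demo():
    """Constructed sample: the user name differs from the phrase file by one letter."""
    build = parse_sign_conf("server: 192.0.2.10\nuser: buildservice@myhost.con\nallowuser: bsrun\n")
    signer = parse_sign_conf("allow: 192.0.2.20\nphrases: /root/.phrases\n")
    with tempfile.TemporaryDirectory() as root:
        d = os.path.join(root, "root/.phrases")
        os.makedirs(d, mode=0o700)
        f = os.path.join(d, "buildservice@myhost.com")
        with open(f, "w") as fh:
            fh.write("constructed-passphrase\n")
        os.chmod(f, 0o600)
        before = audit(build, signer, root)
        build["user"] = ["buildservice@myhost.com"]  # corrected name
        return before, audit(build, signer, root)
```

`demo()` returns the findings before and after the user name is corrected; on a real sign server, call `audit()` without `phrases_root` from the console.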