Mailinglist Archive: opensuse-buildservice (45 mails)

< Previous Next >
Re: [opensuse-buildservice] [obs-signd] need advice about gpg key generation
Great thanks!
Now I understand how obs-signd used in OBS :) .

On 09/09/2014 02:14 PM, Michael Schroeder wrote:
<skipped>


Makes sense. We do it a bit different in OBS, though. We don't store
the users' secret keys on our sign server, but instead encrypt them
with a dedicated OBS key. The advantage is that the encrypted private
keys can be stored and backuped like regular data, as you need
access to the secret OBS key to decrypt them (which is only stored
on the sign server).
The disadvantage is that an intruder can use any stored key to sign
rpms (but he can't copy the private key away and do more damage).

So for build.opensuse.org we actually have two security levels. For
most things we store the encrypted private key on the host, but
there are a couple of keys like the opensuse key that are only
stored in the sign server (and were created manually).

Example:(copr@xxxxxxxxxxx is the dedicated key that needs to exist
on the sign host)

* create a new key:
[@host-1]:# sign -u copr@xxxxxxxxxxx -P foo.priv -g rsa@2048 800 foo
foo@xxxxxxxxxxx > foo.pub
* sign rpm:
[@host-1]:# sign -u copr@xxxxxxxxxxx -P foo.priv target.rpm

Additional question:
Do we really need to protect keys with passhrases on [host-0]?
Private keys should never leave keyring at that machine.

I don't think you need passphrases. They don't help much if they
can be read from the filesystem anyway...

Cheers,
Michael.


--
Best regards,
Gologuzov Valentin.
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx

< Previous Next >