On Wed, Apr 08, 2020 at 01:37:10PM +0200, Marcus Klein wrote:
> we're using our own deployment of the Open Build Service to package our software. Unfortunately we used a very weak key in the past to sign our packages. This key is stored within GPG of the root user of the deployment.
I assume this means that you have one key for every project in the build service.
> We would now like to increase the security of this package signing key. Currently we're using a 1024 bit RSA key and we would like to use a 4096 bit RSA key, as other mechanisms do not seem to be supported on the Linux distributions we want to build packages for.
> Is there a possibility to store two package signing keys in the root user of the deployment and then select one of the two keys for some projects? This would allow us to still maintain old releases of our software with patches (always built in separate projects) with the old package signing key, while we can sign packages of a new release with a 4096 bit RSA key. I read about the possibility to create a key for a project, but we need a key for several projects. Is this possible somehow?
You can use a custom sign script to do that. Change your BSConfig.pm to include:

our $sign = '/path/to/your/sign/script';
our $sign_project = 1;

If $sign_project is set, $sign will be called with a --project option that contains the project name of the files that need to be signed. Your sign script could look like this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#!/bin/bash
# With $sign_project set, OBS always calls us as: --project <projid> <sign args...>
if test "X$1" != "X--project" -o -z "$2" ; then
  echo "must have --project argument" >&2
  exit 1
fi
projid="$2"
shift 2
if test "X$1" = X-P ; then
  # signing with a project specific key
  exec /usr/bin/sign "$@"
fi
# pick the key by project name; everything else uses sign's default key
args=
case $projid in
  XXX*) args="-u somekey@somemail" ;;
esac
exec /usr/bin/sign $args "$@"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Cheers,
  Michael.

--
Michael Schroeder                      SUSE Software Solutions Germany GmbH
mls@suse.de                            GF: Felix Imendoerffer HRB 36809, AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
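As an added example (not Michael's script and not OBS code), the same $sign / $sign_project hook generalized from a single case pattern to a table-driven project-to-key map, with each decision logged to stderr so an audit can later tell which key signed which project. The key map path /etc/obs/sign-keymap, the OBS_SIGN_KEYMAP variable, the key user ids and the project names are assumed placeholders.

```shell
#!/bin/sh
# Added example: table-driven dispatcher for BSConfig.pm's $sign hook
# ($sign_project = 1). Path, variable name, key ids and projects are assumed.
KEYMAP=${OBS_SIGN_KEYMAP:-/etc/obs/sign-keymap}   # assumed location of the table

# Constructed sample table, used when the real file is absent. One
# "project-prefix gpg-user-id" pair per line; first matching prefix wins,
# so list the more specific prefixes first. Comments and blank lines are skipped.
default_keymap() {
  printf '%s\n' \
    '# legacy releases still signed with the old 1024-bit key' \
    'Legacy:Release7 legacy-release7@example.org' \
    'Legacy: legacy-1024@example.org'
}

# key_for_project PROJECT: print the user id for "sign -u", or nothing,
# meaning "use sign's default key" (the new 4096-bit RSA key in root's keyring).
key_for_project() {
  if [ -r "$KEYMAP" ]; then cat "$KEYMAP"; else default_keymap; fi |
  while read -r prefix uid; do
    case $prefix in ''|'#'*) continue ;; esac
    case $1 in
      "$prefix"*) printf '%s\n' "$uid"; break ;;
    esac
  done
}

# dispatch: what OBS invokes as $sign, i.e. --project PROJECT SIGNARGS...
dispatch() {
  if [ "X$1" != "X--project" ] || [ -z "$2" ]; then
    echo "must have --project argument" >&2
    exit 1
  fi
  projid=$2
  shift 2
  if [ "X$1" = "X-P" ]; then
    echo "sign-dispatch: $projid: project-specific key (-P)" >&2
    exec /usr/bin/sign "$@"
  fi
  uid=$(key_for_project "$projid")
  if [ -n "$uid" ]; then
    echo "sign-dispatch: $projid: key $uid" >&2
    exec /usr/bin/sign -u "$uid" "$@"
  fi
  echo "sign-dispatch: $projid: default key" >&2
  exec /usr/bin/sign "$@"
}

# Only dispatch when called with arguments (OBS always passes --project).
[ $# -eq 0 ] || dispatch "$@"
```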