Package/Product/Repository Signing


Package/Product/Repository Signing

Steve Hertz
All,

I have been working to get all of the signing capabilities working on a
local OBS instance. Are there any notes or documents anyone could share
on getting this working? Most of the material I have found is simply an
outline. I have also tested against a home project in the public
instance and it's unclear how the osc signkey --create should be working
since I get either a zero or 256 return code but no changes are made to
the keys.

Thx

Steve

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: Package/Product/Repository Signing

Henne Vogelsang-2
Hey,

On 04.05.2017 18:51, Steve Hertz wrote:

> I have been working to get all of the signing capabilities working on a
> local OBS instance. Are there any notes or documents anyone could share
> on getting this working?

man sign
man signd
man sign.conf

have helped me a lot recently...

Henne

--
Henne Vogelsang
http://www.opensuse.org
Everybody has a plan, until they get hit.
        - Mike Tyson


Re: Package/Product/Repository Signing

Steve Hertz
All,

Thanks for the pointers; here is where I'm at. I started to make changes
in the local OBS because Firefox 53 and Chrome 58 no longer allow self-signed
certificates to be used. They have eliminated the option of
adding security exceptions as a workaround in their latest version.
It's a good change from a security perspective, but that impacted the
interface to the repositories etc. I made all of those changes using an
"unpublished" root certificate and certificate bundle so it doesn't add
cost to running the OBS instance. I have delayed making changes to the
key management as long as possible, but I need to tighten down security
and not put it off any longer.

I created scripts that build all of the keys I need and modified the
BSConfig.pm, sign.conf etc. Using gpg, the key ids etc. seem to be correct
and install into the standard OBS phrases, but I may have missed
something the OBS checks. It looks like the obssignd comes up and runs
properly with no issues using "systemctl status obssignd". One of the
problems left is the obssigner. It simply fails with no indication of
why; I have probably misconfigured something in all of the changes. I'm
using "systemctl status obssigner" and starting to dig through the code
for bs_signer. I'm open to suggestions on what might be wrong to get
this done faster, since package builds now hang in the signing process.
The next issue will be adding links to download and manage different
keys for each part of the deployment process.

This section didn't go out to the list; operator error.

----------------------------------------------
The problem I found was the BSConfig.pm didn't copy correctly and the line our $sign = "/usr/bin/sign --project $NAME"; was missing. It would be a great help if bs_signer line 598 had something like die("sign program is not configured!\nCheck BSConfig:sign=\n") unless $BSConfig::sign;.

In BSConfig.pm the comment says to add "our $sign = "/usr/bin/sign --project $NAME";", but when configured this way the signer.log shows "Use of uninitialized value $BSConfig::NAME in concatenation (.) or string at /usr/lib/obs/server/BSConfig.pm line 153". Any idea what is the proper way to configure BSConfig.pm to support package, product and repository signing? So I took out that line and used "our $sign = "/usr/bin/sign"".

I tried to force a rebuild of all the packages in the OBS to ensure they were resigned by one of the new keys.
$ osc rebuildpac --all

In the signer log I get the following messages back to back.
signing x86_64/{packagename}-e31bbd4d739a3637d3fc343a831c70e4
usage: sign [-c|-d|-r] [-u user] <file>

I'm not sure where the configuration is failing. Any thoughts?

Thx
Steve


On 5/5/2017 4:04 AM, Henne Vogelsang wrote:

> Hey,
>
> On 04.05.2017 18:51, Steve Hertz wrote:
>
>> I have been working to get all of the signing capabilities working on a
>> local OBS instance. Are there any notes or documents anyone could share
>> on getting this working?
>
> man sign
> man signd
> man sign.conf
>
> have helped me a lot recently...
>
> Henne
>



Re: Package/Product/Repository Signing

Adrian Schröter
On Friday, 5 May 2017, 09:39:54 CEST, Steve Hertz wrote:
...
> In BSConfig.pm the comment says to add "our $sign = "/usr/bin/sign --project $NAME";", but when configured this way the signer.log shows "Use of uninitialized value $BSConfig::NAME in concatenation (.) or string at /usr/lib/obs/server/BSConfig.pm line 153". Any idea what is the proper way to configure BSConfig.pm to support package, product and repository signing? So I took out that line and used "our $sign = "/usr/bin/sign"".

That is correct and our default. The --project option is only useful when
using wrapper scripts.

This configuration should be enough to do the signing, but test
manually using the "sign" command as the obsrun user to verify that it works.


--

Adrian Schroeter
email: [hidden email]

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany


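An added example, not from this thread and not code that OBS ships: a small POSIX shell check for the BSConfig.pm `$sign` setting that covers the two failure modes Steve describes (the `our $sign` line missing entirely, which made bs_signer fail silently, and the `--project $NAME` form where $NAME is never set) and Adrian's stated default of plain /usr/bin/sign. It does in the shell what Steve's suggested die() guard would do inside bs_signer. The BSConfig.pm fragments below are constructed here for illustration; the function names and the `sign_program_usable` helper are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread or of OBS itself: sanity-check the
# `our $sign = "...";` setting in a BSConfig.pm before starting obssigner.

# Print the value assigned to `our $sign` (last active assignment wins, as in
# Perl). Commented-out lines are ignored. Prints nothing if there is none.
bsconfig_sign_value() {
    sed -n 's/^[[:space:]]*our[[:space:]]*\$sign[[:space:]]*=[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | tail -n 1
}

# Classify the setting of one BSConfig.pm file. Prints exactly one token:
#   missing        no active `our $sign` line; bs_signer then fails without
#                  saying why (the case Steve ran into first)
#   unexpanded     the value still carries a Perl variable such as $NAME,
#                  which produced the "uninitialized value" warning
#   ok:<program>   the first word of the value, e.g. ok:/usr/bin/sign
# Exit status: 0 for ok, 1 for missing, 2 for unexpanded.
check_sign_setting() {
    value=$(bsconfig_sign_value "$1")
    if [ -z "$value" ]; then
        echo "missing"
        return 1
    fi
    case "$value" in
        *'$'*)
            echo "unexpanded"
            return 2
            ;;
    esac
    echo "ok:${value%% *}"
    return 0
}

# Runtime follow-up (assumed helper): is the configured program present and
# executable? It only inspects the file; it does not run sign.
sign_program_usable() {
    [ -x "$1" ]
}

# Constructed sample configs covering the three cases from the thread.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'our $sign = "/usr/bin/sign --project $NAME";' > "$SAMPLE_DIR/BSConfig.name.pm"
printf '%s\n' 'our $sign = "/usr/bin/sign";'                 > "$SAMPLE_DIR/BSConfig.ok.pm"
printf '%s\n' '# our $sign = "/usr/bin/sign";'               > "$SAMPLE_DIR/BSConfig.missing.pm"

for kind in name ok missing; do
    printf '%-8s -> %s\n' "$kind" "$(check_sign_setting "$SAMPLE_DIR/BSConfig.$kind.pm")"
done
```

Point `check_sign_setting` at /usr/lib/obs/server/BSConfig.pm (the path the signer.log warning names) on the real host. If it reports ok, the configuration text is fine and the remaining step is Adrian's: run the configured sign program by hand as the obsrun user, because this script cannot tell whether signd is reachable or the key in sign.conf is usable.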