On Tue, Dec 14, 2010 at 8:20 AM, Christos Triantafyllidis
Hi Josh, all,
I'm reading this thread and I think that I've missed some point. What is the
purpose of signing an RPM if you sign it on an online machine? I haven't seen the
sign_unsigned.py source yet but I guess what should be there is a mechanism that should
download the unsigned RPMs, then a manual operation of RPM sign (possibly on an offline or
at least access restricted node), and then another script to import the signed RPMs (or
just the signatures).

sign_unsigned.py uses sigul under the covers to do the actual RPM signing.

Am I seeing this from a wrong perspective? Does Fedora really sign
the RPMs online? I guess this gets even worse if the sign operation is done more
efficiently, automatically after each koji build.

No, currently the signing is done on a secure node. There is a sigul
bridge that interfaces with sigul client requests and a secure node in
the datacenter that can only talk to that bridge. It is not
accessible via http, ssh, etc. The server signs the RPMs using the
Additionally, the server also generates those keys and stores them
locally. Authenticated users can request it sign an RPM with a
particular key, but those users don't actually have access to that key
at all. The gpg key never leaves the sigul server. This is much
better than what was previously done, as that required sending the
key(s) to trusted individuals on multiple machines.