On 12/14/10 5:20 AM, Christos Triantafyllidis wrote:
Hi Josh, all,
i'm reading this thread and i think that i've missed some point. What
is the purpose of signing an RPM if you sign it on an online machine?
The purpose of the signature is to provide something downstream
consumers can check to ensure that the build came from a Fedora source
control and the Fedora build system. We don't intend our signatures to
provide anything beyond that. The "online" machine in question is very
secure, as secure as we can reasonably make it with open source tools.
I'm not aware of a reasonable way to feed hundreds of thousands of rpms
into an /offline/ machine to sign them, and then cart all of them back
/off/ the offline machine and back onto a network.
Our package store, many TBs large, exists in a datacenter where the only
access is remote. This is a fact of our infrastructure and one that we
have to deal with. Creating sigul as Josh described is our effort to
secure the process as much as possible, while remaining a open project
that provides access to more than just Red Hat employees.
I haven't seen the sign_unsigned.py source yet but i guess what
should be there is a mechanism that should download the unsigned
RPMs, then a manual operation of RPM sign (possibly on an offline or
at least access restricted node), and then another script to import
the signed RPMs (or just the signatures).
You really should start reading the sources then. You've basically
described how sigul and sigulsign_unsigned works.
The sigulsign_unsigned script takes in options and data such as what
builds to sign, or what koji tag to sign, and what key to use. It will
prompt you for your personal passphrase for a particular key (every user
has their own, nobody knows the real key passphrase). This data is
passed along to the sigul bridge which is semi-restricted. The bridge
operates against our account system to validate user certs, and with the
"vault" which is a very secure and limited access machine where the
actual gpg keys live. The bridge fetches the unsigned rpms, passes them
to the vault. The vault signs them and passes back the signed header,
which the bridge will import into koji.
Am i seeing this from a wrong perspective? does Fedora really sign
the RPMs online? I guess this gets even worse if the sign operation
is done more efficiently, automatically after each koji build.
If "online" matches the above, then yes. And we are moving to a point
where we can sign each package as it completes a build in koji. The
only "worse" part is that we'd have one more extremely limited access
machine with cached credentials to a "buildsystem" key so that it can
detect a finished build, enact a sign+import of said build. As I stated
before the GPG key is only intended to validate that the build happened
in an "official" way on "official" Fedora resources. Nothing beyond
I hope i don't sound offensive, but these were my thoughts as i
want/need to implement something like this in our local koji
installation and i hoped that you were using something more
Fedora -- Freedom² is a feature!