On Mon, 25 Mar 2019 at 14:17, Miroslav Suchý <msuchy(a)redhat.com> wrote:
Dne 21. 03. 19 v 13:57 Neal Gompa napsal(a):
> Forgive me, but what does sigul do that signd cannot? I'm unaware of
> any material differences between the two.
Sigul has very strong network isolation against the server and
protections on on-disk keys (which are useless without a user
passphrase), key binding against hardware (client and/or server-side),
supports PKCS11 modules via NSS for the transport layer, and very
strong auditing in its logs on what exactly has been signed/decrypted
When I started Copr I considered both Sigul and OBS signd. I spent several hours with
Mirek Trmač - original author of
Sigul and we talked about the pros and cons. It is several years, but IIRC:
Sigul allows better isolation. It even has its own transport layer. When you want to
generate new private key, the
procedure is very strict. (That was cons for Copr as we had to automate this step).
No one is using Sigul but Fedora and RHEL.
I would like to point out that this conclusion is wrong: there are
more parties using it, but not many of them are as well-known as
Fedora, and most of them do not (want to) publish about their usage of
I can even say it is upstream dead, there are only fixes which keep
(like Py3 migration).
Additionally, I would not call it dead since I took it over, given
that I've been adding new features to it over time.
There's not a huge set of new features people have been asking for, so
I've only been adding what I do hear about or need myself.
The cons of Sigul is that you must transfer whole file to Sigul,
Sigul will sign it and send whole file back. Quite
painful for some packages which are several hundred MB big. On the other hand this keeps
good track of the files which
were signed. OBS Sign get just checksum and sign the file base on the checksum. It is
OBS Signd is used by several projects. OBS and Copr are likely the biggest ones. It is
documented (Sigul not).
What kind of documentation are you missing? I'd like to point out that
the project README contains a reasonable set of instructions
on how to get it set up and how to use the most common operations.
> And it
> gets some enhancements over time - the pace is very slow, but better than Sigul.
> While OBS Signd was designed for OBS it is nicely isolated and can be used as
> My conlusion for Copr was - OBS Signd is secure enough for Copr so we rather
cooperate with other distribution on common
> project rather than keeping alive project with unknown future.
> infrastructure mailing list -- infrastructure(a)lists.fedoraproject.org
> To unsubscribe send an email to infrastructure-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: