Signing built RPMs or how to create signed RPMs.

Josh Boyer jwboyer at gmail.com
Tue Dec 14 13:26:09 UTC 2010


On Tue, Dec 14, 2010 at 8:20 AM, Christos Triantafyllidis
<ctria at grid.auth.gr> wrote:
> Hi Josh, all,
>
>  I'm reading this thread and I think that I've missed some point. What is the purpose of signing an RPM if you sign it on an online machine? I haven't seen the sign_unsigned.py source yet, but I guess what should be there is a mechanism that should download the unsigned RPMs, then a manual operation of RPM sign (possibly on an offline or at least access-restricted node), and then another script to import the signed RPMs (or just the signatures).

sign_unsigned.py uses sigul under the covers to do the actual RPM signing.

>  Am I seeing this from a wrong perspective? Does Fedora really sign the RPMs online? I guess this gets even worse if the sign operation is done more efficiently, automatically after each koji build.

No, currently the signing is done on a secure node.  There is a sigul
bridge that interfaces with sigul client requests and a secure node in
the datacenter that can only talk to that bridge.  It is not
accessible via http, ssh, etc.  The server signs the RPMs using the
keys.

Additionally, the server also generates those keys and stores them
locally.  Authenticated users can request it sign an RPM with a
particular key, but those users don't actually have access to that key
at all.  The gpg key never leaves the sigul server.  This is much
better than what was previously done, as that required sending the
key(s) to trusted individuals on multiple machines.

josh
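The design Josh describes (a bridge that is the only path to a signing host, authenticated users who can request a signature with a named key but never obtain the key) can be modelled in a few dozen lines. The following is an added illustration, not sigul's own code and not the sigul wire protocol: the RSA key pair is a constructed toy built from two Mersenne primes standing in for the GPG key, and the user name, token, key name and RPM payload are all constructed values. The point it makes is structural: private material lives only inside the server object, the bridge forwards requests and nothing else, and a client can verify the result with the public part alone.

```python
"""Model of a 'key never leaves the signing host' design (added example)."""
import hashlib
import hmac

# Constructed toy RSA parameters; real keys are far larger. Both are primes,
# and 65537 is coprime to (P-1)*(Q-1), so the private exponent exists.
_P = (1 << 61) - 1
_Q = (1 << 89) - 1
_E = 65537


def _digest_int(data: bytes) -> int:
    """Truncate SHA-256 to 128 bits so the value fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


class SigningServer:
    """Holds the private key and exposes only sign() to authenticated callers.

    Mirrors the described setup: a user asks for a signature with a named key,
    receives the signature, and never sees the key material."""

    def __init__(self):
        n = _P * _Q
        phi = (_P - 1) * (_Q - 1)
        d = pow(_E, -1, phi)  # Python 3.8+ modular inverse
        # Private exponent is stored only inside this object (constructed key name).
        self._keys = {"example-key": {"n": n, "d": d}}
        # Constructed credentials: only a token hash is kept server-side.
        self._users = {"releng": hashlib.sha256(b"constructed-token").digest()}
        self.audit_log = []

    def public_key(self, key_name):
        """Return the public part only; 'd' is never handed out."""
        return {"n": self._keys[key_name]["n"], "e": _E}

    def sign(self, user, token, key_name, rpm_bytes):
        """Authenticate the caller, then sign the digest of the payload."""
        expected = self._users.get(user)
        presented = hashlib.sha256(token).digest()
        if expected is None or not hmac.compare_digest(expected, presented):
            self.audit_log.append(("denied", user, key_name))
            raise PermissionError("authentication failed")
        key = self._keys[key_name]
        sig = pow(_digest_int(rpm_bytes), key["d"], key["n"])
        self.audit_log.append(("signed", user, key_name))
        return sig


class Bridge:
    """The only reachable endpoint: forwards signing requests, nothing else."""

    def __init__(self, server):
        self._server = server

    def request_signature(self, user, token, key_name, rpm_bytes):
        return self._server.sign(user, token, key_name, rpm_bytes)


def verify(pubkey, rpm_bytes, sig):
    """Client-side check that needs only the public key."""
    return pow(sig, pubkey["e"], pubkey["n"]) == _digest_int(rpm_bytes)


def demo():
    """Sign a constructed payload through the bridge and check three outcomes:
    a good signature verifies, a tampered payload does not, and a bad token
    is refused before any signing happens."""
    server = SigningServer()
    bridge = Bridge(server)
    rpm = b"constructed RPM payload"
    sig = bridge.request_signature("releng", b"constructed-token", "example-key", rpm)
    pub = server.public_key("example-key")
    ok = verify(pub, rpm, sig)
    tampered = verify(pub, rpm + b"x", sig)
    try:
        bridge.request_signature("releng", b"wrong-token", "example-key", rpm)
        denied = False
    except PermissionError:
        denied = True
    return ok, tampered, denied


if __name__ == "__main__":
    print(demo())
```

The audit log on the server object is the part worth copying into a real deployment: every signing request, granted or refused, is recorded next to the user and key name, which is what lets an operator notice a request that should not have been made.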


More information about the buildsys mailing list