Is there a way to passphrase protect my koji cert?
Nalin Dahyabhai
nalin at redhat.com
Tue Feb 14 17:38:29 UTC 2012
On Tue, Feb 14, 2012 at 09:33:31AM -0600, Bruno Wolff III wrote:
> While replacing my koji cert yesterday I was interested in adding a
> passphrase to slow down exploitation if my home desktop got compromised.
> I've looked through some of the documentation for maintainers and I haven't
> seen any instructions on how to protect it with a passphrase. Is this
> possible? (In a way compatible with fedpkg and koji command line.)
At least partially.
Assuming you have your certificate and private key in ~/.fedora.cert:
    awk '/BEGIN PRIVATE/,/END PRIVATE/' ~/.fedora.cert | \
        openssl pkcs8 -topk8 >> ~/.fedora.cert
This selects the portion that is just the private key, pipes it through
OpenSSL to encrypt it and format it according to PKCS#8, and then
appends the result to the existing file. Then, you'd remove the
unencrypted copy of your private key:
    sed -i '/BEGIN PRIVATE/,/END PRIVATE/d' ~/.fedora.cert
When I subsequently ran a koji administrative command, I got to enter my
passphrase a few times (and for some reason, while 'pkcs8' will accept
something fewer than four characters long for a new passphrase, that
requirement is also enforced -- somewhere -- when you run koji), and got
the expected denial.
I doubt it's going to be officially supported, but within limits it
seems to more or less work. If it breaks, though, you'll need to undo
it:
    awk '/BEGIN ENCRYPTED/,/END ENCRYPTED/' ~/.fedora.cert | \
        openssl pkcs8 >> ~/.fedora.cert
    sed -i '/BEGIN ENCRYPTED/,/END ENCRYPTED/d' ~/.fedora.cert
HTH,
Nalin
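
Added example, not part of the message above and not code from koji or fedpkg: a check to run after the steps in the message that reports whether any private-key block in a PEM bundle such as ~/.fedora.cert is still unencrypted. It goes slightly beyond the message by also recognising traditional-format labels (for example BEGIN RSA PRIVATE KEY), which the /BEGIN PRIVATE/ patterns do not match; the function name pem_key_audit and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# pem_key_audit FILE  (hypothetical helper, added example)
# Prints one line per private-key block: "<start line> <state> <label>".
# Exit status: 0 = every key encrypted, 1 = plaintext or unterminated key,
#              2 = no private key found in the file.
pem_key_audit() {
    awk '
    /^-----BEGIN .*PRIVATE KEY-----/ {
        label = $0
        sub(/^-----BEGIN /, "", label); sub(/-----.*$/, "", label)
        start = NR; inkey = 1
        # PKCS#8 encrypted keys say so in the label itself.
        state = (label == "ENCRYPTED PRIVATE KEY") ? "encrypted" : "plaintext"
        next
    }
    # Traditional-format keys mark encryption with a Proc-Type header instead.
    inkey && /^Proc-Type:[ \t]*4,ENCRYPTED/ { state = "encrypted" }
    inkey && /^-----END .*PRIVATE KEY-----/ {
        printf "%d %s %s\n", start, state, label
        if (state == "plaintext") bad++
        keys++; inkey = 0
    }
    END {
        if (inkey) { printf "%d unterminated %s\n", start, label; bad++; keys++ }
        if (keys == 0) exit 2
        exit (bad > 0 ? 1 : 0)
    }' "$1"
}

# Constructed sample (fake key material): the plaintext traditional-format key
# was left behind next to the newly appended encrypted PKCS#8 copy.
demo=$(mktemp)
cat > "$demo" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
EOF
pem_key_audit "$demo" || echo "audit status: $?"
rm -f "$demo"
```
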