sigul

Josh Boyer jwboyer at gmail.com
Thu Feb 5 16:09:48 UTC 2009


On Thu, Feb 05, 2009 at 07:31:09AM -0800, Jesse Keating wrote:
>On Thu, 2009-02-05 at 08:33 -0500, Josh Boyer wrote:
>> So, what's needed to really get sigul up and running?
>> 
>> mitr has the code in what appears to be pretty good shape.  I
>> can certainly install it a bit and play around with it here on
>> some KVM guests locally, but that isn't going to further us
>> very much other than getting some more testing.
>> 
>> I know everyone is busy so if there are things I can do to help
>> this progress, just let me know.  I should have access to most
>> of the rel-eng and infrastructure machines, but I think we
>> might have some special requirements here for machines and I'm
>> not entirely sure what those are.
>
>We'll need a couple test guests from infra to deploy sigul.  Mitr and I
>had talked a bit about making it work on el5, not sure if that has been
>done or if our guests need to be a Fedora flavor.  Then we need to get

commit 05af277460ed4ac92d64b0ab50902d6b813937f1
Author: Miloslav Trmač <mitr at redhat.com>
Date:   Sun Jan 11 23:50:54 2009 +0100

    Modify to run on RHEL5.

So I guess so.

>the hub and signer setup and hooked into FAS.  Then we need to generate
>a test key.  This is where things get sticky.  For F11 we want a bigger
>dsa key so that we can sign with a big enough bit size.  Unfortunately
>koji is not ready to accept such keys and we have to wait for a new koji
>roll out (coming soon).  In the meantime we can generate some test keys
>of smaller size, to match those we're using in f9/f10 (I'm not quite
>comfortable giving out the f9/f10 keys on the test systems just yet) so
>that we can test signing/importing/writing out with koji.

Test keys are fine for now.  It's getting stuff set up to play with that
is the important part I guess.

>Once those pathways are smooth, then it's just a matter of getting more
>permanent resources in place.  There is another hardware key holder I
>want to look at, to use in conjunction with sigul to improve our key
>security but that may not be necessary or timely.

What happened with the original card thing you ordered that used a PIN?
Anyway, that should be able to get phased in later, yes?

>If you wanted to drive some of this, I'd really appreciate it, as it
>would free me up to keep pounding on the automated QA work that I've
>been making promises about.

So from an infrastructure point of view, do we simply want to start
testing it out with a single guest running everything?  When I talked
to Mitr about it this morning, that is how he had been testing.  Or
would you rather get 2 guests in place, one for the server and one for
the bridge?

josh
