Latest revision as of 16:05, 22 June 2016
== Objective ==
Securely and automatically sign all of the different release artifacts that need to be signed.
== Use Cases ==
In addition to the RPMs that we sign today, we need to be able to sign the following:
=== CHECKSUM Files ===
The CHECKSUM files are created by pungi. Whenever a compose finishes, a pungi.compose.status.change fedmsg is sent. CHECKSUM files are only created for Rawhide and Branched images.
We use a command like:
<pre>
# /mnt/fedora_koji is an NFS mount of ntap-phx2-c01-fedora01-nfs.storage.phx2.redhat.com:/fedora_koji
BASE=/mnt/fedora_koji/compose
# RELEASEVER is rawhide or branched
# COMPOSEID is a string like Fedora-23-20150607.n.9
# KEY and pass are the sigul key name and passphrase, set elsewhere
# The pattern is quoted so the shell does not expand it in the current directory
for checksum in $(find "$BASE/$RELEASEVER/$COMPOSEID/compose/" -name '*CHECKSUM'); do
    # Clearsign a copy, then replace the original only if every step succeeded
    cat "$checksum" > /tmp/sum \
        && NSS_HASH_ALG_SUPPORT=+MD5 sigul --batch sign-text -o /tmp/signed "$KEY" /tmp/sum "$pass" \
        && chmod 644 /tmp/signed \
        && sudo mv /tmp/signed "$checksum"
done
</pre>
Ideally, we pass in a compose and the signing box then finds and signs all of its CHECKSUM files.
=== OStree repo commits ===
This needs further investigation; however, it does need detached signatures. We need to evaluate how to add the commits to the OSTree repo.
The commits might be signed with this script: https://pagure.io/releng/blob/master/f/scripts/push-two-week-atomic.py
Taiga ticket: http://taiga.fedorainfracloud.org/project/acarter-fedora-docker-atomic-tooling/us/193?no-milestone=1
=== repodata ===
To provide an extra layer of protection for users, and verification for the openh264 repo, we need to make detached signatures of repomd.xml.
<pre>
# Detached signature (repomd.xml.asc) for every repomd.xml under the repo tree
for file in $(find ~/24-openh264-20160422 -name repomd.xml); do
    NSS_HASH_ALG_SUPPORT=+MD5 sigul sign-data fedora-24 "$file" -o "$file.asc"
    chmod 644 "$file.asc"
done
</pre>
Open questions: Where is the repo stored? Which script creates the repo? Is there a fedmsg event sent when the repo is done?
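Added example, not one of the releng scripts referenced on this page: a POSIX shell routine that takes one compose tree and does both jobs from the CHECKSUM and repodata sections, clearsigning every CHECKSUM file in place and writing a detached repomd.xml.asc, with the sign-into-a-temp-file, check, chmod, rename sequence the one-liners do by hand. SIGUL_KEY, SIGN_CMD, sign_one and sign_compose are names chosen here; the sigul sub-commands and argument order are the ones the page's own commands use, and the compose tree is assumed to be writable by the signing user.

```shell
#!/bin/sh
# Added example (not a releng script): sign everything under one compose tree the way
# the two sigul one-liners on the page do, but with each file signed into a temp file,
# checked, chmod'ed and renamed into place so readers never see a half-written file.
# Assumed names: SIGUL_KEY, SIGN_CMD, sign_one, sign_compose. The compose tree is
# assumed writable by the signing user (the page's one-liner used sudo for the mv).
set -u

: "${SIGUL_KEY:=fedora-24}"       # sigul key name; fedora-24 is the value from the page
: "${SIGN_CMD:=sigul --batch}"    # point this at a stub to exercise the logic offline

# sign_one MODE SRC DST
#   text: clearsign SRC (sigul sign-text); DST replaces the original CHECKSUM file
#   data: detached signature of SRC (sigul sign-data); DST is the .asc beside it
sign_one() {
    mode=$1 src=$2 dst=$3
    tmp=$(mktemp "$dst.XXXXXX") || return 1
    case $mode in
        text) $SIGN_CMD sign-text -o "$tmp" "$SIGUL_KEY" "$src" ;;
        data) $SIGN_CMD sign-data "$SIGUL_KEY" "$src" -o "$tmp" ;;
        *)    false ;;
    esac || { rm -f "$tmp"; return 1; }
    # Refuse to publish anything that is not ASCII-armored PGP output.
    grep -q -- '-----BEGIN PGP' "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp" && mv -f "$tmp" "$dst"
}

# sign_compose COMPOSE_DIR: prints the number of files handled; exit status is
# non-zero if any file failed, and a failed file is left exactly as it was.
sign_compose() {
    dir=$1 n=0 rc=0
    list=$(mktemp) || return 1
    # Quoted patterns: an unquoted *CHECKSUM would be expanded by the shell first.
    find "$dir" -type f \( -name '*CHECKSUM' -o -name repomd.xml \) > "$list"
    while IFS= read -r f; do
        case $f in
            *CHECKSUM)   sign_one text "$f" "$f"     || rc=1 ;;
            *repomd.xml) sign_one data "$f" "$f.asc" || rc=1 ;;
        esac
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
    return $rc
}
```

Run as `sign_compose /mnt/fedora_koji/compose/rawhide/<compose id>`; a non-zero exit means at least one artifact was not signed and still has its original contents.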
== Signing interface ==
We need to have a way to request that something gets signed, and to determine how the signed things get written to disk.
== Hardware ==
We have a physical box. The thinking is that the passwords for a sigul user will be stored on the box, which will only be accessible by serial console and only to a limited set of users. The service will proxy signing requests, possibly authenticating via SSL certificate, fedmsg or some other method.