Revision as of 20:57, 27 July 2014
signing notes
<pre>
$ sigul --help-commands
delete-key          Delete a key
modify-key-user     Modify user's key access
list-users          List users
grant-key-access    Grant key access to a user
sign-text           Output a cleartext signature of a text
import-key          Import a key
new-user            Add a user
sign-rpm            Sign a RPM
list-keys           List keys
sign-data           Create a detached signature
revoke-key-access   Revoke key acess from a user
user-info           Show information about a user
change-passphrase   Change key passphrase
list-key-users      List users that can access a key
new-key             Add a key
modify-user         Modify a user
sign-rpms           Sign one or more RPMs
modify-key          Modify a key
delete-user         Delete a user
key-user-info       Show information about user's key access
get-public-key      Output public part of the key
</pre>
* Adding a passphrase to the signing key:
<pre>
$ NSS_HASH_ALG_SUPPORT=+MD5 sigul --verbose --user-name=parasense change-passphrase epel-7
</pre>
* Inspecting the NSS database with certutil
More info about certutil can be found here: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Tools/certutil
* start by displaying the certificate nicknames, which come in handy later:
<pre>
$ certutil -L -d ~/.sigul
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
fedora-ca                                                    CT,,
sigul-client-cert                                            u,u,u
</pre>
The "fedora-ca" entry is the Fedora packager certificate. The "sigul-client-cert" entry is the relevant signing certificate. Together, these two certificates allow package signing tasks to be delegated to trusted persons.
NOTE: the fedora-ca is based on your packager cert, which is itself stored in your home directory:
<pre>
$ fedora-cert --verify
Verifying Certificate
cert expires: 2014-11-10
CRL Checking not implemented yet
</pre>
NOTE: If you are curious, you can check the expiry date directly in the certificate file:
<pre>
$ grep "Not After" .fedora.cert
Not After : Nov 10 15:31:45 2014 GMT
</pre>
* list the private keys in the database (certutil -K) and print the certificate chain of the signing cert (certutil -O):
<pre>
$ certutil -K -d ~/.sigul
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa ... <REDACTED> ... sigul-client-cert
< 1> rsa ... <REDACTED> ... sigul-client-cert
$ certutil -O -n sigul-client-cert -d ~/.sigul
"fedora-ca" [E=admin@fedoraproject.org,CN=Fedora Project CA,OU=Fedora Project CA,O=Fedora Project,L=Raleigh,ST=North Carolina,C=US]
"sigul-client-cert" [E=jdisnard@gmail.com,CN=parasense,OU=Fedora User Cert,O=Fedora Project,ST=North Carolina,C=US]
</pre>
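An added example, not from these notes or from sigul itself: a POSIX sh pre-signing check that parses the certutil -L listing and the .fedora.cert "Not After" line shown above, and fails unless fedora-ca is trusted (CT,,), sigul-client-cert has its private key in the database (u,u,u) and the packager cert has not expired. The function names check_trust, cert_valid_on and sigul_db_ready, the sample listing and the reference date 2014-07-27 are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the notes): pre-signing sanity check that parses the
# certutil -L listing and the .fedora.cert "Not After" line shown above.
# Assumed: nicknames fedora-ca / sigul-client-cert with trust flags CT,, / u,u,u.

# check_trust LISTING NICKNAME EXPECTED_FLAGS: succeeds only if NICKNAME is in
# the certutil -L output with exactly EXPECTED_FLAGS (CT,, = trusted CA,
# u,u,u = our own certificate with a private key in the database).
check_trust() {
    printf '%s\n' "$1" | awk -v nick="$2" -v want="$3" '
        $1 == nick && $2 == want { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# cert_valid_on NOTAFTER_LINE YYYY-MM-DD: succeeds if the certificate expires
# strictly after the given day. Pure POSIX sh: map the month name to a number
# and compare both dates as YYYYMMDD integers (no GNU date needed).
cert_valid_on() {
    set -- "${1#*: }" "$2"                  # drop the "Not After : " prefix
    mon=${1%% *}
    day=$(printf '%s\n' "$1" | awk '{print $2}')
    year=$(printf '%s\n' "$1" | awk '{print $4}')
    case $mon in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 2;;                       # unparseable line: fail closed
    esac
    expires=$(printf '%04d%02d%02d' "$year" "$m" "$day")
    today=$(printf '%s' "$2" | tr -d '-')
    [ "$expires" -gt "$today" ]
}

# sigul_db_ready LISTING NOTAFTER_LINE YYYY-MM-DD: all three checks must pass.
sigul_db_ready() {
    check_trust "$1" fedora-ca 'CT,,' &&
    check_trust "$1" sigul-client-cert 'u,u,u' &&
    cert_valid_on "$2" "$3"
}

# Constructed sample input mirroring the listing in the notes above. Against a
# real database use "$(certutil -L -d ~/.sigul)" and "$(grep 'Not After' ~/.fedora.cert)".
SAMPLE_LISTING='Certificate Nickname            Trust Attributes
                                SSL,S/MIME,JAR/XPI
fedora-ca                       CT,,
sigul-client-cert               u,u,u'
SAMPLE_NOT_AFTER='Not After : Nov 10 15:31:45 2014 GMT'

sigul_db_ready "$SAMPLE_LISTING" "$SAMPLE_NOT_AFTER" 2014-07-27 && echo "NSS database looks ready for signing"
```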