From Fedora Project Wiki

{{admon/important|This page has moved [https://docs.pagure.org/releng/sop_sigul_client_setup.html here]| All Fedora Release Engineering Documentation has moved [https://docs.pagure.org/releng/ here] with source hosted alongside the code in the [https://pagure.io/releng releng pagure repository]}}
 
This document describes how to configure a sigul client. For more information on sigul, please see [[User:Mitr]].
 
= Prerequisites =
 
<ul>
<li> Install '''sigul''' and its dependencies. It is available in both Fedora and EPEL:
<pre>
# yum install sigul
</pre></li>
<li>Ensure that your koji certificate and the Fedora CA certificates are present at the following locations on the system you run the sigul client from:
* <code>~/.fedora.cert</code>
* <code>~/.fedora-server-ca.cert</code>
* <code>~/.fedora-upload-ca.cert</code>
</li>
<li>Admin privileges on koji are required to write signatures.</li>
<li>If you are running RHEL 6, add <code>export NSS_HASH_ALG_SUPPORT=+MD5</code> to your <code>~/.bashrc</code>.</li>
</ul>
 
= Configuration =
 
<ol>
<li> Run '''sigul_setup_client'''.</li>
<li> Choose a password for your NSS database. '''By default this will be stored on disk in ''~/.sigul/client.conf''.'''</li>
<li> Choose an export password. You only need to remember it until sigul_setup_client finishes.</li>
<li> Enter the DB password you chose earlier, then the export password. You should see the message "pk12util: PKCS12 IMPORT SUCCESSFUL".</li>
<li> Enter the DB password again. You should see the message "Done".</li>
<li> Assuming that you are running the sigul client within phx2, edit ~/.sigul/client.conf to include the following lines:
<pre>
[client]
bridge-hostname: sign-bridge1
server-hostname: sign-vault1
</pre></li></ol>
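
A post-setup check for the configuration steps above, added here as an example (it is not part of the original SOP or of sigul): it verifies that <code>~/.sigul</code> and <code>client.conf</code>, where the NSS database password is stored, are not accessible to group or other, and that the <code>[client]</code> section sets both hostnames. The function names are hypothetical and GNU <code>stat</code> is assumed.

```shell
# Added example (not from the original SOP or from sigul): post-setup audit.
# The page states the NSS DB password is stored in client.conf, so neither the
# file nor its directory should be accessible to group or other.
# Function names are hypothetical; GNU stat (coreutils) is assumed.

# Return 0 if the path has no group/other permission bits, 1 if it has,
# 2 if it does not exist.
sigul_private_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Print the value of KEY in [SECTION] of FILE; non-zero exit if it is not set.
# Lines starting with '#' or ';' are comments, as in the page's sample config.
sigul_conf_get() {  # FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); insec = ($0 == sec); next }
        insec && match($0, /[:=]/) {
            k = substr($0, 1, RSTART - 1); v = substr($0, RSTART + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# Audit DIR (default ~/.sigul): permissions plus the two required hostnames.
sigul_audit() {
    dir=${1:-$HOME/.sigul}; conf=$dir/client.conf; rc=0
    for p in "$dir" "$conf"; do
        sigul_private_mode "$p" ||
            { echo "FAIL: $p is missing or accessible to group/other"; rc=1; }
    done
    for key in bridge-hostname server-hostname; do
        sigul_conf_get "$conf" client "$key" >/dev/null 2>&1 ||
            { echo "FAIL: [client] $key is not set in $conf"; rc=1; }
    done
    return $rc
}

# Usage: sigul_audit            (audits ~/.sigul)
```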
 
== Configuration for Secondary Architectures ==
 
All steps remain the same; however, you will need admin privileges on your secondary koji instance (not the primary's). When editing ~/.sigul/client.conf, use:
<pre>
[client]
bridge-hostname: secondary-signer
server-hostname: secondary-signer-server
 
[koji]
# Config file used to connect to the Koji hub
; koji-config: ~/.koji/config
# # Recognized alternative instances
koji-instances: ppc s390 arm
 
koji-config-ppc: /etc/koji/ppc-config
koji-config-s390: /etc/koji/s390-config
koji-config-arm: /etc/koji/arm-config
 
</pre>
 
= Updating your Fedora certificate =
 
When your Fedora certificate expires, update it and then run the following commands:
 
<pre>
$ certutil -d ~/.sigul -D -n sigul-client-cert
$ NSS_HASH_ALG_SUPPORT=+MD5 sigul_setup_client
</pre>
 
[[Category:Release Engineering SOPs]]

Revision as of 20:19, 31 March 2016
