From Fedora Project Wiki
(start setting up freamwork of page)
 
No edit summary
Line 2: Line 2:


== Objective ==
== Objective ==
Securely sign automatically, all of the different release artifacts that need to be signed
Securely sign automatically, all of the different release artifacts that need to be signed.


== Use Cases ==
== Use Cases ==
In addition to rpms that we sign today we need to be able to sign the following


=== CHECKSUM Files ===
=== CHECKSUM Files ===
We use a command like:
  for checksum in $(find $BASE/$RELEASEVER/$COMPOSEID/compose/ -name  *CHECKSUM);
  do
    cat $checksum >/tmp/sum && NSS_HASH_ALG_SUPPORT=+MD5 sigul --batch sign-text -o /tmp/signed $KEY /tmp/sum $pass && chmod 644 /tmp/signed && sudo mv /tmp/signed $checksum
  done
Ideally I think we pass in a compose, the signing box then finds and signs all CHECKSUMS.


=== OStree repo commits ===
=== OStree repo commits ===
This needs further investigation, however it does need detached signatures. we need to evaluate how to add the commits to the ostree repo
=== repodata ===
To provide an extra layer of protection for users, and verification for the openh264 repo we need to make detached signatures of repomd.xml


=== RPMS ===
  for file in $(find ~/24-openh264-20160422 -name repomd.xml); do  NSS_HASH_ALG_SUPPORT=+MD5 sigul sign-data  fedora-24 $file -o $file.asc; chmod 644 $file.asc; done


=== repodata ===
== Signing interface ==
 
We need to have a way to request that something gets signed and determine how the signed things get written to disk
 
== hardware ==
 
We have a physical box. The thinking is that the passwords for a sigul user will be stored on the box, that will only be accessible by serial console and only to a limited set of users. The service will proxy signing requests, possibly authenticating via ssl cert or fedmsg or some other method.

Revision as of 11:53, 22 June 2016

Objective

Securely sign automatically, all of the different release artifacts that need to be signed.

Use Cases

In addition to rpms that we sign today we need to be able to sign the following

CHECKSUM Files

We use a command like:

 for checksum in $(find $BASE/$RELEASEVER/$COMPOSEID/compose/ -name  *CHECKSUM);
 do
   cat $checksum >/tmp/sum && NSS_HASH_ALG_SUPPORT=+MD5 sigul --batch sign-text -o /tmp/signed $KEY /tmp/sum $pass && chmod 644 /tmp/signed && sudo mv /tmp/signed $checksum
 done

Ideally I think we pass in a compose, the signing box then finds and signs all CHECKSUMS.

OStree repo commits

This needs further investigation, however it does need detached signatures. we need to evaluate how to add the commits to the ostree repo

repodata

To provide an extra layer of protection for users, and verification for the openh264 repo we need to make detached signatures of repomd.xml

 for file in $(find ~/24-openh264-20160422 -name repomd.xml); do  NSS_HASH_ALG_SUPPORT=+MD5 sigul sign-data  fedora-24 $file -o $file.asc; chmod 644 $file.asc; done

Signing interface

We need to have a way to request that something gets signed and determine how the signed things get written to disk

hardware

We have a physical box. The thinking is that the passwords for a sigul user will be stored on the box, that will only be accessible by serial console and only to a limited set of users. The service will proxy signing requests, possibly authenticating via ssl cert or fedmsg or some other method.