Koji/SigulUsing: difference between revisions
Note: available commands
$ sigul --help-commands
delete-key Delete a key
modify-key-user Modify user's key access
list-users List users
grant-key-access Grant key access to a user
sign-text Output a cleartext signature of a text
import-key Import a key
new-user Add a user
sign-rpm Sign a RPM
list-keys List keys
sign-data Create a detached signature
revoke-key-access Revoke key acess from a user
user-info Show information about a user
change-passphrase Change key passphrase
list-key-users List users that can access a key
new-key Add a key
modify-user Modify a user
sign-rpms Sign one or more RPMs
modify-key Modify a key
delete-user Delete a user
key-user-info Show information about user's key access
get-public-key Output public part of the key
Note: generate plenty of entropy during key generation
Key generation needs a lot of entropy on the Sigul server. Keeping the server busy therefore, paradoxically, speeds up key generation. The following command generates enough entropy for 2 minutes:
find / > /dev/null 2>&1
Revision as of 21 August 2013, 12:44
Sigul
After installing Sigul, it can be used as follows.
Create a new key
Once the Sigul client is able to send commands to <class>Sigul</class>, a new key named centos-5-key can be created.
sigul new-key --name-real='CentOS-5-B2PWeb' --name-comment='CentOS 5 B2PWeb Signing Key' --name-email='srs@b2pweb.com' --key-admin root centos-5-key
$ sigul new-key --help
usage: client.py new-key [options] key
Add a key
options:
-h, --help show this help message and exit
--key-admin=USER Initial key administrator
--name-real=NAME_REAL
Real name of key subject
--name-comment=NAME_COMMENT
A comment about of key subject
--name-email=NAME_EMAIL
E-mail of key subject
--expire-date=YYYY-MM-DD
Key expiration date
Import an existing key
sigul import-key 'CentOS-5-B2PWeb' ~/.gnupg/secring.gpg
Rename the key
Rename the key centos5 to centos-5-key
sigul modify-key --new-name centos-5-key centos5
Add a user
- Add an administrator user
sigul new-user --admin --with-password didier
Allow a user to use an existing key
sigul grant-key-access centos-5-key didier
sigul grant-key-access --help
usage: client.py grant-key-access key user
Grant key access to a user
options:
-h, --help show this help message and exit
Change the passphrase
sigul change-passphrase centos-5-key
sigul change-passphrase --help
usage: client.py change-passphrase key
Change key passphrase
options:
-h, --help show this help message and exit
FAQ
ERROR: I/O error: Unexpected EOF in NSPR
- Ensure the key directory exists and has the right permissions (owner and group: sigul)
This path is declared in <path>/etc/sigul/server.conf</path>:
gnupg-home: /var/lib/sigul/server/gnupg
- Ensure the sigul_bridge and sigul_server daemons are running
systemctl status sigul_server.service && systemctl status sigul_bridge.service
- Ensure sigul_bridge can connect to sigul_server (see the firewall configuration in Koji/SigulInstall)
Unknown error on creating key process
- Install <package>gnupg1</package> from http://people.redhat.com/mitr/rpmsigner/rhel6 or http://infrastructure.stg.fedoraproject.org/repo/builder-rpms/6Server/SRPMS/
- Make sure you're using a patched version of sigul
sed -i -e '/gnupg_bin/s,^.*$,gnupg_bin = "/usr/bin/gpg1",' /usr/share/sigul/settings.py
- Ensure <package>python-sqlalchemy</package> is installed
When your sigul cert expires, you will need to run 'certutil -d ~/.sigul -D -n sigul-client-cert' to remove the old cert, then 'sigul-client-setup' to add a new one.
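The FAQ entries above are a checklist; the script below turns the server-side ones into repeatable checks. It is an added example, not code from the wiki page or from Sigul itself: the config key gnupg-home, its default path, the owner sigul and the two unit names come from the page, while the 0700 mode expectation (gpg warns about a group- or world-accessible homedir) and the helper names parse_gnupg_home, evaluate_key_dir, audit_key_dir, unit_states and tcp_reachable are this example's own. The sample config text is constructed.

```python
"""Checks for the 'ERROR: I/O error: Unexpected EOF in NSPR' FAQ entry:
the gnupg-home directory named in /etc/sigul/server.conf must exist and be
owned by sigul, and sigul_server / sigul_bridge must be running.
Added example, not from the wiki page or from Sigul.
"""
import grp
import os
import pwd
import re
import socket
import stat
import subprocess

DEFAULT_GNUPG_HOME = "/var/lib/sigul/server/gnupg"   # value shown on the page


def parse_gnupg_home(conf_text: str) -> str:
    """Find `gnupg-home: <path>` in server.conf text; '#' comments and [sections] are ignored."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]
        match = re.match(r"^\s*gnupg-home\s*[:=]\s*(\S.*?)\s*$", line)
        if match:
            return match.group(1)
    return DEFAULT_GNUPG_HOME


def evaluate_key_dir(exists: bool, owner: str, group: str, mode: int, expected: str = "sigul") -> list:
    """Pure check on directory metadata; returns the list of problems, empty when all is well."""
    if not exists:
        return ["gnupg-home does not exist"]
    problems = []
    if owner != expected:
        problems.append(f"owner is {owner}, expected {expected}")
    if group != expected:
        problems.append(f"group is {group}, expected {expected}")
    if mode & 0o077:   # gpg warns about group/world access to its homedir (assumed 0700 here)
        problems.append(f"mode is {mode:04o}, expected 0700")
    return problems


def audit_key_dir(conf_path: str = "/etc/sigul/server.conf", expected: str = "sigul") -> list:
    """Read the real config, stat the directory and hand the metadata to evaluate_key_dir()."""
    with open(conf_path) as fh:
        path = parse_gnupg_home(fh.read())
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return evaluate_key_dir(False, "", "", 0, expected)
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    return evaluate_key_dir(True, owner, group, stat.S_IMODE(st.st_mode), expected)


def unit_states(units=("sigul_server.service", "sigul_bridge.service")) -> dict:
    """Map each unit to the output of `systemctl is-active` (active, inactive, failed, ...)."""
    states = {}
    for unit in units:
        try:
            proc = subprocess.run(["systemctl", "is-active", unit], capture_output=True, text=True)
            states[unit] = proc.stdout.strip() or proc.stderr.strip() or "unknown"
        except FileNotFoundError:
            states[unit] = "systemctl not found"
    return states


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP connect succeeds; use it for the bridge-to-server link the FAQ mentions."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed server.conf fragment, not the page's own file.
SAMPLE_CONF = """\
[server]
gnupg-home: /srv/sigul/gnupg   # overridden path
"""

if __name__ == "__main__":
    print(audit_key_dir())
    print(unit_states())
```

Run it as root on the Sigul server; an empty list from audit_key_dir() and "active" for both units means the first two FAQ bullets are satisfied, and tcp_reachable(host, port) with the port you opened in the firewall covers the third.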
Scripts
sigulsign_unsigned.py
The script is retrieved from Fedora's releng repository via git (git://git.fedorahosted.org/git/releng) or directly from https://git.fedorahosted.org/cgit/releng/tree/scripts/sigulsign_unsigned.py
Before this magic script, which signs all the unsigned RPMs built in Koji, can be used, a few variables need to be changed:
- Change the Koji hub URL (twice): KOJIHUB
- Specify our own certificate files: SERVERCA, CLIENTCA, CLIENTCERT
- Add our signing keys: KEYS
To obtain the IDs of our keys:
- export the key
sigul get-public-key centos-5-key > centos-5-key.asc
- import it into GPG
gpg --import centos-5-key.asc
- list our GPG keys
gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/773DF357 2013-08-20
uid CentOS-5-B2PWeb (CentOS 5 B2PWeb Signing Key) <srs@b2pweb.com>
sub 2048g/EBC96FF2 2013-08-20
The ID of our key centos-5-key is 773DF357
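The export/import/list steps above read the key ID off gpg's output by hand. The following added example (not code from the wiki page or from Fedora's releng scripts) derives the same value directly from the armored file that `sigul get-public-key` writes, which makes clear what that ID is: the low 32 bits of the v4 fingerprint, i.e. the last 8 hex digits, lower-cased as the KEYS dict in sigulsign_unsigned.py expects. The function names (armor, dearmor, first_packet, fingerprint, key_id, key_info) are this example's own, and the sample key is constructed: its DSA numbers are arbitrary bytes, which is sufficient because the fingerprint only hashes the packet body.

```python
"""Derive the key ID that sigulsign_unsigned.py's KEYS dict expects from an
ASCII-armored public key, i.e. the file written by `sigul get-public-key`.
Added example, not code from the wiki page or from Fedora's releng scripts.
The v4 fingerprint (RFC 4880 section 12.2) is SHA-1 over 0x99, a 2-byte
length and the public key packet body; `gpg --list-keys` prints its low 32
bits as the 8-hex-digit ID seen on the page (773DF357 for centos-5-key).
"""
import base64
import hashlib
import struct

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """Armor checksum (RFC 4880 section 6.1); catches corrupted or truncated armor."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packets: bytes) -> str:
    """Wrap raw packet bytes in a public key block the way `gpg --armor` does."""
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, ""] + lines + ["=" + crc, END]) + "\n"


def dearmor(text: str) -> bytes:
    """Undo armor(): skip armor headers (Version: ...), verify the CRC trailer if present."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PGP public key block")
    body = lines[lines.index("") + 1:-1]
    crc_line = body.pop() if body[-1].startswith("=") else None
    packets = base64.b64decode("".join(body))
    if crc_line and int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(packets):
        raise ValueError("armor checksum mismatch")
    return packets


def armor_is_intact(text: str) -> bool:
    """True when the block parses and its CRC-24 matches."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


def first_packet(data: bytes):
    """(tag, body) of the first old-format packet; key packets use that header form (0x99 = tag 6)."""
    head = data[0]
    if head & 0xC0 != 0x80:
        raise ValueError("expected an old-format OpenPGP packet header")
    tag, lentype = (head >> 2) & 0x0F, head & 0x03
    if lentype == 0:
        length, off = data[1], 2
    elif lentype == 1:
        length, off = struct.unpack(">H", data[1:3])[0], 3
    elif lentype == 2:
        length, off = struct.unpack(">I", data[1:5])[0], 5
    else:
        raise ValueError("indeterminate packet length not supported")
    return tag, data[off:off + length]


def fingerprint(armored: str) -> str:
    """Upper-case hex v4 fingerprint of the first public key packet in the block."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a v4 public key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(armored: str) -> str:
    """Lower-case short ID: the value to put in KEYS[name]['id'] in sigulsign_unsigned.py."""
    return fingerprint(armored)[-8:].lower()


def key_info(armored: str) -> dict:
    """Creation time and public key algorithm number (17 = DSA, 1 = RSA)."""
    _, body = first_packet(dearmor(armored))
    return {"created": struct.unpack(">I", body[1:5])[0], "algorithm": body[5]}


def mpi(value: bytes) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes."""
    value = value.lstrip(b"\x00")
    return struct.pack(">H", (len(value) - 1) * 8 + value[0].bit_length()) + value


def dsa_public_key_packet(created: int, p: bytes, q: bytes, g: bytes, y: bytes) -> bytes:
    """Old-format tag-6 packet (0x99 header, 2-byte length) holding a v4 DSA public key."""
    body = b"\x04" + struct.pack(">I", created) + b"\x11" + mpi(p) + mpi(q) + mpi(g) + mpi(y)
    return b"\x99" + struct.pack(">H", len(body)) + body


# Constructed sample: arbitrary MPI bytes, not a usable key; creation time 2013-08-20 00:00 UTC.
SAMPLE_CREATED = 1376956800
SAMPLE_KEY = armor(dsa_public_key_packet(
    SAMPLE_CREATED,
    hashlib.sha512(b"p").digest() * 2,    # 1024-bit p
    hashlib.sha256(b"q").digest()[:20],   # 160-bit q
    hashlib.sha512(b"g").digest() * 2,
    hashlib.sha512(b"y").digest() * 2,
))
```

For a real export, `key_id(open("centos-5-key.asc").read())` gives the string to paste into KEYS. Because the short ID is only 32 bits, two different keys can share it; the script matches on it anyway, so keep the full fingerprint in your own records and check it against what gpg prints after import.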
Change koji hostname, certificate files and add B2PWeb signing keys
diff -u a/sigulsign_unsigned.py b/sigulsign_unsigned.py
--- a/sigulsign_unsigned.py 2013-08-21 10:05:57.418032284 +0200
+++ b/sigulsign_unsigned.py 2013-08-21 10:13:11.683976970 +0200
@@ -38,11 +38,11 @@ rpmdict = {}
unsigned = []
loglevel = ''
passphrase = ''
-KOJIHUB = 'https://koji.fedoraproject.org/kojihub'
+KOJIHUB = 'http://koji.b2pweb.com/kojihub'
# Should probably set these from a koji config file
-SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert')
-CLIENTCA = os.path.expanduser('~/.fedora-upload-ca.cert')
-CLIENTCERT = os.path.expanduser('~/.fedora.cert')
+SERVERCA = os.path.expanduser('~/.koji/serverca.crt')
+CLIENTCA = os.path.expanduser('~/.koji/clientca.crt')
+CLIENTCERT = os.path.expanduser('~/.koji/client.pem')
# Setup a dict of our key names as sigul knows them to the actual key ID
# that koji would use. We should get this from sigul somehow.
KEYS = {'fedora-12-sparc': {'id': 'b3eb779b', 'v3': True},
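Review bot: the line `+KOJIHUB = 'http://koji.b2pweb.com/kojihub'` downgrades the hub URL from the original https to plain http, yet the three `+SERVERCA`/`+CLIENTCA`/`+CLIENTCERT` lines right below still point at certificate files; over http those certificates neither authenticate the hub nor the client, and the signing session travels in cleartext. Use `https://koji.b2pweb.com/kojihub` so the certificate paths that follow are actually used.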
@@ -67,7 +67,9 @@ KEYS = {'fedora-12-sparc': {'id': 'b3eb7
'fedora-10': {'id': '4ebfc273', 'v3': False},
'fedora-10-testing': {'id': '0b86274e', 'v3': False},
'epel-6': {'id': '0608b895', 'v3': True},
- 'epel-5': {'id': '217521f6', 'v3': False}}
+ 'epel-5': {'id': '217521f6', 'v3': False},
+ 'centos-5-key' : {'id': '773df357', 'v3': True},
+ 'centos-6-key' : {'id': 'd3f3c56a', 'v3': True}}
def exit(status):
"""End the program using status, report any errors"""
@@ -213,7 +215,7 @@ if not (opts.just_list or opts.just_writ
# Reset the KOJIHUB if the target is a secondary arch
if opts.arch:
- KOJIHUB = 'http://%s.koji.fedoraproject.org/kojihub' % opts.arch
+ KOJIHUB = 'http://%s.koji.b2pweb.com/kojihub' % opts.arch
# setup the koji session
logging.info('Setting up koji session')
kojisession = koji.ClientSession(KOJIHUB)
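Review bot: the secondary-arch line `+ KOJIHUB = 'http://%s.koji.b2pweb.com/kojihub' % opts.arch` keeps the http scheme, so the same plaintext, no-certificate concern as the primary KOJIHUB applies here; it also assumes a per-architecture hostname of the form `<arch>.koji.b2pweb.com` resolves, which the page shows only for Fedora's hubs, so either provision those names or leave this branch pointing at the single hub.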