Contenu remplacé par « {{:Koji/SigulInstall}} {{:Koji/SigulUsing}} »
(13 versions intermédiaires par le même utilisateur non affichées)
Ligne 1 :
Ligne 1 :
=Sigul Overview=
{{:Koji/SigulInstall}}
{{:Koji/SigulUsing}}
Sigul is a package signing server, which aids in signing RPM's either multiple, or single files. All keys reside solely on the sigul server, no user has access to any of the private or public keys. All communication with the server is done through the sigul bridge, it acts as the gateway between the client, and server. This isolates the server, preventing any unwanted access from outside sources other than the bridge. The sigul client once configured allows users to sign rpm's with keys created on the sigul server, by sending commands first to the bridge, which then relays to the server.
=Installation=
This part is very very easy {{Admon/smiley|:)}}
yum install seagul
=Sigul Bridge Setup=
What the bridge does: The bridge acts as the central gateway for sigul. The bridge is the only component which speaks to the server, if you are issuing any server bound commands from the client, your actually sending them to the bridge which in turn fires them off to the server, recieves the reply, and sends that back to the client. The bridge also functions as the gateway for Koji, when signing packages from a koji instance, the bridge speaks to the kojihub with authentication by way of a Proxy user, such as Kojiweb. We will be getting into the koji side of things a bit more later in this doc.
To begin setup, we have generate the certs which will be used for all sigul systems to authenticate between eachother. The bridge will be used as the CA for internal sigul communications.
{{Admon/warning|Be sure to remember all your NSS Password}}
== Operations with sigul account ==
All following commands must be done '''with sigul account'''
su - sigul -s /bin/bash
Create an NSS database on the bridge, to hold the certificate information
<pre>
bridge_dir=/var/lib/sigul
</pre>
Generate a new NSS database for the bridge at the location of the bridge_dir variable
<pre>
certutil -d $bridge_dir -N</pre>
Generate the CA (Certificate Authority) certificate, to be used accross all sigul components
CN must be the full qualified domain name of the server where bridge is hosted.
Now it is time to configure the bridge, edit '''with the root account''' the config at <path>/etc/sigul/bridge.conf</path>
* You can leave most things at their default such as ports, or fas-account settings, if using FAS authentication.
* Under the [NSS] section you can set nss-password: yournsspass
* The default configuration assumes you set up a separate "sigul" user and group. Remove the [daemon] section if you want the bridge to run as the invoking user.
* If you use a separate user and group issue: chown sigul:sigul $bridge_dir/*.db
After editing the config and setting up the certs, it is time for a test drive issue the following
sigul_bridge -v -v
This will start the bridge in DEBUG mode, and all information will be logged in /var/log/sigul_bridge
Check the log file after starting sigul, if there are no errors you are good to go.
{{Admon/note|You should see the first log message in /var/log/sigul_bridge.log:
<pre>2011-11-24 16:41:42,214 DEBUG: Waiting for the client to connect</pre>}}
Stop the sigul_bridge CRTL-C
Now we can start the service
service sigul_bridge start
or for fedora > 16
systemctl start sigul_bridge.service
=Sigul Server Setup=
What the server does: The server is completley cutoff from the rest of the world, It should be firewalled off except for incoming ports from the bridge, and should only be able to speak to the bridge, for max security, ensure it has no external access from other machines or even the web. It hold's all of the key files used for signing the RPMS, so no other users will have access to the key files, the server is the only system that knows the keys.
To begin setup, we have to follow a similar process to the bridge with NSS, except that we will import the CA cert generated on the bridge, not generate a new one.
== Operations with sigul account ==
Create the NSS database on the server, to hold the certificate information '''with the user sigul account'''
First we set the location where sigul resides on the system
<pre>
server_dir=/var/lib/sigul
certutil -d $server_dir -N
</pre>
This will generate a new NSS database for the server at the location of the server_dir variable
Import the CA (Certificate Authority) certificate, generated earlier on the bridge
=== ON THE BRIDGE as user sigul ===
<pre>
pk12util -d $bridge_dir -o myca.p12 -n sigul-ca
</pre>
This file should now be copied over to the server and deleted from the bridge afterwards
=== ON THE SERVER as user sigul ===
The sigul CA certs should now be imported
<pre>
pk12util -d $server_dir -i myca.p12
rm myca.p12
certutil -d $server_dir -M -n sigul-ca -t CT,,
</pre>
CN must be the full qualified domain name of the server where sigul server is hosted.
Now it is time to configure the server, edit the config at /etc/sigul/server.conf '''with root account'''<br>Note the default ports. Edit at least bridge-hostname and the [nss] section. The default configuration assumes you set up a separate "sigul" user and group; remove the [daemon] section if you want the server to run as the invoking user.
Now to create the database for the server which will hold all user and key entries issue the following * AS ROOT
<pre>sigul_server_create_db</pre>
Next Add the initial administrator
<pre>sigul_server_add_admin</pre>
After all is configured, it's time for a test drive
Start the server in DEBUG mode, and all information will be logged in <path>/var/log/sigul_server</path>
<pre>sigul_server -v -v</pre>
Check the log file after starting sigul server, if there are no errors you are good to go.
{{Admon/note|You should see the first log message in /var/log/sigul_bridge.log:
<pre>2011-11-24 16:36:42,154 DEBUG: Waiting for a request</pre>}}
Now we can start the service
service sigul_server start
or for fedora > 16
systemctl start sigul_server.service
=Sigul Client Setup=
What the client does: The client is simply that, a client, it has certs necessary for it to be authenticated with the sigul bridge to issue commands as the sigul admin, to the server. All client commands are sent to bridge which in turn talks to either koji or the server depending on what the clients request is.
To begin setup, we have to follow a similar process to the bridge with NSS, except that we will import the CA cert generated on the bridge, not generate a new one.
Create the NSS database on the client, to hold the certificate information issue the following
== Operations with user sigul ==
client_dir=~/.sigul
certutil -d $client_dir -N
Import the CA (Certificate Authority) certificate, generated earlier on the bridge
Configure the client, edit the config at <path>/etc/sigul/client.conf</path>
* You can leave most things set as default except for the following:
* bridge-hostname and server-hostname be sure to change those to match the hostnames of each of those machines.
* under [ NSS] user-name set this to the value of the admin user your setup on the server previously
* If you wish to avoid entering an NSS password upon issuing each command, issue vim <path>~/.sigul/client.conf</path> and add the following lines:<br><pre>nss-password: Your NSS PASS</pre>
After configuring your client, issue a test client command in DEBUG mode as follows:
sigul -v -v list-users
{{Admon/note|This should return a list of users on the server, at this point it should only really display the one admin user created before. For more commands issue sigul --help-commands for a full list}}
Create an initial key once you are able to issue commands to sigul, issue the following:
sigul new-key -h
This will output the options that can be used with the key creation, use the ones you want, and generate the key.
Please note when generating the key, it requires a lot of Entropy on the server, so issue some commands to keep server busy and help it generate faster, usually a simple find / will generate enough for it to take about 2 minutes to generate the key.
=Sigul with koji Setup=
How it works with koji: Sigul can be used with koji to sign multiple packages in a koji instance. Provided you have your client user already configured with Koji, it's a simple matter of configuring the proxy user on sigul_bridge. When a client issues a sign command for a koji instance, the bridge is what actually queries koji on behalf of the client user, and grabs the rpm's to be signed from sigul by way of the kojiweb user. The only thing you must ensure is that your koji client user as admin privileges on the koji server, and the bridge takes care if the rest.
As ROOT on the sigul bridge, edit /etc/sigul/bridge.conf edit the koji section as follows:
[koji]
koji-config: /path/to/koji/config/file <-- The config file should be that of koji web
The koji configuration file and certs can reside under any directory that sigul has atleast read privileges on. The kojiweb certificates that allow kojiweb to authenticate with koji must be copied to this directory, along with the config file which points to the koji instance, as well as the kojiweb certs needed for it to authenticate.
After doing the above restart the bridge, and you should now be able to pull packages from koji and sign them.
To test issue the following on the client, to download and RPM from koji - sign it - and store it locally - Just as a test for koji connectivity and authentication:
sigul sign-rpm -o signed.rpm key_name unsigned.rpm <-- key_name should be the name of the sigul key you setup previously.
If the above is successful, you will have an rpm named signed.rpm in the directory you are working in.
=Sigul Client Config Script=
The following is an optional script, which can be used to aide in the quick setup of sigul clients, when not using FAS Authentication:
* Note that the user must first have an account created on the sigul server, this script is solely to setup the client side certificates
*If you plan to use FAS Authentication, run sigul_setup_client as the user you wish to setup.
= Description =
At the beginning of each release under development a new package signing key is created for it. This key is used to prove the authenticity of packages built by Fedora and distributed by Fedora. This key will be used to sign all packages for the public test and final releases.
= Action =
== Sigul ==
Sigul is the signing server which holds our keys. In order to make use of a new key, the key will have to be created and access to the key will have to be granted. The <code>new-key</code>, <code>grant-key-access</code>, and <code>change-passphrase</code> commands are used.
<pre>
$ sigul new-key --help
usage: client.py new-key [options] key
Add a key
options:
-h, --help show this help message and exit
--key-admin=USER Initial key administrator
--name-real=NAME_REAL
Real name of key subject
--name-comment=NAME_COMMENT
A comment about of key subject
--name-email=NAME_EMAIL
E-mail of key subject
--expire-date=YYYY-MM-DD
Key expiration date
$ sigul grant-key-access --help
usage: client.py grant-key-access key user
Grant key access to a user
options:
-h, --help show this help message and exit
$ sigul change-passphrase --help
usage: client.py change-passphrase key
Change key passphrase
options:
-h, --help show this help message and exit
</pre>
For example if we wanted to create the Fedora 13 signing key, we would do the following:
<ol>
<li>Log into a system configured to run sigul client.</li>
<li>Create the key using a strong passphrase when prompted
<li>Wait a while for entropy. This can take several minutes.</li>
<li>Grant key access to Fedora Account holders who will be signing packages and protect it with a temporary a passphrase. For example, "CHANGEME."
<pre>
$ sigul grant-key-access fedora-13 jwboyer
</pre></li>
<li>Provide the key name and temporary passphrase to signers. If they don't respond, revoke access until they are ready to change their passphrase. Signers can change their passphrase using the <code>change-passphrase</code> command:
<pre>
$ sigul change-passphrase fedora-13
</pre></li>
<pre><li>
When your sigul cert expires, you will need to run: 'certutil -d ~/.sigul -D -n sigul-client-cert' to remove the old cert, then 'sigul-client-setup' to add a new one.
</pre></li>
</ol>
== fedora-release ==
The fedora-release package houses a copy of the public key information. This is used by rpm to verify the signature on files encountered. Currently the fedora-release package has a single key file named after the version of the key and the arch the key is for. To continue our example, the file would be named <code>RPM-GPG-KEY-fedora-13-primary</code> which is the primary arch key for Fedora 13. To create this file, use the <code>get-public-key</code> command from sigul:
Add this file to the repo, and remove the previous release's file.
<pre>
$ cvs rm RPM-GPG-KEY-fedora-12-primary
$ cvs add RPM-GPG-KEY-fedora-13-primary
</pre>
Then make a new fedora-release build for rawhide ('''FIXME''': this should be its own SOP)
== fedoraproject.org ==
fedoraproject.org/keys lists information about all of our keys. We need to let the webteam know we have created a new key so that they can add it to the list.
We do this by sending an email to webmaster@fedoraproject.org pointing to the viewvc
http://cvs.fedoraproject.org/viewvc/fedora-release/RPM-GPG-KEY-fedora-13-primary?revision=1.1&root=fedora&view=co as well as including a URL to this page so that the process is not forgotten (see section below)
This url will have to be refreshed for the right release and CVS version
=== Web team SOP ===
<pre>
# from git repo root
cd fedoraproject.org/
curl $KEYURL > /tmp/newkey
$EDITOR update-gpg-keys # Add key ID of recently EOL'd version to obsolete_keys
./update-gpg-key /tmp/newkey
gpg static/fedora.gpg # used to verify the new keyring
# sub 2048g/B6610DAF 2007-03-02 [expires: 2017-02-27]
# it must only have the two supported versions of fedora, rawhide and EPEL
# also verify that static/$NEWKEY.txt exists
$EDITOR data/content/{keys,verify}.html # see git diff 1840f96~ 1840f96
</pre>
== sigulsign_unsigned ==
sigulsign_unsigned is the script Release Engineers use to sign content in koji. This script has a hardcoded list of keys and aliases to the keys that needs to be updated when we create new keys.
Add the key details to the <code>KEYS</code> dictionary near the top of the <code>sigulsign_unsigned.py</code> script. It lives in Release Engineering's git repo at <code>git://git.fedorahosted.org/git/releng</code> in the <code>scripts</code> directory. You will need to know the key ID to insert the correct information:
<pre>
$ gpg <key block from sigul get-public-key>
</pre>
== Public Keyservers ==
We upload the key to the public key servers when we create the keys. To do this, we need to get the ascii key block from sigul, determine the key ID, import they key into our local keyring, and then upload it to the key servers.
<pre>
$ sigul get-public-key fedora-13 > fedora-13
$ gpg fedora-13 (The ID is the "E8E40FDE" part of 4096R/E8E40FDE)
$ gpg --import fedora-13
$ gpg --send-keys E8E40FDE
</pre>
== Mash ==
Mash is the tool that composes our nightly trees, and as such it needs to know about the new key. This currently is done by checking mash out from git, editing the rawhide.mash file and sending the patch to the mash upstream.
<pre>
$ git clone git://git.fedorahosted.org/git/mash
$ cd mash
$ vim configs/rawhide.mash
<add key to front of keys = line>
$ git commit -m 'Add new key'
$ git send-email --to notting@redhat.com HEAD^
</pre>
Coordinate with Bill Nottingham to get a new build of mash done with the change.
== Koji ==
Koji has a garbage collection utility that will find builds that meet criteria to be removed to save space. Part of that criteria has to do with whether or not the build has been signed with a key. If the collection utility doesn't know about a key it will ignore the build. Thus as we create new keys we need to inform the utility of these keys or else builds can pile up. The configuration for the garbage collection lives within puppet.
On the puppet server in a clone edit the configs/build/koji-gc.conf file:
tag *-testing *-candidate *-override && order >= 2 :: untag
</pre>
In this case the fedora-epel key was added to the list of key aliases, then referenced in the list of unprotected_keys, and finally a policy was created for how long to keep builds signed with this key.
Once you've made your change commit and push. The buildsystem will pick up this change the next time puppet refreshes.
= Verification =
We can verify that the key was created in sigul, the correct users have access to the key, the key was added to the fedora-release package, that the website was updated with the right key, that sigulsign_unsigned was properly updated, and that the key was successfully updated to the public key servers.
== sigul ==
Use the <code>list-keys</code> command to verify that the key was indeed added to sigul:
<pre>
$ sigul list-keys
Administrator's password:
fedora-10
fedora-10-testing
fedora-11
fedora-12
fedora-13
</pre>
Our new key should be on the list. This command expects <b>your</b> administrative password.
Use the <code>list-key-users</code> command to verify all the signers have access:
<pre>
$ sigul list-key-users fedora-13
Key passphrase:
jkeating
jwboyer
</pre>
This command expects <b>your</b> key passphrase for the key in question.
== fedora-release ==
To verify that the key was added to this package correctly, download the latest build from koji and run rpm2cpio on it, then run gpg on the key file:
<pre>
$ koji download-build --arch noarch --latest dist-f13 fedora-release
<class>Sigul</class> est une suite logicielle pour un serveur de signature, qui peut signer les RPMs ou de simple ou multiples fichiers. Toutes les clés GPG sont stockés uniquement sur le serveur <class>Sigul</class> (Sigul server), et donc aucun utilisateur n'a accès à aucune clé publique ou privée. Toutes les communications avec le serveur passent par le pont <class>Sigul</class> (Sigul bridge) qui agit comme une passerelle entre le client et le serveur. Cela isole le serveur et interdit tout accès extérieur autre que depuis le pont. Le client <class>Sigul</class>, une fois configuré, autorise les utilisateurs à signer les RPMs avec les clés créées (ou importées) sur le serveur <class>Sigul</class>, en envoyant des commandes au pont, qui lui se chargera de transmettre au serveur.
Architecture de Sigul
<class>Sigul</class> sur les systèmes el6 <class>Sigul</class> a un bug récurrent[1] sur les systèmes el6 et a besoin de travailler avec le paquet <package>gnupg1</package> au lieu du paquet par défaut <package>gnupg2</package>.
Il faut modifier le fichier <path>/usr/share/sigul/settings.py</path>
gnupg_bin = "/usr/bin/gpg1"
Le paquet <package>sigul</package> du dépôt B2PWeb intègre déjà les modifications pour travailler avec <package>gnupg1</package>.
Installation
Rien de plus simple, on installe via yum, puis on créé l'arborescence nécessaire aux composants de <class>Sigul</class>
La création de l'arborescence est rendue nécessaire par le fait d'installer le pont et le serveur sur le même système (chose qui n'est pas recommandée pour des raisons de sécurité)
Modification permanente pour l'utilisateur sigul Il peut être pratique de fixer le shell pour l'utilisateur sigul afin de simplifier les commandes d'administrations
# usermod -s /bin/bash sigul
De même, on peut fixer définitivement les variables utilisées dans l'installation en ajoutant au fichier <path>~/.bash_profile</path> de l'utilisateur sigul
Le pont agit en tant que passerelle centrale su système <class>Sigul</class>. C'est le seul composant qui dialogue avec le serveur, c'est à dire que les commandes clientes pour le serveur vont être envoyées au pont, qui les relayera au serveur, recevra la réponse et la redistribuera au client. Le pont agit en tant que passerelle pour Koji pour la signature des paquets, le pont dialogue avec le Hub Koji avec l’authentification d'un utilisateur Proxy, comme Kojiweb. La partie sur la liaison entre <class>Sigul</class> et <class>Koji</class> est ici.
Pour démarrer la mise en place, on doit générer les certificats qui seront utilisés pour authentifier les différent composants du système <class>Sigul</class> entre eux. Le pont sera utilisé comme Autorité de Certification pour les communications internes du système <class>Sigul</class>.
Opérations avec le compte sigul
Comme toutes les commandes de cette partie doivent être lancées par l'utilisateur sigul, on va donc devenir cet utilisateur
# su - sigul
Définition du répertoire de destination
bridge_dir=/var/lib/sigul/bridge
Création de la base de données NSS, pour garder les informations des certificats, dans le répertoire de destination définit par la variable $bridge_dir
certutil-d$bridge_dir-N
Génération de l'autorité de certification (CA: Certificate Authority) qui sera utilisée par tous les composants <class>Sigul</class>
Le serveur est complètement isolé du reste du monde. Toutes les communications depuis l'extérieur doivent être interdites, exception faite des communications avec le pont. De même, les communications sortantes doivent être restreintes au pont pour un maximum de sécurité. Il faut s'assurer qu'aucun accès exterieur est possible (même web). Il détient toutes les clés pour signer les RPMs, et donc aucun utilisateur ne doit avoir accès directement aux clés, le serveur est le seul système qui connait les clés.
Opérations préalables sur le pont avec l'utilisateur sigul
Export de l'autorité de certification dans le fichier <path>sigulca.p12</path>
pk12util-d$bridge_dir-osigulca.p12-nsigul-ca
Copie du fichier <path>sigulca.p12</path> sur le serveur <class>Sigul</class>
Destruction de l'export
rm-fsigulca.p12
Opérations avec l'utilisateur sigul
Comme toutes les commandes de cette partie doivent être lancées par l'utilisateur sigul, on va donc devenir cet utilisateur
# su - sigul
Définition du répertoire de destination
server_dir=/var/lib/sigul/server
Création de la base de données NSS, pour garder les informations des certificats, dans le répertoire de destination définit par la variable $server_dir
certutil-d$server_dir-N
Import de l'autorité de certification (CA: Certificate Authority)
pk12util-d$server_dir-isigulca.p12
certutil-d$server_dir-M-nsigul-ca-tCT,,
Génération d'un certificat pour le serveur Le champs CN doit être le nom complet de l'hôte (fqdn) sur lequel le serveur est hebergé
Opérations sur le client avec l'utilisateur qui utilisera Sigul
Définition du répertoire de destination
client_dir=~/.sigul
Création de celui-ci
mkdir$client_dir
Création de la base de données NSS, pour garder les informations des certificats, dans le répertoire de destination définit par la variable $client_dir
certutil-d$client_dir-N
Import de l'autorité de certification (CA: Certificate Authority)
pk12util-d$client_dir-isigulca.p12
certutil-d$client_dir-M-nsigul-ca-tCT,,
Génération d'un certificat pour le serveur Le champs CN doit être le login de l'utilisateur pour le système <class>Sigul</class>
Suppression de l'export de l'autorité de certification
rm-fsigulca.p12
Copie du fichier de configuration générale des clients <path>/etc/sigul/client.conf</path> dans son répertoire personnel <path>~/.sigul/client.conf</path>
cp/etc/sigul/client.conf~/.sigul/client.conf
Édition du fichier <path>~/.sigul/client.conf</path> pour insérer le mot de passe de l'utilisateur dans la section [nss].
nss-password:YourNSSPASS
Test
Test avec une commande sigul pour valider le bon fonctionnement de toute la chaine
sigul list-users
On peut maintenant utiliser pleinement <class>Sigul</class>.
Sigul Client Config Script
Ce script peut être utilisé pour mettre en place rapidement l’authentification pour un client <class>Sigul</class> quand l’authentification FAS n'est pas utilisée.
L'utilisateur doit déjà être créé sur le serveur Ce script ne fait que la mise en place des certificats.
#!/bin/bash#Variables### And initial setup#######mkdir~/.sigul
client_dir=~/.sigul
user=$(whoami)####################echo############################Begin Certificate importsecho"======================="echo"Setting up NSS Database"echo"======================="certutil-d$client_dir-N
echoecho"==================="echo"Downloading CA Cert"echo"==================="wgethttp://someurl.com/sigul/sigulca.p12<--Substitutewithapathorurlofyourexported.p12
echoecho"=================="echo"Importing CA certs"echo"=================="pk12util-d$client_dir-isigulca.p12
certutil-d$client_dir-M-nsigul-ca-tCT,,
echoecho"======================"echo"Generating Client cert"echo"======================"certutil-d$client_dir-S-nsigul-client-cert-s"CN=$user"-csigul-ca-tu,,-v120echoecho"======================"#########End certificate imports#########################################################NSS password Saver#############read-p"Would you like to save your nss pass to ~/.sigul/client.conf [y/n]: "nsspasssel
#########User Input conditional#########if[$nsspasssel=="y"-o$nsspasssel=="Y"];thenecho"Enter your NSS password One more time: "read-snsspass
echo"[nss]">~/.sigul/client.conf
echo"nss-password: $nsspass">>~/.sigul/client.conf
echoecho"==========="echo"Cleaning up"echo"==========="rmsigulca.p12
elseechoecho"==========="echo"Cleaning up"echo"==========="rmsigulca.p12
fi#########################################\
$ sigul --help-commands
delete-key Delete a key
modify-key-user Modify user's key access
list-users List users
grant-key-access Grant key access to a user
sign-text Output a cleartext signature of a text
import-key Import a key
new-user Add a user
sign-rpm Sign a RPM
list-keys List keys
sign-data Create a detached signature
revoke-key-access Revoke key acess from a user
user-info Show information about a user
change-passphrase Change key passphrase
list-key-users List users that can access a key
new-key Add a key
modify-user Modify a user
sign-rpms Sign one or more RPMs
modify-key Modify a key
delete-user Delete a user
key-user-info Show information about user's key access
get-public-key Output public part of the key
Créer une nouvelle clé
Une fois le client Sigul capable d'envoyer des commandes à <class>Sigul</class>, on peut créer une nouvelle clé nommée centos-5-key.
Générer beaucoup d'entropie durant le génération de la clé La génération de la clé nécessite beaucoup d'entropie sur le serveur Sigul. On peut donc occuper le serveur et paradoxalement accélerer la génération de la clé.
La commande suivant génère assez d'entropie pour 2 minutes:
find / > /dev/null 2>&1
$ sigul new-key --help
usage: client.py new-key [options] key
Add a key
options:
-h, --help show this help message and exit
--key-admin=USER Initial key administrator
--name-real=NAME_REAL
Real name of key subject
--name-comment=NAME_COMMENT
A comment about of key subject
--name-email=NAME_EMAIL
E-mail of key subject
--expire-date=YYYY-MM-DD
Key expiration date
Autoriser l'utilisation d'une clé existante à un utilisateur
sigul grant-key-access centos-5-key didier
sigul grant-key-access --help
usage: client.py grant-key-access key user
Grant key access to a user
options:
-h, --help show this help message and exit
Modifier la phrase de passe
sigul change-passphrase centos-5-key
sigul change-passphrase --help
usage: client.py change-passphrase key
Change key passphrase
options:
-h, --help show this help message and exit
FAQ
ERROR: I/O error: Unexpected EOF in NSPR
S'assurer que le répertoire des clés existe. Ce chemin est déclaré dans le fichier <path>/etc/sigul/server.conf</path>
gnupg-home: /var/lib/sigul/server/gnupg
Propriétaire: sigul
Groupe: sigul
Droits: 0700 rwx------
Lien symbolique /var/lib/sigul/gnupg pointant sur <path>/var/lib/sigul/server/gnupg</path>
S'assurer qu'il y a suffisamment d'espace disque ( en gros deux fois la taille du plus gros paquet RPM )
S'assurer que les daemons sigul_bridge et sigul_server sont démarrés
service sigul_server status && service sigul_bridge status
Vérifier les journaux du serveur, l'erreur est surement plus explicite
/usr/bin/rpmsign: No such file or directory
Il suffit d'installer le paquet <package>rpm-sign</package> qui n'est pas installé par défaut sur centos 7. Un simple yum provides /usr/bin/rpmsign donne le paquet à installer.
S'assurer que Sigul est configurer pour utiliser <package>gnupg1</package>
sed -i -e '/gnupg_bin/s,^.*$,gnupg_bin = "/usr/bin/gpg1",' /usr/share/sigul/settings.py
S'assurer que le paquet <package>python-sqlalchemy</package> soit installé
Certificats client expirés
Une fois le certificat client expiré, il faut le désactiver localement
certutil -d ~/.sigul -D -n sigul-client-cert
et refaire une génération de certificat client.
Interfacer Sigul et koji
configuration
<class>Sigul</class> peut être utiliser pour signer un ou de multiples RPMs dans une instance <class>Koji</class>. Une fois le client Sigul correctement configuré, il suffit juste de configurer l'utilisateur Proxy pour Koji. Quand un client <class>Sigul</class> émet une requête de signature pour <class>Koji</class>, le pont <class>Sigul</class> se connecte à <class>Koji</class> en tant qu'utilisateur kojiweb. Il faut juste s'assurer que l'utilisateur demandeur a les droits administrateur sur le <class>Koji</class> et <class>Sigul</class> s'occupe du reste.
La configuration pour <class>Koji</class> peut être situer n'importe où, du moment que l'utilisateur sigul a droit de lecture. Les certificats pour kojiweb doivent être copiés dans le même chemin que la configuration <class>Koji</class>
Comme toutes les commandes de cette partie doivent être lancées par l'utilisateur sigul, on va donc devenir cet utilisateur
su-sigul
Création du répertoire de configuration de <class>Koji</class>
mkdir-p~/.koji
Copie de la configuration par défaut du client <class>Koji</class>
cp/etc/koji.conf~/.koji/config
Copie des certificats Kojiweb dans celui-ci
cp/etc/pki/koji/pem/kojiweb.pem.koji/client.pem
cp/etc/pki/koji/kojica.crt.koji/clientca.crt
cp/etc/pki/koji/kojica.crt.koji/serverca.crt
Après avoir redémarrer le pont <class>Sigul</class>, le client doit être capable d'obtenir un RPM depuis Koji et de le signer.
Test
Pour tester l'interfaçage, on va obtenir un RPM depuis <class>Koji</class>, le signer et le sauvegarder dans le répertoire de travail actuel. c'est juste pour tester la connxion et l'authentification sur <class>Koji</class> et <class>Sigul</class>.
sigulsign-rpm-osigned.rpmkey_nameunsigned.rpm
Si la commande précédente fonctionne, un RPM signé est présent dans le répertoire de travail actuel.
Avant de pouvoir utiliser ce script magique qui va signer tous les RPM non-signés (derniers m-v-r) construit dans le Koji, il est nécessaire de modifier quelques variables:
Changer l'URL du HUB Koji (2 fois): KOJIHUB
Spécifier nos propres fichiers de certificats: SERVERCA, CLIENTCA, CLIENTCERT
Ajout de nos clés de signature: KEYS
Casse de l'ID dans le script sigulsign_unsigned.py GPG rapporte un ID écrit en majuscule mais dans le script, celui-ci doit être renseigné en minuscule pour que le processus fonctionne.
Change koji hostname, certificate files and add B2PWeb signing keys
diff -u a/sigulsign_unsigned.py b/sigulsign_unsigned.py--- a/sigulsign_unsigned.py 2013-08-21 10:05:57.418032284 +0200+++ b/sigulsign_unsigned.py 2013-08-21 10:13:11.683976970 +0200@@ -38,11 +38,11 @@ rpmdict = {}unsigned = []
loglevel = ''
passphrase = ''
-KOJIHUB = 'https://koji.fedoraproject.org/kojihub'+KOJIHUB = 'http://koji.b2pweb.com/kojihub'# Should probably set these from a koji config file
-SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert')-CLIENTCA = os.path.expanduser('~/.fedora-upload-ca.cert')-CLIENTCERT = os.path.expanduser('~/.fedora.cert')+SERVERCA = os.path.expanduser('~/.koji/serverca.crt')+CLIENTCA = os.path.expanduser('~/.koji/clientca.crt')+CLIENTCERT = os.path.expanduser('~/.koji/client.pem')# Setup a dict of our key names as sigul knows them to the actual key ID
# that koji would use. We should get this from sigul somehow.
KEYS = {'fedora-12-sparc': {'id': 'b3eb779b', 'v3': True},
@@ -67,7 +67,9 @@ KEYS = {'fedora-12-sparc': {'id': 'b3eb7 'fedora-10': {'id': '4ebfc273', 'v3': False},
'fedora-10-testing': {'id': '0b86274e', 'v3': False},
'epel-6': {'id': '0608b895', 'v3': True},
- 'epel-5': {'id': '217521f6', 'v3': False}}+ 'epel-5': {'id': '217521f6', 'v3': False},+ 'centos-5-key' : {'id': '773df357', 'v3': True},+ 'centos-6-key' : {'id': 'd3f3c56a', 'v3': True}}def exit(status):
"""End the program using status, report any errors"""
@@ -213,7 +215,7 @@ if not (opts.just_list or opts.just_writ# Reset the KOJIHUB if the target is a secondary arch
if opts.arch:
- KOJIHUB = 'http://%s.koji.fedoraproject.org/kojihub' % opts.arch+ KOJIHUB = 'http://%s.koji.b2pweb.com/kojihub' % opts.arch# setup the koji session
logging.info('Setting up koji session')
kojisession = koji.ClientSession(KOJIHUB)
Signature d'un ou plusieurs paquets
C'est utile afin de signer des paquets qui ne sont pas les derniers construits (dernier N-V-R)