Objective
Securely sign automatically, all of the different release artifacts that need to be signed.
Use Cases
In addition to rpms that we sign today we need to be able to sign the following
CHECKSUM Files
We use a command like:
for checksum in $(find $BASE/$RELEASEVER/$COMPOSEID/compose/ -name *CHECKSUM); do cat $checksum >/tmp/sum && NSS_HASH_ALG_SUPPORT=+MD5 sigul --batch sign-text -o /tmp/signed $KEY /tmp/sum $pass && chmod 644 /tmp/signed && sudo mv /tmp/signed $checksum done
Ideally I think we pass in a compose, the signing box then finds and signs all CHECKSUMS.
OStree repo commits
This needs further investigation, however it does need detached signatures. we need to evaluate how to add the commits to the ostree repo
repodata
To provide an extra layer of protection for users, and verification for the openh264 repo we need to make detached signatures of repomd.xml
for file in $(find ~/24-openh264-20160422 -name repomd.xml); do NSS_HASH_ALG_SUPPORT=+MD5 sigul sign-data fedora-24 $file -o $file.asc; chmod 644 $file.asc; done
Signing interface
We need to have a way to request that something gets signed and determine how the signed things get written to disk
hardware
We have a physical box. The thinking is that the passwords for a sigul user will be stored on the box, that will only be accessible by serial console and only to a limited set of users. The service will proxy signing requests, possibly authenticating via ssl cert or fedmsg or some other method.