12-14-2010, 12:12 PM
Oliver Falk
Signing built RPMs or how to create signed RPMs.

On 12/14/2010 02:03 PM, Josh Boyer wrote:
> On Tue, Dec 14, 2010 at 7:58 AM, Oliver Falk<oliver@linux-kernel.at> wrote:
>>> There are no dirty tricks. It essentially goes:
>>>
>>> 1) RPMs built in koji
>>> 2) sign_unsigned.py is run against various koji tags. Either
>>> dist-f1x-candidates or dist-f1x-updates-testing, or whichever need to
>>> be signed. NOTE: rawhide is not signed
>>> 3) mash is run against the tag after the RPMs have all been signed.
>>> 4) Bodhi does some symlink switching after all the mashes have
>>> completed successfully and the new repos are pushed to the mirrors.
>>>
>>> That's it. No tricks, nothing super efficient.
>>>
>>> At some point, there was discussion on having koji do the signing
>>> automatically after a build completes. I think that is still a long
>>> term plan, but it requires a project to use a single key for all
>>> packages.
>>
>>
>> Sorry Josh. This wasn't meant as offence! I just never saw any
>> documentation about this part - maybe I just didn't look hard enough. :-)
>
> Oh, I wasn't offended in the slightest.

Fine.

> If anything I was wishing we had dirty tricks, because how it is
> done right now is fairly inefficient.

That's true!

> And yes, there should be more documentation in this area under the
> RelEng SOPs. I'll take the blame for that, as I never got around to
> writing it.

:-) I know that problem!

-of
--
buildsys mailing list
buildsys@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/buildsys
 
12-14-2010, 12:20 PM
Christos Triantafyllidis
Signing built RPMs or how to create signed RPMs.

On Dec 14, 2010, at 2:50 PM, Josh Boyer wrote:

> On Tue, Dec 14, 2010 at 2:49 AM, Oliver Falk <oliver@linux-kernel.at> wrote:
>> Hi Allen!
>>
>> I'm not sure how the Fedora guys do it... There's a lot of black
>> (scripting) magic involved I guess. :-)
>>
>> And yes, the script is already using the larger key size, but that's
>> not hard to "fix"...
>>
>> Come on guys, show us your dirty little tricks! :-P
>
> There are no dirty tricks. It essentially goes:
>
> 1) RPMs built in koji
> 2) sign_unsigned.py is run against various koji tags. Either
> dist-f1x-candidates or dist-f1x-updates-testing, or whichever need to
> be signed. NOTE: rawhide is not signed
> 3) mash is run against the tag after the RPMs have all been signed.
> 4) Bodhi does some symlink switching after all the mashes have
> completed successfully and the new repos are pushed to the mirrors.
>
> That's it. No tricks, nothing super efficient.
>
> At some point, there was discussion on having koji do the signing
> automatically after a build completes. I think that is still a long
> term plan, but it requires a project to use a single key for all
> packages.
>
> josh

Hi Josh, all,

I'm reading this thread and I think that I've missed some point. What is the purpose of signing an RPM if you sign it on an online machine? I haven't seen the sign_unsigned.py source yet but I guess what should be there is a mechanism that should download the unsigned RPMs, then a manual operation of RPM sign (possibly on an offline or at least access restricted node), and then another script to import the signed RPMs (or just the signatures).

Am I seeing this from a wrong perspective? Does Fedora really sign the RPMs online? I guess this gets even worse if the sign operation is done more efficiently, automatically after each koji build.

I hope I don't sound offensive, but these were my thoughts as I want/need to implement something like this in our local koji installation and I hoped that you were using something more sophisticated.

Regards,
Christos
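Josh's steps 2 and 3 in the quoted pipeline (sign the tag, then mash it) leave an obvious place for a check: nothing should be mashed from a tag that still contains unsigned rpms, or rpms signed with some other key (rawhide, for instance, is not signed at all). The gate below is an added example written for this thread, not a Fedora rel-eng script and not part of sign_unsigned.py or mash. It parses lines in the shape rpm prints for the `%{SIGPGP:pgpsig}` query format: `(none)` for an unsigned package, otherwise a field ending in `Key ID <hex>`. The package names, dates and key IDs in the sample are constructed.

```python
"""Pre-mash gate: refuse to compose a koji tag until every rpm in it carries
a signature from the expected key.  Added illustration, not Fedora rel-eng
code.  Input lines have the shape produced by
    rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n' *.rpm
i.e. '(none)' for an unsigned package, otherwise a field ending in
'Key ID <hex>'.  (Packages signed with a DSA key keep theirs in
%{SIGGPG:pgpsig}; query both if you have any.)  The sample lines and
key IDs below are constructed, not real Fedora values."""
import re

# Trailing 'Key ID <8..16 hex digits>' of rpm's pgpsig formatter.
_KEYID = re.compile(r"Key ID ([0-9a-fA-F]{8,16})\s*$")

# Constructed sample of three packages: signed with our key, unsigned,
# and signed with somebody else's key.
SAMPLE_OUTPUT = """\
foo-1.0-1.fc14.x86_64 RSA/SHA256, Mon 13 Dec 2010 10:21:05 PM UTC, Key ID 0123456789abcdef
bar-2.0-3.fc14.noarch (none)
baz-0.9-2.fc14.x86_64 RSA/SHA256, Tue 14 Dec 2010 01:02:03 AM UTC, Key ID fedcba9876543210
"""
EXPECTED_KEY = "0123456789ABCDEF"   # constructed; compared case-insensitively


def parse_sig_line(line):
    """One query-format line -> (nvra, lower-case key id, or None if unsigned)."""
    nvra, _, sig = line.strip().partition(" ")
    if not nvra:
        raise ValueError("empty line")
    if sig == "(none)":
        return nvra, None
    m = _KEYID.search(sig)
    if not m:
        # Anything we cannot classify must fail closed rather than pass.
        raise ValueError(f"unrecognised signature field for {nvra}: {sig!r}")
    return nvra, m.group(1).lower()


def gate(lines, expected_keyid):
    """Sort packages into ok / unsigned / wrong_key buckets."""
    report = {"ok": [], "unsigned": [], "wrong_key": []}
    want = expected_keyid.lower()
    for line in lines:
        if not line.strip():
            continue
        nvra, keyid = parse_sig_line(line)
        if keyid is None:
            report["unsigned"].append(nvra)
        elif keyid != want:
            report["wrong_key"].append((nvra, keyid))
        else:
            report["ok"].append(nvra)
    return report


def mash_allowed(report):
    """True only when nothing is unsigned or signed with a foreign key."""
    return not report["unsigned"] and not report["wrong_key"]


if __name__ == "__main__":
    result = gate(SAMPLE_OUTPUT.splitlines(), EXPECTED_KEY)
    for bucket, items in result.items():
        print(f"{bucket}: {items}")
    # False for the sample: bar is unsigned and baz carries another key.
    print("mash allowed:", mash_allowed(result))
```

Run it against the real output of the rpm query above for the rpms of a tag (or the files koji wrote out with the signed headers), and only start mash when `mash_allowed` is true; a parse failure is deliberately an error, since a package whose signature field cannot be read should stop the compose rather than slip through.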

 
12-14-2010, 12:26 PM
Josh Boyer
Signing built RPMs or how to create signed RPMs.

On Tue, Dec 14, 2010 at 8:20 AM, Christos Triantafyllidis
<ctria@grid.auth.gr> wrote:
> Hi Josh, all,
>
> I'm reading this thread and I think that I've missed some point. What is the purpose of signing an RPM if you sign it on an online machine? I haven't seen the sign_unsigned.py source yet but I guess what should be there is a mechanism that should download the unsigned RPMs, then a manual operation of RPM sign (possibly on an offline or at least access restricted node), and then another script to import the signed RPMs (or just the signatures).

sign_unsigned.py uses sigul under the covers to do the actual RPM signing.

> Am I seeing this from a wrong perspective? Does Fedora really sign the RPMs online? I guess this gets even worse if the sign operation is done more efficiently, automatically after each koji build.

No, currently the signing is done on a secure node. There is a sigul
bridge that interfaces with sigul client requests and a secure node in
the datacenter that can only talk to that bridge. It is not
accessible via http, ssh, etc. The server signs the RPMs using the
keys.

Additionally, the server also generates those keys and stores them
locally. Authenticated users can request it sign an RPM with a
particular key, but those users don't actually have access to that key
at all. The gpg key never leaves the sigul server. This is much
better than what was previously done, as that required sending the
key(s) to trusted individuals on multiple machines.

josh
 
12-14-2010, 05:17 PM
Jesse Keating
Signing built RPMs or how to create signed RPMs.

On 12/13/10 9:54 PM, Allen Hewes wrote:
>
>>
>> Hi Allen!
>>
>> You might want to look at the following post:
>>
>> http://www.mail-archive.com/fedora-buildsys-list@redhat.com/msg02187.html
>>
>> -of
>
> Hi Oliver,
>
> Thanks for the link. I had not come across this thread.
>
> It would appear that currently there isn't any method to sign RPMs
> within koji or mash. You can import prebuilt RPMs with signatures
> into Koji. I don't know much about importing RPMs into koji because I
> haven't had a need.
>
> Do the Fedora guys use the sign_unsigned.py script for the official
> Fedora yum repos? If so, how do they use mash? Because it looks to me
> that if you use this script, it does one of the steps mash does;
> fetching RPMs out of koji tags.
>
> I would have guessed that the Fedora guys generate their yum repos
> via mash from koji tags and then sign RPMs.
>
> I'd have to modify this script to suit my needs, but I think I could
> do it. It also looks like it relies on a newer version of RPM, the
> rpm command for key size == 4096 is one spot I noticed.
>
> Also, I have to enter a passphrase when I sign my RPMs but this
> script doesn't have any provisions for that. Is there a way to make
> rpm --resign not prompt for a passphrase?
>
> Has there been any talk about adding RPM signing to mash? It seems
> like that'd be a good place for it.
>

I think there is some confusion here. sign_unsigned.py was our old
tool. I wrote a new one when we started using the sigul secure signing
backend.
https://fedorahosted.org/rel-eng/browser/scripts/sigulsign_unsigned.py

This client interacts with the sigul bridge, which then interacts with
the sigul server to actually rpmsign the files. Then the signed headers
get imported into koji, and we ask koji to write out a set of the rpms
with the signed headers. It's these signed copies that mash would fetch
(if so configured).

Because we do composes in automated or semi-automated fashion, and often
these composes re-use many existing packages, it doesn't make sense to
mash and then some hours later come back to punch in a passphrase to
(re)sign a ton of rpms. We sign and store them in koji so that they can
be fetched later by automated tools.

--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating


 
12-14-2010, 05:26 PM
Jesse Keating
Signing built RPMs or how to create signed RPMs.

On 12/14/10 5:20 AM, Christos Triantafyllidis wrote:
> Hi Josh, all,
>
> i'm reading this thread and i think that i've missed some point. What
> is the purpose of signing an RPM if you sign it on an online machine?

The purpose of the signature is to provide something downstream
consumers can check to ensure that the build came from a Fedora source
control and the Fedora build system. We don't intend our signatures to
provide anything beyond that. The "online" machine in question is very
secure, as secure as we can reasonably make it with open source tools.
I'm not aware of a reasonable way to feed hundreds of thousands of rpms
into an /offline/ machine to sign them, and then cart all of them back
/off/ the offline machine and back onto a network.

Our package store, many TBs large, exists in a datacenter where the only
access is remote. This is a fact of our infrastructure and one that we
have to deal with. Creating sigul as Josh described is our effort to
secure the process as much as possible, while remaining an open project
that provides access to more than just Red Hat employees.

> I haven't seen the sign_unsigned.py source yet but i guess what
> should be there is a mechanism that should download the unsigned
> RPMs, then a manual operation of RPM sign (possibly on an offline or
> at least access restricted node), and then another script to import
> the signed RPMs (or just the signatures).

You really should start reading the sources then. You've basically
described how sigul and sigulsign_unsigned work.

The sigulsign_unsigned script takes in options and data such as what
builds to sign, or what koji tag to sign, and what key to use. It will
prompt you for your personal passphrase for a particular key (every user
has their own, nobody knows the real key passphrase). This data is
passed along to the sigul bridge which is semi-restricted. The bridge
operates against our account system to validate user certs, and with the
"vault" which is a very secure and limited access machine where the
actual gpg keys live. The bridge fetches the unsigned rpms, passes them
to the vault. The vault signs them and passes back the signed header,
which the bridge will import into koji.

>
> Am i seeing this from a wrong perspective? does Fedora really sign
> the RPMs online? I guess this gets even worse if the sign operation
> is done more efficiently, automatically after each koji build.

If "online" matches the above, then yes. And we are moving to a point
where we can sign each package as it completes a build in koji. The
only "worse" part is that we'd have one more extremely limited access
machine with cached credentials to a "buildsystem" key so that it can
detect a finished build, enact a sign+import of said build. As I stated
before the GPG key is only intended to validate that the build happened
in an "official" way on "official" Fedora resources. Nothing beyond that.

> I hope i don't sound offensive, but these were my thoughts as i
> want/need to implement something like this in our local koji
> installation and i hoped that you were using something more
> sophisticated.


--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
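Josh's description of the sigul bridge and server earlier in the thread, and Jesse's walk-through above (the client supplies a personal passphrase, the bridge validates the user's certificate against the account system, the vault signs and returns the signed header, the bridge imports it into koji), reduce to a small trust model that can be written down and checked. The block below is an added example for this thread, not sigul's, koji's or rel-eng's own code: it models the three zones as Python classes and exercises the properties the thread claims, namely that the private key never leaves the vault, that a valid client certificate alone is not enough without a personal passphrase granted for that key, and that a header modified after signing no longer verifies. The key and user names are constructed, and the signing is textbook RSA with two small fixed primes and no padding, a stand-in for GPG chosen only so the block runs on the standard library; it is not usable as real signing.

```python
"""Toy model of the sigul flow (client -> bridge -> vault -> koji).
Added illustration, not sigul's or koji's code.  Key names, users and the
RSA parameters are constructed; the signing is textbook RSA with small
fixed primes and no padding, a stand-in for GPG.  Not for real use."""
import hashlib
import hmac


class Vault:
    """The sigul server: generates keys, keeps them, signs digests.
    No other component ever sees the private exponent."""
    _P, _Q, _E = 1_000_000_007, 998_244_353, 65537   # constructed toy primes

    def __init__(self):
        self._keys = {}      # key name -> (n, e, d); d never leaves this object
        self._access = {}    # key name -> {user: hash of that user's passphrase}

    def create_key(self, name, admin, passphrase):
        n = self._P * self._Q
        d = pow(self._E, -1, (self._P - 1) * (self._Q - 1))
        self._keys[name] = (n, self._E, d)
        self._access[name] = {}
        self.grant(name, admin, passphrase)

    def grant(self, name, user, passphrase):
        # Every user gets a personal passphrase; nobody is handed the key itself.
        self._access[name][user] = hashlib.sha256(passphrase.encode()).digest()

    def public_key(self, name):
        n, e, _ = self._keys[name]
        return n, e

    def sign(self, name, user, passphrase, digest):
        expected = self._access.get(name, {}).get(user)
        given = hashlib.sha256(passphrase.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, given):
            raise PermissionError(f"{user} may not sign with {name}")
        n, _, d = self._keys[name]
        return pow(int.from_bytes(digest, "big") % n, d, n)


class Koji:
    """Stand-in for koji: unsigned rpms plus a cache of signed headers."""
    def __init__(self):
        self.rpms = {}       # nvr -> (header bytes, payload bytes)
        self.sigcache = {}   # (nvr, key name) -> signature over the header

    def write_signed_rpm(self, nvr, key):
        """Splice the cached signed header back onto the stored rpm."""
        header, payload = self.rpms[nvr]
        return header, payload, self.sigcache[(nvr, key)]


class Bridge:
    """Semi-restricted relay: checks the client cert against the account
    system, fetches the unsigned header, asks the vault to sign it and
    imports the result into koji.  It never holds a key."""
    def __init__(self, vault, koji, accounts):
        self._vault, self._koji, self._accounts = vault, koji, accounts

    def sign_build(self, client_cert, nvr, key, passphrase):
        user = self._accounts.get(client_cert)
        if user is None:
            raise PermissionError("client certificate not in account system")
        header, _ = self._koji.rpms[nvr]
        digest = hashlib.sha256(header).digest()
        sig = self._vault.sign(key, user, passphrase, digest)
        self._koji.sigcache[(nvr, key)] = sig
        return sig


def verify_signed_rpm(koji, pubkey, nvr, key):
    """What a downstream consumer does with the separately published public key."""
    n, e = pubkey
    header, _payload, sig = koji.write_signed_rpm(nvr, key)
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(header).digest(), "big") % n


def demo():
    """Run the flow once; returns (verified, tampered_verified, unauthorised_rejected)."""
    vault, koji = Vault(), Koji()
    vault.create_key("release-key", "releng", "releng-secret")      # constructed names
    bridge = Bridge(vault, koji, {"cert:releng": "releng", "cert:guest": "guest"})
    koji.rpms["foo-1.0-1"] = (b"constructed rpm header", b"constructed payload")
    pub = vault.public_key("release-key")

    bridge.sign_build("cert:releng", "foo-1.0-1", "release-key", "releng-secret")
    verified = verify_signed_rpm(koji, pub, "foo-1.0-1", "release-key")

    # A header modified after signing no longer matches the cached signature.
    koji.rpms["foo-1.0-1"] = (b"tampered header", b"constructed payload")
    tampered = verify_signed_rpm(koji, pub, "foo-1.0-1", "release-key")

    try:   # valid cert, but this user was never granted the key: the vault refuses
        bridge.sign_build("cert:guest", "foo-1.0-1", "release-key", "guess")
        rejected = False
    except PermissionError:
        rejected = True
    return verified, tampered, rejected


if __name__ == "__main__":
    print(demo())
```

The point to notice is where the checks live: the bridge authenticates the certificate, but the decision to use a particular key is made inside the vault against the requester's own passphrase, so compromising the bridge or a client machine yields neither the key nor unrestricted signing. Storing the signature separately from the rpm, as koji does with signed headers, is what lets later composes re-use the signed copies without anyone typing a passphrase again.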


 
12-14-2010, 05:47 PM
Christos Triantafyllidis
Signing built RPMs or how to create signed RPMs.

Hi Jesse,
thanks for these clarifications; actually what Josh had already written in his last mail was more or less what I wanted to see. I'm glad that you have such a mechanism for secure "online" signatures already in place. Thus I'll just copy the setup/idea and then try to make it fit my needs.

I just got a little bit disappointed at the thought of "we automatically sign whatever gets out of our koji" on an online machine (so why not the koji itself) and having consumers trust that this was "built by Fedora based on Fedora's SCM". What Josh and you described is totally fine for me.

Thanks again,
Christos

 
12-14-2010, 06:20 PM
Mike McLean
Signing built RPMs or how to create signed RPMs.

On 12/14/2010 03:45 AM, Vijay N. Majagaonkar wrote:
> Hi All,
>
> I'm new to this system, forgive me if I am doing something wrong here!
>
> We can add a sign key to the build-tag at the time of creating the tag..
>
> [vijay@koji ~]$ koji add-tag --help
> Usage: koji add-tag [options] name
> (Specify the --help global option for a list of other help options)
>
> Options:
> -h, --help show this help message and exit
> --parent=PARENT Specify parent
> --arches=ARCHES Specify arches
> * --sigkey=SIGKEY Specify signing key*

I'm not quite sure what you mean. Koji's add-tag subcommand does not and
has never supported a --sigkey option. Is this actual output or are you
proposing a new feature?
 
12-14-2010, 07:00 PM
Oliver Falk
Signing built RPMs or how to create signed RPMs.

Hi Jesse!

Just want to mention that sigul might be a bit too much effort for a
private (or even corporate) koji setup...

-of

 
12-14-2010, 07:33 PM
Mike McLean
Signing built RPMs or how to create signed RPMs.

On 12/14/2010 03:00 PM, Oliver Falk wrote:
> Just want to mention, that sigul might be a bit too much effort for a
> private (or even corporate) koji setup...

I'm not sure that's true. Koji is already a pretty complex system. sigul
is not that much more work. I think it just needs better documentation.
 
12-14-2010, 07:45 PM
Oliver Falk
Signing built RPMs or how to create signed RPMs.

On 12/14/2010 21:33, Mike McLean wrote:
> On 12/14/2010 03:00 PM, Oliver Falk wrote:
>> Just want to mention, that sigul might be a bit too much effort for a
>> private (or even corporate) koji setup...
>
> I'm not sure that's true. Koji is already a pretty complex system. sigul
> is not that much more work. I think it just needs better documentation.

From a security point of view, you are totally right. If you already
use koji and did this complex setup, there's really no reason not to
also do the sigul setup. In the world of virtual machines, a small
signing host might not be a big stunt anyway.

-of