signing RPMs without a passphrase?
Is it possible to sign an RPM without being asked the passphrase for
the signing key? It hampers automated RPM creation to be asked for the passphrase when building them. Otherwise, is the only other option just batch signing the RPMs after they've been created? thanks, -lev _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list |
signing RPMs without a passphrase?
https://www.redhat.com/archives/rpm-list/2004-March/msg00109.html
>-----Original Message----- >From: rpm-list-bounces@redhat.com [mailto:rpm-list-bounces@redhat.com] >On Behalf Of Lev Lvovsky >Sent: Tuesday, October 07, 2008 4:18 PM >To: rpm-list@redhat.com >Subject: signing RPMs without a passphrase? > >Is it possible to sign an RPM without being asked the passphrase for >the signing key? It hampers automated RPM creation to be asked for >the passphrase when building them. Otherwise, is the only other >option just batch signing the RPMs after they've been created? > >thanks, >-lev > >_______________________________________________ >Rpm-list mailing list >Rpm-list@redhat.com >https://www.redhat.com/mailman/listinfo/rpm-list _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list |
signing RPMs without a passphrase?
Well 2004 was a long time ago. Times have changed too ...
FWIW, rpm-5 uses keyutils to store passphrases. Which means that its possible to us keyutils to manage a persistent session pass phrase, loaded before rpm is invoked, and the passphrase will be passed to gpg for signinging packages. But you can attempt signing without a pass phrase if you want too. 73 de Jeff On Oct 7, 2008, at 7:26 PM, Aaron Hanson wrote: https://www.redhat.com/archives/rpm-list/2004-March/msg00109.html -----Original Message----- From: rpm-list-bounces@redhat.com [mailto:rpm-list- bounces@redhat.com] On Behalf Of Lev Lvovsky Sent: Tuesday, October 07, 2008 4:18 PM To: rpm-list@redhat.com Subject: signing RPMs without a passphrase? Is it possible to sign an RPM without being asked the passphrase for the signing key? It hampers automated RPM creation to be asked for the passphrase when building them. Otherwise, is the only other option just batch signing the RPMs after they've been created? thanks, -lev _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list |
signing RPMs without a passphrase?
thank you *Jeff*!
The first response in the link provided just seemed a little off-base to me. There's nothing intrinsically more secure about me typing in some passphrase vs. an automated procedure just skipping the step - AFAIK, GPG is used to provide file signature verification (along with mdt5 and whatever other hash algo. is employed). But it's also used to verify the entity that the RPM came from - an identity which the installer chooses to trust, passphrase notwithstanding. Am I missing something there? I'll check out keyutils - thank you very much for your help Jeff! -lev On Oct 7, 2008, at 5:16 PM, Jeff Johnson wrote: Well 2004 was a long time ago. Times have changed too ... FWIW, rpm-5 uses keyutils to store passphrases. Which means that its possible to us keyutils to manage a persistent session pass phrase, loaded before rpm is invoked, and the passphrase will be passed to gpg for signinging packages. But you can attempt signing without a pass phrase if you want too. 73 de Jeff On Oct 7, 2008, at 7:26 PM, Aaron Hanson wrote: https://www.redhat.com/archives/rpm-list/2004-March/msg00109.html -----Original Message----- From: rpm-list-bounces@redhat.com [mailto:rpm-list-bounces@redhat.com ] On Behalf Of Lev Lvovsky Sent: Tuesday, October 07, 2008 4:18 PM To: rpm-list@redhat.com Subject: signing RPMs without a passphrase? Is it possible to sign an RPM without being asked the passphrase for the signing key? It hampers automated RPM creation to be asked for the passphrase when building them. Otherwise, is the only other option just batch signing the RPMs after they've been created? thanks, -lev _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list |
signing RPMs without a passphrase?
My personal preference is to batch sign them after creation. However,
it should also be possible to use 'expect' to pass in the passphrase during the build process. -----Original Message----- From: rpm-list-bounces@redhat.com [mailto:rpm-list-bounces@redhat.com] On Behalf Of Lev Lvovsky Sent: Thursday, October 09, 2008 11:01 AM To: RPM Package Manager Subject: Re: signing RPMs without a passphrase? thank you *Jeff*! The first response in the link provided just seemed a little off-base to me. There's nothing intrinsically more secure about me typing in some passphrase vs. an automated procedure just skipping the step - AFAIK, GPG is used to provide file signature verification (along with mdt5 and whatever other hash algo. is employed). But it's also used to verify the entity that the RPM came from - an identity which the installer chooses to trust, passphrase notwithstanding. Am I missing something there? I'll check out keyutils - thank you very much for your help Jeff! -lev On Oct 7, 2008, at 5:16 PM, Jeff Johnson wrote: > Well 2004 was a long time ago. Times have changed too ... > > FWIW, rpm-5 uses keyutils to store passphrases. > > Which means that its possible to us keyutils to manage > a persistent session pass phrase, loaded before rpm is invoked, > and the passphrase will be passed to gpg for signinging packages. > > But you can attempt signing without a pass phrase if you want too. > > 73 de Jeff > > On Oct 7, 2008, at 7:26 PM, Aaron Hanson wrote: > >> https://www.redhat.com/archives/rpm-list/2004-March/msg00109.html >> >>> -----Original Message----- >>> From: rpm-list-bounces@redhat.com [mailto:rpm-list-bounces@redhat.com >>> ] >>> On Behalf Of Lev Lvovsky >>> Sent: Tuesday, October 07, 2008 4:18 PM >>> To: rpm-list@redhat.com >>> Subject: signing RPMs without a passphrase? >>> >>> Is it possible to sign an RPM without being asked the passphrase for >>> the signing key? It hampers automated RPM creation to be asked for >>> the passphrase when building them. Otherwise, is the only other >>> option just batch signing the RPMs after they've been created? >>> >>> thanks, >>> -lev >>> >>> _______________________________________________ >>> Rpm-list mailing list >>> Rpm-list@redhat.com >>> https://www.redhat.com/mailman/listinfo/rpm-list >> >> _______________________________________________ >> Rpm-list mailing list >> Rpm-list@redhat.com >> https://www.redhat.com/mailman/listinfo/rpm-list > > _______________________________________________ > Rpm-list mailing list > Rpm-list@redhat.com > https://www.redhat.com/mailman/listinfo/rpm-list _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list |
signing RPMs without a passphrase?
Hi Jay,
On Oct 9, 2008, at 9:19 AM, Jay Yarbrough wrote: My personal preference is to batch sign them after creation. However, it should also be possible to use 'expect' to pass in the passphrase during the build process. It looks like that's what other have recommended too - it wouldn't be too difficult, but we're looking for a more standard way of doing this. It could be argued that a passphrase is required to be "standard", but I'll omit that from my argument ;) RE the batch signing - I'd thought of that as well, but our RPM creation tools create an RPM repository in the process, so remembering to batch sign them would be a human-required intervention. thanks! -lev _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list |
signing RPMs without a passphrase?
Jeff,
On Oct 7, 2008, at 5:16 PM, Jeff Johnson wrote: Well 2004 was a long time ago. Times have changed too ... FWIW, rpm-5 uses keyutils to store passphrases. Which means that its possible to us keyutils to manage a persistent session pass phrase, loaded before rpm is invoked, and the passphrase will be passed to gpg for signinging packages. But you can attempt signing without a pass phrase if you want too. In my excitement, I assumed a bit too much about the system that you've described - from the following rpm-devel thread: http://rpm5.org/community/rpm-devel/1440.html It looks like this implementation has been discussed, but I've not found any documentation on how to actually use it - is there any out there? thanks, -lev _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list |
signing RPMs without a passphrase?
On Oct 9, 2008, at 12:00 PM, Lev Lvovsky wrote:
thank you *Jeff*! The first response in the link provided just seemed a little off- base to me. There's nothing intrinsically more secure about me typing in some passphrase vs. an automated procedure just skipping the step - AFAIK, GPG is used to provide file signature verification (along with mdt5 and whatever other hash algo. is employed). But it's also used to verify the entity that the RPM came from - an identity which the installer chooses to trust, passphrase notwithstanding. Am I missing something there? There are two issues that you are attaching to signing: 1) Point of origin 2) untampered guarantee They are really separate issues. FWIW, RPMTAG_COOKIE was rpm's attempt to pin down origin sufficiently well. That string has the fully qualified host name as well as a time stamp. Yes both DNS and time can be wrong or maliciously tampered with. Yes there is information leakage of build system internals through RPMTAG_COOKIE too. But RPMTAG_COOKIE could be used to split point-of-origin from untampered if some other content were supplied there instead. And if anyone knows a signing algorithm that does not require a pubkey distribution framework in order for end-user to verify integrity, I'll be happy to just automate the integrity signing within rpmbuild everywhere and always. I'll check out keyutils - thank you very much for your help Jeff! Note that keyutils also has a way to provide an asynchronous callback, with negative "NOKEY" return caching to avoid pointless overhead, as well. keyutils == nice stuff 73 de Jeff _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list |
signing RPMs without a passphrase?
On Oct 9, 2008, at 12:46 PM, Lev Lvovsky wrote:
Jeff, On Oct 7, 2008, at 5:16 PM, Jeff Johnson wrote: Well 2004 was a long time ago. Times have changed too ... FWIW, rpm-5 uses keyutils to store passphrases. Which means that its possible to us keyutils to manage a persistent session pass phrase, loaded before rpm is invoked, and the passphrase will be passed to gpg for signinging packages. But you can attempt signing without a pass phrase if you want too. In my excitement, I assumed a bit too much about the system that you've described - from the following rpm-devel thread: http://rpm5.org/community/rpm-devel/1440.html It looks like this implementation has been discussed, but I've not found any documentation on how to actually use it - is there any out there? There's not much from an rpm POV to document. The entire implementation is in rpmio/rpmku.c if interested. If you are interested in a persistent session key, then you need to this configuration %_keyutils_keyring session iirc. Then use keyutils utilities to load the GPG password into the keyutils retrieval token rpm:passwd And its up to the user to protect their keyutils session keyring through whatever means they choose. 73 de Jeff you need to change this macro: thanks, -lev _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list |
signing RPMs without a passphrase?
Jay Yarbrough wrote:
> My personal preference is to batch sign them after creation. However, > it should also be possible to use 'expect' to pass in the passphrase > during the build process. Sure it is. The issue some people have with this is if you truly automate it this way, there may be a tendency to leave a passphrase, in clear text, lying around in the script on the build system, which has some implications for how far people are likely to trust that signing key. Just something to be consider. In the project I'm involved with we consider that okay in the case of nightly-build automated packages, but we use different signing keys that do we do not use in an autosign scenario for things that are presented as releases. _______________________________________________ Rpm-list mailing list Rpm-list@redhat.com https://www.redhat.com/mailman/listinfo/rpm-list |
| All times are GMT. The time now is 03:48 AM. |
VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.