10-07-2008, 11:17 PM
Lev Lvovsky

signing RPMs without a passphrase?

Is it possible to sign an RPM without being asked the passphrase for
the signing key? It hampers automated RPM creation to be asked for
the passphrase when building them. Otherwise, is the only other
option just batch signing the RPMs after they've been created?


thanks,
-lev

_______________________________________________
Rpm-list mailing list
Rpm-list@redhat.com
https://www.redhat.com/mailman/listinfo/rpm-list
 
10-07-2008, 11:26 PM
"Aaron Hanson"

signing RPMs without a passphrase?

https://www.redhat.com/archives/rpm-list/2004-March/msg00109.html

 
10-08-2008, 12:16 AM
Jeff Johnson

signing RPMs without a passphrase?

Well 2004 was a long time ago. Times have changed too ...

FWIW, rpm-5 uses keyutils to store passphrases.

Which means that it's possible to use keyutils to manage
a persistent session pass phrase, loaded before rpm is invoked,
and the passphrase will be passed to gpg for signing packages.

But you can attempt signing without a pass phrase if you want to.

73 de Jeff

 
10-09-2008, 04:00 PM
Lev Lvovsky

signing RPMs without a passphrase?

thank you *Jeff*!

The first response in the link provided just seemed a little off-base
to me. There's nothing intrinsically more secure about me typing in
some passphrase vs. an automated procedure just skipping the step -
AFAIK, GPG is used to provide file signature verification (along with
md5 and whatever other hash algo. is employed). But it's also used
to verify the entity that the RPM came from - an identity which the
installer chooses to trust, passphrase notwithstanding. Am I missing
something there?


I'll check out keyutils - thank you very much for your help Jeff!

-lev

 
10-09-2008, 04:19 PM
"Jay Yarbrough"

signing RPMs without a passphrase?

My personal preference is to batch sign them after creation. However,
it should also be possible to use 'expect' to pass in the passphrase
during the build process.

 
10-09-2008, 04:40 PM
Lev Lvovsky

signing RPMs without a passphrase?

Hi Jay,

On Oct 9, 2008, at 9:19 AM, Jay Yarbrough wrote:

> My personal preference is to batch sign them after creation. However,
> it should also be possible to use 'expect' to pass in the passphrase
> during the build process.

It looks like that's what others have recommended too - it wouldn't be
too difficult, but we're looking for a more standard way of doing
this. It could be argued that a passphrase is required to be
"standard", but I'll omit that from my argument


RE the batch signing - I'd thought of that as well, but our RPM
creation tools create an RPM repository in the process, so remembering
to batch sign them would be a human-required intervention.


thanks!
-lev

 
10-09-2008, 04:46 PM
Lev Lvovsky

signing RPMs without a passphrase?

Jeff,

On Oct 7, 2008, at 5:16 PM, Jeff Johnson wrote:

> Well 2004 was a long time ago. Times have changed too ...
>
> FWIW, rpm-5 uses keyutils to store passphrases.
>
> Which means that it's possible to use keyutils to manage
> a persistent session pass phrase, loaded before rpm is invoked,
> and the passphrase will be passed to gpg for signing packages.
>
> But you can attempt signing without a pass phrase if you want to.


In my excitement, I assumed a bit too much about the system that
you've described - from the following rpm-devel thread:


http://rpm5.org/community/rpm-devel/1440.html

It looks like this implementation has been discussed, but I've not
found any documentation on how to actually use it - is there any out
there?


thanks,
-lev

 
10-09-2008, 05:30 PM
Jeff Johnson

signing RPMs without a passphrase?

On Oct 9, 2008, at 12:00 PM, Lev Lvovsky wrote:

> thank you *Jeff*!
>
> The first response in the link provided just seemed a little off-base
> to me. There's nothing intrinsically more secure about me typing in
> some passphrase vs. an automated procedure just skipping the step -
> AFAIK, GPG is used to provide file signature verification (along with
> md5 and whatever other hash algo. is employed). But it's also used
> to verify the entity that the RPM came from - an identity which the
> installer chooses to trust, passphrase notwithstanding. Am I missing
> something there?




There are two issues that you are attaching to signing:

1) Point of origin
2) untampered guarantee

They are really separate issues.

FWIW, RPMTAG_COOKIE was rpm's attempt to pin down origin
sufficiently well. That string has the fully qualified host name as
well as a time stamp.

Yes both DNS and time can be wrong or maliciously tampered with.

Yes there is information leakage of build system internals through
RPMTAG_COOKIE too.

But RPMTAG_COOKIE could be used to split point-of-origin from
untampered if some other content were supplied there instead.

And if anyone knows a signing algorithm that does not require
a pubkey distribution framework in order for end-user to verify
integrity, I'll be happy to just automate the integrity signing
within rpmbuild everywhere and always.

> I'll check out keyutils - thank you very much for your help Jeff!



Note that keyutils also has a way to provide an asynchronous callback,
with negative "NOKEY" return caching to avoid pointless overhead,
as well.

keyutils == nice stuff

73 de Jeff

 
10-09-2008, 05:36 PM
Jeff Johnson

signing RPMs without a passphrase?

On Oct 9, 2008, at 12:46 PM, Lev Lvovsky wrote:

> Jeff,
>
> On Oct 7, 2008, at 5:16 PM, Jeff Johnson wrote:
>
>> Well 2004 was a long time ago. Times have changed too ...
>>
>> FWIW, rpm-5 uses keyutils to store passphrases.
>>
>> Which means that it's possible to use keyutils to manage
>> a persistent session pass phrase, loaded before rpm is invoked,
>> and the passphrase will be passed to gpg for signing packages.
>>
>> But you can attempt signing without a pass phrase if you want to.
>
> In my excitement, I assumed a bit too much about the system that
> you've described - from the following rpm-devel thread:
>
> http://rpm5.org/community/rpm-devel/1440.html
>
> It looks like this implementation has been discussed, but I've not
> found any documentation on how to actually use it - is there any out
> there?




There's not much from an rpm POV to document.

The entire implementation is in rpmio/rpmku.c if interested.

If you are interested in a persistent session key, then you
need to this configuration
%_keyutils_keyring session
iirc.

Then use keyutils utilities to load the GPG password
into the keyutils retrieval token
rpmasswd

And it's up to the user to protect their keyutils session keyring
through whatever means they choose.

73 de Jeff

you need to change this macro:


> thanks,
> -lev

 
10-09-2008, 06:21 PM
"Wichmann, Mats D"

signing RPMs without a passphrase?

Jay Yarbrough wrote:
> My personal preference is to batch sign them after creation. However,
> it should also be possible to use 'expect' to pass in the passphrase
> during the build process.

Sure it is.

The issue some people have with this is if you truly automate
it this way, there may be a tendency to leave a passphrase,
in clear text, lying around in the script on the build system,
which has some implications for how far people are likely to
trust that signing key. Just something to be considered. In
the project I'm involved with we consider that okay in the case
of nightly-build automated packages, but we use different
signing keys that we do not use in an autosign scenario
for things that are presented as releases.


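A publish-time check for the batch-signing workflow discussed in this thread, added here as an example (it is not code from any poster or from the rpm project): it parses `rpm -K` (`--checksig`) output and lists every package that is unsigned or whose signature did not verify, so an automated build can stop instead of relying on someone remembering to sign. The sample lines are constructed, in the summary formats assumed for older and newer rpm releases, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Sample lines are constructed, in the summary formats that
# `rpm -K` prints on older rpm ("... gpg OK") and newer rpm ("digests
# signatures OK"); adjust the token list if your rpm version differs.
SAMPLE_CHECKSIG='repo/foo-1.0-1.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
repo/bar-2.1-3.noarch.rpm: sha1 md5 OK
repo/baz-0.9-1.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)
repo/qux-3.2-1.x86_64.rpm: digests signatures OK
repo/nop-1.1-1.x86_64.rpm: digests OK'

# classify_checksig LINE -> prints signed | unsigned | bad (hypothetical helper)
classify_checksig() {
    cc_status=${1#*: }                      # drop the leading "path/pkg.rpm: "
    case $cc_status in
        *"NOT OK"*) echo bad; return 0 ;;   # digest/signature failed or key missing
        *OK) ;;                             # everything rpm checked passed
        *) echo bad; return 0 ;;            # unrecognised line: fail closed
    esac
    for cc_word in $cc_status; do
        case $cc_word in
            # A signature token means origin was checked, not just integrity.
            gpg|pgp|dsa|rsa|signatures) echo signed; return 0 ;;
        esac
    done
    echo unsigned                           # digests only: "sha1 md5 OK", "digests OK"
}

# unsigned_packages: read `rpm -K` output on stdin, print "<verdict> <file>"
# for every package that is not signed and verified; return 1 if any exist.
unsigned_packages() {
    up_rc=0
    while IFS= read -r up_line; do
        [ -n "$up_line" ] || continue
        up_verdict=$(classify_checksig "$up_line")
        if [ "$up_verdict" != signed ]; then
            printf '%s %s\n' "$up_verdict" "${up_line%%: *}"
            up_rc=1
        fi
    done
    return "$up_rc"
}

# Real use, before the repository is generated:
#   rpm -K repo/*.rpm | unsigned_packages || exit 1
printf '%s\n' "$SAMPLE_CHECKSIG" | unsigned_packages ||
    echo "refusing to publish: packages above are unsigned or unverified"
```

A `signed` verdict means the signature verified against some public key imported into the local rpm keyring, not which key it was. To keep nightly and release keys apart as described above, import only the intended public key on the machine that runs this check.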
 
