[csw-maintainers] ideas

Ben Walton bwalton at opencsw.org
Thu Jul 14 03:28:19 CEST 2011


Excerpts from Maciej Bliziński's message of Wed Jul 13 03:55:28 -0400 2011:

> Sharing of the gpg-agent is on the user level, so being able to run as
> the same user on the same host lets you access the key, is that
> correct?

Yes.  And root, of course.


> How does the verification script reach the signing daemon?

The initialization uses --write-env-file and the verification daemon
sources this.  It's not keychain driven, but it's the same principle.

> I need more instructions (URLs?). The best I could do so far, was:
> 
> maciej at login [login]:~/src/opencsw-git/gar/v2 > curl -s
> http://unstable9x.bo.opencsw.org:9981/clearsign/current/i386/5.10
> 500 There was a problem processing the request.

This means the agent had timed out.

> Looks good enough for now.  In the target setup, the verification
> daemon will also verify signatures of individual packages, so
> trusting the NFS share will not be necessary.

Adding individual package signatures will be a lot more work.  Each
maintainer will need a key for which we'd need to collect the public
half, etc.  I think this is definitely worthwhile, but let's leave that
until we have basic package flow in place.

> > We'd need to make the signing agent sign catalog.update or
> > catalog.new or something instead of catalog as presumably catalog
> > would be the previously clear signed file.  (I'm still happy to
> > see clear signed catalogs go away in favour of a detached
> > signature.)
> 
> +1

After discussing this with Peter in IRC a bit today, I think we should
stick with clear signing for now.  Changing this would break pkg-get
and although we're not tied to that any more, there's no need to break it
right out of the gate.  Peter is thinking of some JSON-based catalog
stuff anyway, so maybe when he's ready to tackle that problem, we can
choose a new name for the file, continue generating legacy catalogs
and then do the new catalog file plus a detached signature for it.

> Sounds great!  Can you show an example of the signing daemon usage?

This should be as simple as a curl call from the script that is going
to push a mirror update.

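for catalog in unstable current; do
    for arch in i386 sparc; do
        for rel in 5.9 5.10 5.11; do
            # -f: exit non-zero on an HTTP error (e.g. the 500 above), so an
            # error body is never moved over the existing catalog
            curl -sf "http://cswsign:9981/clearsign/$catalog/$arch/$rel" \
                > catalog.updated && mv catalog.updated catalog
        done
    done
done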

Dago has set up a private zone on the farm to run the signing agent.
It's called cswsign as per the example above.  I'm continuing
development on there as soon as I hit send on this.

Thanks
-Ben
--
Ben Walton
Systems Programmer - CHASS
University of Toronto
C:416.407.5610 | W:416.978.4302
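
The push step described above, as an added example (not part of Ben's message or OpenCSW's own scripts): it replaces a live catalog only if the HTTP request succeeded, the body is shaped like a clearsigned document, and gpg accepts the signature, so a 500 from a timed-out agent never reaches the mirror. The per-catalog destination layout, the SIGN_URL variable and the function names are assumptions; the host, port and URL path come from the message.

```shell
#!/bin/sh
# Added example. Assumptions: the mirror tree is laid out as
# <destdir>/<catalog>/<arch>/<rel>/catalog, and the local gpg keyring holds
# only the catalog signing key (gpg --verify accepts any key it knows).
SIGN_URL=${SIGN_URL:-http://cswsign:9981/clearsign}

# Fetch one clearsigned catalog. -f makes curl exit non-zero on HTTP >= 400,
# which covers the "500 There was a problem processing the request." case.
fetch_signed() {    # usage: fetch_signed URL OUTFILE
    curl -sf --max-time 60 -o "$2" "$1"
}

# Cheap structural check: non-empty, starts and ends like a clearsigned
# OpenPGP document. This catches truncated or error bodies, not forgeries.
looks_clearsigned() {
    [ -s "$1" ] || return 1
    [ "$(head -n 1 "$1")" = "-----BEGIN PGP SIGNED MESSAGE-----" ] || return 1
    grep -q '^-----BEGIN PGP SIGNATURE-----$' "$1" || return 1
    [ "$(tail -n 1 "$1")" = "-----END PGP SIGNATURE-----" ]
}

# Cryptographic check; this is the one that actually establishes trust.
verify_sig() {
    gpg --batch --verify "$1" >/dev/null 2>&1
}

# usage: update_catalog CATALOG ARCH REL DESTDIR
# Writes to a temp file in the destination directory so the final mv is a
# same-filesystem rename; the old catalog stays in place on any failure.
update_catalog() {
    dest=$4/$1/$2/$3
    mkdir -p "$dest" || return 1
    tmp=$dest/catalog.updated
    if fetch_signed "$SIGN_URL/$1/$2/$3" "$tmp" &&
       looks_clearsigned "$tmp" &&
       verify_sig "$tmp"; then
        mv "$tmp" "$dest/catalog"
    else
        rm -f "$tmp"
        echo "catalog $1/$2/$3 not updated: fetch or signature check failed" >&2
        return 1
    fi
}
```

Call update_catalog "$catalog" "$arch" "$rel" /path/to/mirror from inside the triple loop, where /path/to/mirror is a placeholder for the mirror root.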


