bwalton at opencsw.org
Thu Jul 14 03:28:19 CEST 2011
Excerpts from Maciej Bliziński's message of Wed Jul 13 03:55:28 -0400 2011:
> Sharing of the gpg-agent is on the user level, so being able to run as
> the same user on the same host lets you access the key, is that
Yes. And root, of course.
> How does the verification script reach the signing daemon?
The initialization uses --write-env-file and the verification daemon
sources this. It's not keychain driven, but it's the same principle.
> I need more instructions (URLs?). The best I could do so far, was:
> maciej at login [login]:~/src/opencsw-git/gar/v2 > curl -s
> 500 There was a problem processing the request.
This means the agent had timed out.
> Looks good enough for now. In the target setup, the verification
> daemon will also verify signatures of individual packages, so
> trusting the NFS share will not be necessary.
Adding individual package signatures will be a lot more work. Each
maintainer will need a key for which we'd need to collect the public
half, etc. I think this is definitely worthwhile, but let's leave that
until we have basic package flow in place.
> > We'd need to make the signing agent sign catalog.update or
> > catalog.new or something instead of catalog as presumably catalog
> > would be the previously clear signed file. (I'm still happy to
> > see clear signed catalogs go away in favour of a detached
> > signature.)
After discussing this with Peter in irc a bit today, I think we should
stick with clear signing for now. Changing this would break pkg-get
and although we're not tied to that any more, there's no need to break it
right out of the gate. Peter is thinking of some JSON-based catalog
stuff anyway, so maybe when he's ready to tackle that problem, we can
choose a new name for the file, continue generating legacy catalogs
and then do the new catalog file plus a detached signature for it.
> Sounds great! Can you show an example of the signing daemon usage?
This should be as simple as a curl call from the script that is going
to push a mirror update.
# one clearsigned catalog per (catalog, arch, release) triple
for catalog in unstable current; do
  for arch in i386 sparc; do
    for rel in 5.9 5.10 5.11; do
      curl -s http://cswsign:9981/clearsign/$catalog/$arch/$rel \
        > catalog.updated && mv catalog.updated catalog
    done
  done
done
Dago has set up a private zone on the farm to run the signing agent.
It's called cswsign as per the example above. I'm continuing
development on there as soon as I hit send on this.
Systems Programmer - CHASS
University of Toronto
C:416.407.5610 | W:416.978.4302
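A hardened variant of the update loop from the mail above, added here as an example (it is not code from the original message or from the OpenCSW tree): it fails the curl on HTTP errors so an agent timeout (the "500 There was a problem" body) is never written over the catalog, and it checks the clearsign armour, plus gpg --verify against a trusted keyring when $KEYRING is set, before the mv. The per-catalog directory layout under $CATALOG_DIR and the KEYRING variable are assumptions.

```shell
#!/bin/sh
# Assumed layout: $CATALOG_DIR/<catalog>/<arch>/<rel>/catalog (hypothetical).
# KEYRING: optional path to a keyring holding only the cswsign public key.

# install_clearsigned FILE DEST: move FILE over DEST only if FILE looks
# like a clearsigned message and (if a keyring is configured) verifies.
install_clearsigned() {
    f=$1; dest=$2
    # An agent timeout yields an HTTP error body, not PGP armour; refuse it.
    head -n 1 "$f" | grep -q '^-----BEGIN PGP SIGNED MESSAGE-----$' || return 1
    grep -q '^-----BEGIN PGP SIGNATURE-----$' "$f" || return 1
    grep -q '^-----END PGP SIGNATURE-----$' "$f" || return 1
    if [ -n "${KEYRING:-}" ] && command -v gpg >/dev/null 2>&1; then
        # Verify against the dedicated keyring only, not the user's default one.
        gpg --no-default-keyring --keyring "$KEYRING" --verify "$f" \
            >/dev/null 2>&1 || return 1
    fi
    # mv within the same directory replaces the catalog atomically.
    mv "$f" "$dest"
}

# fetch_and_install CATALOG ARCH REL: pull one clearsigned catalog from the
# signing zone and install it; leaves the old catalog untouched on any failure.
fetch_and_install() {
    catalog=$1; arch=$2; rel=$3
    dir=${CATALOG_DIR:-.}/$catalog/$arch/$rel
    tmp=$dir/catalog.updated
    # -f: exit non-zero on HTTP 4xx/5xx instead of saving the error page.
    curl -sf "http://cswsign:9981/clearsign/$catalog/$arch/$rel" -o "$tmp" \
        || { rm -f "$tmp"; return 1; }
    install_clearsigned "$tmp" "$dir/catalog"
}

# update_all: the same (catalog, arch, release) triples as in the mail.
update_all() {
    rc=0
    for catalog in unstable current; do
        for arch in i386 sparc; do
            for rel in 5.9 5.10 5.11; do
                fetch_and_install "$catalog" "$arch" "$rel" \
                    || { echo "FAILED $catalog/$arch/$rel" >&2; rc=1; }
            done
        done
    done
    return $rc
}

case "${1:-}" in run) update_all ;; esac
```

Invoke as `sh update-catalogs.sh run`; a failed fetch for one triple is reported on stderr while the other catalogs still update.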