[csw-maintainers] how the catalog signing works

Ben Walton bwalton at opencsw.org
Sat Jul 23 19:27:23 CEST 2011


Hi All,

I'm going to be on vacation this week and I'll have little to no
connectivity.  As such, I'm sharing a sketch (proper documentation is
still in progress) of how the catalog signing works so that, if it
breaks, others can troubleshoot it.

On the designated zone (named cswsign) there is an account named
catalogsign.  Anyone needing access to this account should have their
ssh key seeded there.

The code for the daemon is at /opt/catalog_signatures.  In the
directory is a README file with more details than I'll include here.
The basics are that, if the passphrase expires, you should run:
/opt/catalog_signatures/bin/reset_passphrase.  This should connect you
to the screen session, where you should see a prompt from the
monitoring agent.  Hit Enter and then type in the passphrase.

If, for some reason, you need to restart the whole machinery, kill the
screen session entirely and then the gpg-agent process.  Next, run:
/opt/catalog_signatures/bin/signing_daemon.  This starts up a screen
session where the web daemon lives.  You'll be prompted for the
passphrase.  Once that has been properly entered, the web daemon will
be ready, and then the monitoring agent will be started in a second
screen terminal.  Once everything is running, use the 'd' (detach)
command in screen to fully background everything.

When you're connected to the screen session, screen 0 is the
verification monitor and screen 1 is the stdout from the web daemon.
These have labels on them if you use the " (quote) command in screen.

Access logs for the web daemon are in /opt/catalog_signatures/log.
I'll eventually move the stdout to this directory as well.

The monitor cannot currently emit email, so the sign of breakage at
the 3-day interval will be that the generate-unstable script will die
when the signature fails.  Dago (at least) should get an email in this
situation.

The passphrase for the test key is 'secret' (which is no secret at all
*g*).  If you'd like more details, please let me know.  I'll document
this in the wiki at some point (maybe tonight if I have time).

Thanks
-Ben
--
Ben Walton
Systems Programmer - CHASS
University of Toronto
C:416.407.5610 | W:416.978.4302
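The mail above describes a verification monitor that watches the signed
catalog but cannot yet alert anyone, so breakage only surfaces when the
3-day regeneration fails. The block below is an added example of the kind
of check such a monitor would make; it is not code from OpenCSW's
catalog_signatures tree. It drives `gpg --status-fd` and parses the
machine-readable status lines to decide whether the signature is good,
made by the expected key, and not older than the regeneration interval.
The detached-signature layout, the signing-key fingerprint, the catalog
paths and the three-day window are assumptions, and the sample status
output is constructed so the decision logic can be exercised offline.

```python
"""Hypothetical catalog-signature freshness check (added example).

Not OpenCSW's monitor. Parses the "[GNUPG:] ..." status lines that
`gpg --batch --status-fd 1 --verify SIG FILE` prints and returns a
verdict a cron job or monitor could act on (exit non-zero, send mail).
"""
import subprocess
import time

# Assumed values: replace with the real signing key and catalog location.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # hypothetical
MAX_SIG_AGE = 3 * 24 * 3600  # three days, the regeneration interval
STATUS_PREFIX = "[GNUPG:] "

# Any of these status keywords means the signature must not be trusted.
FATAL_KEYWORDS = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG",
                  "EXPKEYSIG", "REVKEYSIG")


def parse_status(lines):
    """Map each gpg status keyword to its argument list.

    Only lines carrying the "[GNUPG:] " prefix are status lines; gpg's
    human-readable warnings on the same stream are ignored.
    """
    status = {}
    for line in lines:
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if fields:
            status[fields[0]] = fields[1:]
    return status


def evaluate(lines, now, expected_fpr=EXPECTED_FPR, max_age=MAX_SIG_AGE):
    """Return (ok, reason) for one verification run.

    Accept only if gpg reported GOODSIG and VALIDSIG, the VALIDSIG
    fingerprint (or the primary-key fingerprint it carries) matches
    expected_fpr, and the signature timestamp is within max_age of now.
    """
    status = parse_status(lines)
    for keyword in FATAL_KEYWORDS:
        if keyword in status:
            return False, keyword
    if "GOODSIG" not in status or "VALIDSIG" not in status:
        return False, "no valid signature reported"
    valid = status["VALIDSIG"]
    # VALIDSIG fields: fpr date timestamp expire sigver reserved
    #                  pkalgo hashalgo sigclass [primary-key-fpr]
    fingerprints = {valid[0]}
    if len(valid) > 9:
        fingerprints.add(valid[9])
    if expected_fpr not in fingerprints:
        return False, "signed by unexpected key"
    sig_time = int(valid[2])
    if now - sig_time > max_age:
        return False, "signature is stale"
    return True, "ok"


def verify_catalog(catalog, signature, now=None):
    """Run gpg on a detached signature and evaluate its status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, catalog],
        capture_output=True, text=True, check=False)
    return evaluate(proc.stdout.splitlines(),
                    time.time() if now is None else now)


# Constructed status output standing in for a real gpg run.
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] SIG_ID abc/def 2011-07-23 1311434843",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Catalog Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-07-23 "
    "1311434843 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_ULTIMATE 0 pgp",
]
SAMPLE_BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 0123456789ABCDEF Catalog Signer <signer@example.invalid>",
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_GOOD, now=1311434843 + 3600))
    print(evaluate(SAMPLE_GOOD, now=1311434843 + 4 * 86400))
    print(evaluate(SAMPLE_BAD, now=1311434843 + 3600))
```

The check deliberately fails closed: an unknown key, a missing VALIDSIG
line, or a signature older than the window are all treated as breakage,
which is what you want when the alternative is the generate-unstable
script dying silently three days later.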


