[Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl

Michael Scherer misc at zarb.org
Mon Jan 17 18:19:35 CET 2011


> > >
> > > How do we sign
> > > ==============
> > >
> > > Again, point 3 has an impact here. Either we sign when uploaded, using
> > > youri, or using a custom action ( as the current one does not permit changing
> > > the uid ), or we use some custom cronjob to sign.
> 
> I vote too for using a custom action, to store the key on a separate
> account, and use it with a script run with sudo.
> 
> It can be done with a cron job too, but it will be slower I think. Is there
> any advantage in doing it with a cron job ?

No. But as we will also use a cronjob to recreate hdlist, this would
have made sense maybe.

> > >
> > > Or we sign when the release is made.
> 
> That would mean having unsigned cauldron packages ?

That would ease the PLF hidden secret plan, but no, I wanted to say
"resign packages".

> > >
> > > I would recommend using a custom action, as privilege separation sounds
> > > like a good idea. I would prefer to avoid signing again on the day of
> > > release, for reasons that were already given.
> > >
> > >
> > > Bonus, usage of the module :
> > > ============================
> > >
> > >    gnupg::keys { "cauldron":
> > >        email => "root@$domain",
> > >        key_name => "John the plop",
> > >        key_length => "4096"
> > >    }
> > >
> > > creates a key cauldron.sec and cauldron.pub in /etc/gnupg/keys/. I am not
> > > sure of the format ( maybe having it exported would be good ), and I am
> > > not sure that putting everything in this directory is the right location.
> 
> What are the permissions and owner on this directory ?

root, 600.
See in the module ( I really need to install viewvc to give a URL to the
file ).

-- 
Michael Scherer
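The gnupg::keys usage quoted in the thread only shows the Puppet side. As an added example (not part of this thread and not the sysadm repository's module), here is a POSIX shell sketch of what such a define would wrap: unattended key generation with gpg --batch, export of the .pub/.sec files into the key directory, and a check that the directory and files carry the permissions discussed above. Assumptions, not facts from the thread: GnuPG 2.1 or later (for the %no-protection control line), GNU coreutils stat, the directory at mode 700 (a directory needs the x bit to be entered) with key files at mode 600, everything owned by the single signing account, and a signing-only RSA key with no expiry.

```shell
#!/bin/sh
# Added example, not code from the Mageia sysadm repository: the unattended
# gpg key generation a gnupg::keys define would wrap, plus a check that the
# key directory is locked down as described in the thread.
# Assumptions: GnuPG >= 2.1 (for %no-protection), GNU coreutils `stat`,
# directory mode 700 and key files mode 600, all owned by one account.

# Print a gpg --batch parameter file for a signing-only RSA key.
gnupg_batch_params() {
    realname=$1; email=$2; length=$3
    cat <<EOF
%echo Generating signing key for $email
Key-Type: RSA
Key-Length: $length
Key-Usage: sign
Name-Real: $realname
Name-Email: $email
Expire-Date: 0
%no-protection
%commit
EOF
}

# Generate the key in a throwaway GNUPGHOME and export KEYNAME.pub and
# KEYNAME.sec (ASCII-armored) into KEYDIR with 0600 permissions.
gnupg_gen_key() {
    keyname=$1; realname=$2; email=$3; length=$4; keydir=$5
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    gnupg_batch_params "$realname" "$email" "$length" > "$home/params"
    if ! gpg --homedir "$home" --batch --gen-key "$home/params"; then
        rm -rf "$home"; return 1
    fi
    mkdir -p "$keydir" && chmod 700 "$keydir" || { rm -rf "$home"; return 1; }
    # umask in a subshell so only the exported files are affected.
    ( umask 077
      gpg --homedir "$home" --armor --export "$email" > "$keydir/$keyname.pub" &&
      gpg --homedir "$home" --armor --export-secret-keys "$email" > "$keydir/$keyname.sec" )
    rc=$?
    rm -rf "$home"
    return $rc
}

# Return 0 when DIR is mode 700 and every file in it is mode 600, all owned
# by OWNER; print each offending path and return 1 otherwise.
gnupg_check_keydir() {
    dir=$1; owner=$2; rc=0
    info=$(stat -c '%a %U' "$dir" 2>/dev/null) || return 1
    [ "$info" = "700 $owner" ] || { echo "bad dir: $dir ($info)"; rc=1; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        info=$(stat -c '%a %U' "$f")
        [ "$info" = "600 $owner" ] || { echo "bad file: $f ($info)"; rc=1; }
    done
    return $rc
}

# Usage (placeholder names/paths):
#   sh keys.sh gen cauldron "John the plop" root@example.org 4096 /etc/gnupg/keys
#   sh keys.sh check /etc/gnupg/keys root
case "${1:-}" in
    gen)   shift; gnupg_gen_key "$@" ;;
    check) shift; gnupg_check_keydir "$@" ;;
esac
```

The check function is the part worth running from cron or from the sudo wrapper before any signing happens: a secret key file that has drifted to 644, or a directory re-created by the wrong account, fails the check loudly instead of being used silently.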
