[Mageia-sysadm] package signing

Michael Scherer misc at zarb.org
Sat Jan 22 21:42:44 CET 2011


On Friday, 21 January 2011 at 12:31 +0100, Michael scherer wrote:
> On Thu, Jan 20, 2011 at 07:55:38PM +0100, nicolas vigier wrote:
> > Hello,
> > 
> > I have started setup of package signing (and will continue tomorrow,
> > unless someone does it before).
> > 
> > What has been done:
> >  - signbot user created
> >  - signbot user added in schedbot group (to have write access on package
> >    files)
> >  - created script mga-signpackage to sign a package (in mdv-youri-submit
> >    bin directory), to be installed as /usr/bin/mga-signpackage
> >  - updated Sign action in mdv-youri-submit to run mga-signpackage script
> >    with "sudo -u signbot"
> > What remains to be done:
> 
> - push our sign action upstream 
> 
> >  - add sudoers config to allow schedbot to run mga-signpackage script
> >    with signbot account
> >  - change permissions on package directories, to allow write access for
> >    schedbot group
> >  - generate key with gnupg puppet module (maybe update the module to be
> >    able to change the path for keys)
> 
> - decide on the policy for gpg key, decide if we need to sign it or not.

We should also look at a potential key revocation system, in case of
key compromise. However, I have never looked beyond the basics of the
theory.

-- 
Michael Scherer
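As an added example (not code from this thread or from the Mageia build tools), the script below walks the key life cycle a signing bot like signbot needs and demonstrates the revocation point raised above: it generates a signing key in batch mode inside a throwaway keyring, keeps the revocation certificate that GnuPG 2.1 and later already write at key-creation time, and shows that importing that certificate is what flips the key to "revoked". The identity (`signbot@example.invalid`), the temporary paths and the key parameters are constructed for the demo; it assumes GnuPG 2.1 or newer with a working gpg-agent.

```shell
#!/bin/sh
# Added example, not code from the Mageia thread: generate a signing key,
# arm the revocation certificate GnuPG created alongside it, store that
# certificate, then import it and confirm the key is marked revoked.
# The identity, paths and key size below are constructed for the demo.
set -eu

# Per-call isolated keyring so nothing touches the real ~/.gnupg.
new_keyring() {
    home=$(mktemp -d)
    chmod 700 "$home"
    printf '%s\n' "$home"
}

# Validity field of the "pub" record in --with-colons output:
# "u" = ultimately trusted (our own key), "r" = revoked.
key_validity() {                  # $1 = GNUPGHOME, $2 = fingerprint
    GNUPGHOME="$1" gpg --batch --quiet --list-keys --with-colons "$2" 2>/dev/null \
        | awk -F: '$1 == "pub" { print $2; exit }'
}

# Create an unprotected demo signing key in batch mode and print its
# fingerprint. A production bot key would carry a passphrase held by the
# build infrastructure, or live on a hardware token.
make_signing_key() {              # $1 = GNUPGHOME
    GNUPGHOME="$1" gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Demo signbot
Name-Email: signbot@example.invalid
Expire-Date: 0
%commit
EOF
    GNUPGHOME="$1" gpg --batch --quiet --list-keys --with-colons 'signbot@example.invalid' \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# GnuPG >= 2.1 writes a revocation certificate to openpgp-revocs.d/<FPR>.rev
# at key creation, with a ':' in front of the BEGIN line so it cannot be
# imported by accident. Arming it removes that colon. The armed file is what
# belongs in offline storage, separate from the private key, so the key can
# still be revoked if the key material is lost or the signing host is taken.
arm_revocation_cert() {           # $1 = GNUPGHOME, $2 = fingerprint, $3 = output file
    sed 's/^:-----BEGIN/-----BEGIN/' "$1/openpgp-revocs.d/$2.rev" > "$3"
}

# Full cycle: key, revocation certificate, import, validity before/after.
demo_revocation() {
    home=$(new_keyring)
    fpr=$(make_signing_key "$home")
    before=$(key_validity "$home" "$fpr")
    arm_revocation_cert "$home" "$fpr" "$home/signbot-revoke.asc"
    GNUPGHOME="$home" gpg --batch --quiet --import "$home/signbot-revoke.asc" 2>/dev/null
    after=$(key_validity "$home" "$fpr")
    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
    printf '%s %s\n' "$before" "$after"   # "u r": trusted, then revoked
}

main() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; nothing to demonstrate" >&2
        return 0
    fi
    echo "validity before/after importing the revocation certificate: $(demo_revocation)"
}

main
```

Once the certificate has been imported into the bot's keyring, the revoked public key (or the certificate alone) is what gets published to the mirrors and keyservers so that `rpm -K` on client machines stops trusting packages signed with it; the certificate itself should be generated and stored at key-creation time, not after an incident.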