[Mageia-sysadm] package signing

Sat Jan 22 21:42:44 CET 2011

Le vendredi 21 janvier 2011 à 12:31 +0100, Michael scherer a écrit :
+> On Thu, Jan 20, 2011 at 07:55:38PM +0100, nicolas vigier wrote:
+> > Hello,
+> > 
+> > I have started setup of package signing (and will continue tomorrow,
+> > unless someone do it before).
+> > 
+> > What has been done :
+> >  - signbot user created
+> >  - signbot user added in schedbot group (to have write access on package
+> >    files)
+> >  - created script mga-signpackage to sign a package (in mdv-youri-submit
+> >    bin directory), to be installed as /usr/bin/mga-signpackage
+> >  - updated Sign action in mdv-youri-submit to run mga-signpackage script
+> >    with "sudo -u signbot"
+> > What remains to be done :
+> 
+> - push our sign action upstream 
+> 
+> >  - add sudoers config to allow schedbot to run mga-signpackage script
+> >    with signbot account
+> >  - change permissions on package directories, to allow write access for
+> >    schedbot group
+> >  - generate key with gnupg puppet module (maybe update the module to be
+> >    able to change the path for keys)
+> 
+> - decide on the policy for gpg key, decide if we need to sign it or not.
+
+We should also look for potential key revocation system too, in case of
+compromission. However, I never looked more than the basics of the
+theory.
+
+-- 
+Michael Scherer
+
+