An outline of package sign process in Copr¶
To sign packages we decided to use obs-signd 1. Unfortunately it doesn’t manage user keys in any way, but it’s possible to minimize Copr operations with gpg key-pairs.
host-sign: secure machine where key-pairs is stored in /usr/share/copr-keygen/gnupg/ it runs:
- [A] perl signd from obs-signd
- [B] copr-keygen service
host-build: backend where builds occurs and result rpms are signed by invocation of /bin/sign [C] from obs-signd
[C] is configured by /etc/sign.conf to access [A] at host-0
foo builds first package, service [B] will be invoked to generate
new keys (they will be contained in the keyring in
GPGHOMEDIR). Also it creates dummy file into PHRASESDIR,
that file indicates that user
foo exists for [A].
Finally [A] can sign packages for user
foo without receiving keys
copr-backend do everything related to sign through new module backend.sign which either runs [C] or calls [B].
- server: host of machine with signd
ensure that configs/sudoers/copr_signer is copied into /etc/sudoers.d/
- allow: list of backend hosts
- phrases: /var/lib/copr-keygen/phrases – location of PHRASESDIR
- obs-signd always run as root and doesn’t accept alternative
GPGHOMEDIR. To overcome this obstacle we added
/usr/bin/gpg_coprBash script wrapper which calls
gpg2with correct user and homedir