openSUSE:Build Service Signer
Description
The openSUSE Build Service supports signing RPM and DEB packages with a GPG key. The signing itself is largely automated; setting up the signer, however, is somewhat time-consuming and fiddly, and it occasionally produces problems you would rather not see. Make sure your OBS server is not serving builds while you set up the signer.
Guide
Required packages
You will need:
- the obs-signd package from the openSUSE:Tools repository
- a gpg2 package with the files-are-digests.patch applied
The obs-signd package (since roughly version 2.1.12) depends on the virtual package gpg2_signd_support, which is provided by the patched gpg2 package.
Starting with openSUSE 11.3 we ship a gpg2 that provides gpg2_signd_support. On other distributions, take the gpg2 sources from the openSUSE:Tools repository.
Setting up the GPG key
As root, use gpg to create a master key that carries subkeys for every encryption and signing algorithm that may be needed, as follows:
```
$ gpg --gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at Tue Aug  4 12:15:28 2015 CEST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: <the name of your build service>
Email address: <your e-mail address>
Comment:
You selected this USER-ID:
    "My Build Service <obsrun@localhost>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
(passphrase dialog)

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2015-08-04
pub   2048R/F86E2EDC 2010-08-05 [expires: 2015-08-04]
      Key fingerprint = E020 2A9C 1D89 662C A354  FB37 87DD A101 F86E 2EDC
uid                  My Build Service <obsrun@localhost>
sub   2048R/D849EAAB 2010-08-05 [expires: 2015-08-04]
```
Since packages may also be signed with DSA, you should add a DSA subkey:
```
$ gpg --edit F86E2EDC
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/F86E2EDC  created: 2010-08-05  expires: 2015-08-04  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/D849EAAB  created: 2010-08-05  expires: 2015-08-04  usage: E
[ultimate] (1). My Build Service <obsrun@localhost>

Command> addkey
(passphrase dialog)
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2015-08-04
```
Replace "2015-08-04" with the actual expiry date of your master key, so that the subkey expires at the same time as the master key.
Some programs [which?] cannot handle 2048-bit DSA; if you are affected by this, use a 1024-bit DSA key instead.
```
Key expires at Mon Aug 24 11:59:24 2015 CEST
Is this correct? (y/N) y
Really create? (y/N) y

pub  2048R/F86E2EDC  created: 2010-08-05  expires: 2015-08-04  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/D849EAAB  created: 2010-08-05  expires: 2015-08-04  usage: E
sub  2048D/D5C8DB1B  created: 2010-08-05  expires: 2015-08-24  usage: S
[ultimate] (1). My Build Service <obsrun@localhost>
```
Repeat the addkey step, this time choosing Elgamal (make sure your Elgamal key is 2048 bits [why?]). In the end you have every key type that might be used collected in a single key:
```
pub  2048R/F86E2EDC  created: 2010-08-05  expires: 2015-08-04  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/D849EAAB  created: 2010-08-05  expires: 2015-08-04  usage: E
sub  2048D/D5C8DB1B  created: 2010-08-05  expires: 2015-08-24  usage: S
sub  2048g/D4A6E8F1  created: 2010-08-05  expires: 2015-08-24  usage: E
[ultimate] (1). My Build Service <obsrun@localhost>
```
Preparing the signer
Create a directory, /root/.phrases.
In it, create a file named after the e-mail address in your GPG key, in our example obsrun@localhost. The content of the file is the passphrase of your key, without any trailing newline. Because this is the passphrase in clear text, keep the directory and the file readable by root only (mode 700 and 600).
Now run the following command:
For some reason, sign looks for them in both /root and /; they must exist in both places.
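The interactive session above can be scripted. The following shell script is an added example, not code from this page or from obs-signd: it creates the same key layout non-interactively (RSA master key plus RSA encryption subkey, then DSA signing and Elgamal encryption subkeys, all expiring on the same ISO date, as the text advises) and writes the phrase file without a trailing newline and with root-only permissions. It assumes GnuPG 2.1.13 or newer (for --quick-add-key and loopback pinentry), which is newer than the patched gpg2 the page describes, so confirm that your patched gpg2 is based on such a version before relying on it. The name, e-mail address, expiry date, phrases directory and passphrase are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example: unattended creation of an OBS signing key and its phrase file.
# Assumes GnuPG >= 2.1.13 (--quick-add-key, loopback pinentry).
set -eu

# Print a GnuPG batch parameter file for the master key and the first subkey
# ("Unattended GPG key generation" format from the GnuPG manual).
gen_params() {
    name=$1 email=$2 expire=$3 passphrase=$4
    cat <<EOF
%echo generating OBS signing key for $email
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: $name
Name-Email: $email
Expire-Date: $expire
Passphrase: $passphrase
%commit
EOF
}

# Write the passphrase file sign expects: named after the key's e-mail
# address, readable by root only, and without a trailing newline.
write_phrase_file() {
    dir=$1 email=$2 passphrase=$3
    mkdir -p "$dir" && chmod 700 "$dir"
    # subshell so the restrictive umask does not leak into the caller
    (umask 077 && printf '%s' "$passphrase" > "$dir/$email")
    chmod 600 "$dir/$email"
}

# Fingerprint of the primary key for an e-mail address in the current GNUPGHOME.
primary_fpr() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Build the complete key (master + RSA/DSA/Elgamal subkeys) and print the
# armored public key, ready to be redirected into the key file OBS reads.
# The expiry is passed as an ISO date (e.g. 2015-08-04) so that every subkey
# expires together with the master key.
create_signer_key() {
    name=$1 email=$2 expire=$3 phrases_dir=$4 passphrase=$5
    write_phrase_file "$phrases_dir" "$email" "$passphrase"
    gen_params "$name" "$email" "$expire" "$passphrase" | gpg --batch --gen-key
    fpr=$(primary_fpr "$email")
    for spec in "dsa2048 sign" "elg2048 encr"; do
        set -- $spec    # $1 = algorithm, $2 = usage
        gpg --batch --pinentry-mode loopback \
            --passphrase-file "$phrases_dir/$email" \
            --quick-add-key "$fpr" "$1" "$2" "$expire"
    done
    gpg --armor --export "$fpr"
}

# Usage (as root):
#   sh make-signer-key.sh "My Build Service" obsrun@localhost 2015-08-04 \
#       /root/.phrases 'the passphrase' > /etc/ourkeyfile.asc
if [ $# -eq 5 ]; then
    create_signer_key "$@"
fi
```

The passphrase is taken from the command line only for brevity; on a shared host read it from a file or prompt for it instead, since arguments are visible in the process list.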
Configuring the signer
First export the public key so that OBS can use it:
```
gpg --armor --export F86E2EDC > /etc/ourkeyfile.asc
```
Edit /usr/lib/obs/server/BSConfig.pm and change it to the following:
```perl
our $gpg_standard_key = "<path to key file>";   # e.g. "/etc/ourkeyfile.asc", as exported above
our $sign = '/usr/bin/sign';
# sign can be called with the project name as an extra "--project $NAME" argument
our $sign_project = 0;
# global signing key
our $keyfile = '<path to key file>';
# create a key for new projects by default when the top-level project has none
our $forceprojectkeys = 1;
```
The key file is the key you created, exported in .asc format (the public key only; never put the secret key there). Uncommenting $sign tells the build server to use the signer.
Now edit /etc/sign.conf:
```
user: obsrun@localhost
allowuser: obsrun
allow: 127.0.0.1
phrases: /root/.phrases
```
This allows signing with the key: user: names the key (and thus the phrase file) to use, allowuser: the local user permitted to call sign, allow: the host permitted to talk to signd, and phrases: the directory holding the passphrase files.
If you run a version older than obs-signd-2.1.2, /etc/permissions.d/sign does not exist yet; create it with the following content:
```
/usr/bin/sign root:obsrun 4750
```
Do not forget to run SuSEconfig --module permissions after creating the file. This makes sign setuid root but executable only by members of the obsrun group, so only the OBS user can reach the passphrase files through it.
Activating the signer
Run:
```
sudo systemctl enable obssignd.service
sudo systemctl enable obssigner.service
sudo systemctl start obssignd.service
sudo systemctl start obssigner.service
```
Now you are ready to sign.
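Before enabling the services it pays to verify that the pieces above fit together. The following checker is an added example, not part of this page or of obs-signd: it reads /etc/sign.conf, checks the phrase file (present, non-empty, no trailing newline, root-only), the mirror of the phrases directory under /, the exported key file (an armored public key with no secret key block), the permissions of /usr/bin/sign, and whether the GNUPGHOME the daemon will use contains a secret key for the configured user (the cause of the "No secret key found" problem discussed under Troubleshooting). The default paths match the text; GNUPGHOME_SIGND (/obs/gnupg) and KEYFILE (/etc/ourkeyfile.asc) are assumptions you override for your setup.

```shell
#!/bin/sh
# Added example: sanity checks for the OBS signer setup described on this page.
# Defaults follow the text; override via environment variables.
set -u
SIGN_CONF=${SIGN_CONF:-/etc/sign.conf}
SIGN_BIN=${SIGN_BIN:-/usr/bin/sign}
KEYFILE=${KEYFILE:-/etc/ourkeyfile.asc}          # assumption: the export path used above
GNUPGHOME_SIGND=${GNUPGHOME_SIGND:-/obs/gnupg}   # assumption: what the init script exports

# Value of the first "key: value" line in sign.conf.
conf_value() { awk -v k="$2" -F': *' '$1==k{print $2; exit}' "$1"; }

# The phrase file must exist, be non-empty, end without a newline and be
# unreadable by group/others (it holds the key passphrase in clear).
phrase_file_ok() {
    f=$1
    [ -s "$f" ] || return 1
    [ -n "$(tail -c 1 "$f")" ] || return 1   # last byte is not '\n'
    [ -z "$(find "$f" -prune \( -perm -g+r -o -perm -o+r \) -print)" ] || return 1
}

# The key file OBS reads must be an ASCII-armored *public* key; a secret key
# block there would hand the signing key to anyone who can read /etc.
keyfile_ok() {
    grep -q -e '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1" &&
    ! grep -q -e 'PRIVATE KEY BLOCK' "$1"
}

# sign must be setuid root and unreachable by "others": root:obsrun 4750.
sign_bin_ok() {
    [ -u "$1" ] &&
    [ -z "$(find "$1" -prune \( -perm -o+r -o -perm -o+w -o -perm -o+x -o -perm -g+w \) -print)" ]
}

# Phrase file implied by sign.conf: <phrases dir>/<user>.
phrase_file_for_conf() {
    printf '%s/%s\n' "$(conf_value "$1" phrases)" "$(conf_value "$1" user)"
}

check_all() {
    rc=0
    user=$(conf_value "$SIGN_CONF" user)
    pf=$(phrase_file_for_conf "$SIGN_CONF")
    phrase_file_ok "$pf" ||
        { echo "BAD: phrase file $pf (missing, empty, trailing newline, or too permissive)"; rc=1; }
    [ -d "/$(basename "$(dirname "$pf")")" ] ||
        { echo "BAD: no copy of $(dirname "$pf") directly under /"; rc=1; }
    keyfile_ok "$KEYFILE" || { echo "BAD: $KEYFILE is not an armored public key"; rc=1; }
    sign_bin_ok "$SIGN_BIN" || { echo "BAD: $SIGN_BIN should be root:obsrun 4750"; rc=1; }
    GNUPGHOME=$GNUPGHOME_SIGND gpg --batch --list-secret-keys "$user" >/dev/null 2>&1 ||
        { echo "BAD: no secret key for $user in $GNUPGHOME_SIGND (GNUPGHOME mismatch?)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "signer setup looks sane"
    return "$rc"
}

# Usage (as root): sh check-signer.sh --check
if [ "${1-}" = "--check" ]; then
    check_all
fi
```

Run it as root after editing BSConfig.pm and sign.conf and before the systemctl commands; a non-zero exit status means at least one of the checks failed and says which.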
Troubleshooting
--project
$sign_project causes the signer to be called with an extra --project $projectname argument. This is meant for sign implementations other than obs-sign which may do their own key management.<ref>http://lists.opensuse.org/opensuse-buildservice/2010-08/msg00035.html</ref>
No global key
Leaving $keyfile in BSConfig.pm empty or commented out will cause packages in a project that has no signkey available to remain stuck in the "signing" state until signing can be performed.
No secret key found and GNUPGHOME
The /etc/init.d/obssignd script from the obs-signd-2.1.2-1.1 rpm package sets GNUPGHOME to /obs/gnupg before starting the signd daemon. If you followed the instructions above, your keys live in /root/.gnupg, so signd does not find the secret key.
One solution is to copy /root/.gnupg to /obs/gnupg, or to use a symlink. Another is to set GNUPGHOME in /etc/sysconfig/signd (see /var/adm/fillup-templates/sysconfig.signd).