Docs/defensive-coding-guide
2
0
Fork 0
Code Issues 3 Pull requests 1 Projects Releases Packages Wiki Activity Actions

link to packaging guidelines on generating certificates

Browse source 
In addition make sure that getrandom() is mentioned.

Resolves #15
This commit is contained in:
Nikos Mavrogiannopoulos 2017-08-23 15:00:03 +02:00
parent ee5ed3cb25
commit 033cc8d450
1 changed files with 13 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

18
en-US/Tasks-Packaging.xml
View file

@ -21,7 +21,8 @@
when preparing system images for use in the cluster is
reasonable. For other use cases, it is necessary to generate
the key pair before the service is started for the first time,
see <xref linkend="sect-Defensive_Coding-Tasks-Packaging-Certificates-Service"/>.
see <xref linkend="sect-Defensive_Coding-Tasks-Packaging-Certificates-Service"/>,
and <ulink url="https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup#Generating_Self-Signed_Certificates">Packaging:Initial Service Setup</ulink>.
</para>
<important>
<para>
@ -149,8 +150,7 @@ fi
Creating the key pair at package installation time (see <xref
linkend="sect-Defensive_Coding-Tasks-Packaging-Certificates"/>)
would put the key into the image, which may or may not make
sense.
</para>
sense. </para>
<important>
<para>
The caveats about the way the key is generated in <xref
@ -163,13 +163,21 @@ fi
early during boot, when the kernel randomness pool has not yet
been initialized. Currently, the only way to check for the
initialization is to look for the kernel message
<literal>random: nonblocking pool is initialized</literal>. In
theory, it is also possible to read from
<literal>random: nonblocking pool is initialized</literal>, or
ensure that the application used for generating the keys
is utilizing the <filename>getrandom()</filename> system call.
</para>
<para>
In theory, it is also possible to use an application which reads from
<filename>/dev/random</filename> while generating the key
material (instead of <filename>/dev/urandom</filename>), but
this can block not just during the boot process, but also much
later at run time, and generally results in a poor user
experience.
</para>
<para>
The requirements for generating such keys is documented at
<ulink url="https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup#Generating_Self-Signed_Certificates">Packaging:Initial Service Setup</ulink>.
</para>
</section>
</chapter>