Add cert details and notes to create release signing keys
Signed-off-by: Samyak Jain <samyak.jn11@gmail.com>
This commit is contained in: parent 3baf1b9c98, commit bb16b70b8f. 1 changed file with 29 additions and 1 deletion.
@ -10,6 +10,13 @@ At the beginning of each release under development, a new package signing key is
Sigul is the signing server that holds our keys. To make use of a new key, it must be created and access to the key granted. The `new-key`, `grant-key-access`, and `change-passphrase` commands are used.
These are to be running on `bodhi-backend01` machine.
[source, bash]
----
$ ssh bodhi-backend01.iad2.fedoraproject.org
----
[source, bash]
----
$ sigul new-key --help
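Review bot: the added sentence "These are to be running on `bodhi-backend01` machine." is ungrammatical; it should read "These commands are to be run on the `bodhi-backend01` machine." The new login block also gives only `$ ssh bodhi-backend01.iad2.fedoraproject.org`, whereas the Koji section further down in this same file tells the reader to log in "by way of bastion.fedoraproject.org"; if the same bastion hop applies to bodhi-backend01, say so in this block, otherwise a reader following the page top to bottom will not know which host to connect from.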
@ -91,9 +98,16 @@ $ sigul new-key --key-admin ausil --key-type ECC fedora-23-ima
$ sigul grant-key-access fedora-23 kevin
----
[NOTE]
====
You can add --key-admin=true here to make a particular user key-admin for the key
====
[NOTE]
====
**IMPORTANT:** Grant access to the autopen user as it's required for robosignatory autosigning and then restart the robosignatory service.
Make sure when granting key access you should use the autosign/robosignatory passphrase.
====
. Provide the key name and temporary passphrase to signers. If they don't respond, revoke access until they are ready to change their passphrase. Signers can change their passphrase using the `change-passphrase` command:
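Review bot: the new admonition tells the reader to grant access to the `autopen` user but never shows the command, even though the line just above it (`$ sigul grant-key-access fedora-23 kevin`) establishes the pattern; add the concrete form, e.g. `$ sigul grant-key-access fedora-23 autopen`, and give the actual restart command instead of "restart the robosignatory service", since the page does not say how that service is restarted. The second sentence, "Make sure when granting key access you should use the autosign/robosignatory passphrase.", is ungrammatical and leaves unclear which passphrase is meant and where it comes from; suggest "When granting access to `autopen`, use the passphrase configured for robosignatory (autosign)" and name the canonical place that passphrase is kept if the docs have one. Two formatting points: AsciiDoc has an `[IMPORTANT]` admonition, so `[NOTE]` with a bold `**IMPORTANT:**` prefix should simply be `[IMPORTANT]`, and the stray blank line before the closing `====` can be dropped.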
@ -119,6 +133,20 @@ sigul_setup_client
to add a new one.
=== Adding Certificates for IMA Keys
We now need to create an IMA certificate signed by our Sigul CA and get it to the kernel maintainers. This must be done after the IMA key is created.
[source, bash]
----
$ sigul -v -v sign-certificate fedorasigulca fedora-41-ima --issuer-certificate-name fedorasigulca --subject-certificate-name fedoraimafourtyone --validity 2y --certificate-type codesigning --subject "CN=Fedora 41 IMA Code-signing cert" > fedora-41-ima.pem
----
NOTE: Change the name from `41/fourtyone` to the appropriate release version.
We need to find the best way to get the certificate to the kernel maintainers. It is recommended to ask them directly. Additionally, we need to add it to `fedora-repos` like the other keys.
=== fedora-repos
The `fedora-repos` package houses a copy of the public key information. This is used by RPM to verify the signature on files encountered. Currently, the `fedora-repos` package has a single key file named after the version of the key and the arch the key is for.
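Review bot: the `sign-certificate` command hardcodes the release in four places (`fedora-41-ima`, `fedoraimafourtyone`, `CN=Fedora 41 IMA Code-signing cert` and the output file `fedora-41-ima.pem`) and then relies on a NOTE asking the reader to change them, while the earlier `new-key` example in this same file uses `fedora-23-ima`; pick one convention, ideally a placeholder such as `fedora-NN-ima` used consistently with the surrounding steps, so that a copy-paste with the wrong release number is less likely. "We need to find the best way to get the certificate to the kernel maintainers. It is recommended to ask them directly." is a to-do rather than a procedure: state the actual handoff (whom to contact or where the file is delivered), or mark the step explicitly as unresolved. Two gaps worth filling before this is merged: a verification step after signing, e.g. `openssl x509 -in fedora-41-ima.pem -noout -text` to confirm the subject, issuer and validity period before the certificate is sent anywhere or committed to `fedora-repos`, and a sentence on what `--validity 2y` means for renewal, since nothing here says what happens when the certificate expires while the IMA key is still in use.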
@ -443,7 +471,7 @@ You may wish to do this in a tempoary directory to make cleaning it up easy.
=== Koji
Log into koji02.phx2.fedoraproject.org by way of bastion.fedoraproject.org.
Log into koji02.iad2.fedoraproject.org by way of bastion.fedoraproject.org.
Verify that ``/etc/koji-gc/koji-gc.conf`` has the new key in it.
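Review bot: this hunk only changes the Koji hostname from `koji02.phx2.fedoraproject.org` to `koji02.iad2.fedoraproject.org`, which is unrelated to the commit message ("Add cert details and notes to create release signing keys"); either mention the hostname fix in the message or split it into its own commit so the history explains why the host changed. The typo `tempoary` in the hunk's context line (`You may wish to do this in a tempoary directory`) is pre-existing, but since this file is being touched it could be corrected in the same pass.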