To sign packages we decided to use obs-signd. Unfortunately it doesn't manage user keys in any way, but it's possible to minimize Copr operations with gpg key-pairs.
host-sign: secure machine where key-pairs are stored in /usr/share/copr-keygen/gnupg/. It runs:
- [A] perl signd from obs-signd
- [B] copr-keygen service
host-build: backend where builds occur and the resulting rpms are signed by invoking /bin/sign [C] from obs-signd.
[C] is configured by /etc/sign.conf to access [A] at host-0.
When user foo builds their first package, service [B] is invoked to generate new keys (they are stored in the keyring in GPGHOMEDIR). It also creates a dummy file in PHRASESDIR; that file indicates to [A] that user foo exists. Finally, [A] can sign packages for user foo without receiving keys over the network.
copr-backend does everything related to signing through the new module backend.sign, which either runs [C] or calls [B].
- server: host of machine with signd
- ensure that configs/sudoers/copr_signer is copied into /etc/sudoers.d/
- /etc/sign.conf:
  - allow: list of backend hosts
  - phrases: /var/lib/copr-keygen/phrases -- location of PHRASESDIR
- NB:
  - obs-signd always runs as root and doesn't accept an alternative GPGHOMEDIR. To overcome this obstacle we added /usr/bin/gpg_copr.sh, a Bash script wrapper which calls gpg2 with the correct user and homedir.
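
The configuration items above can be checked on the signing host with a short audit script. This is an added example, not code from Copr or obs-signd. It assumes sign.conf uses "key: value" lines with allow: hosts separated by spaces or commas; the function names and the rule that the keyring directory carries no group/other permission bits are this example's own.

```bash
#!/bin/sh
# Added example, not Copr or obs-signd code. Assumed sign.conf syntax:
# "key: value" lines, with allow: hosts separated by spaces or commas.
# Usage: audit_sign_host ROOT "EXPECTED BACKEND HOSTS"  (ROOT is / on a live host)
# Prints one line per finding and returns the number of findings (0 = clean).

conf_values() {  # conf_values FILE KEY -> one value per line
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tr ', \t' '\n\n\n' | sed '/^$/d'
}

audit_sign_host() {
    root=$1; expected=$2; findings=0
    conf="$root/etc/sign.conf"
    gpghome="$root/usr/share/copr-keygen/gnupg"
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

    [ -f "$conf" ] || { echo "FAIL: $conf is missing"; return 1; }

    # 1. Only the known backend hosts may ask signd for signatures.
    allowed=$(conf_values "$conf" allow)
    [ -n "$allowed" ] || fail "no allow: entry in $conf"
    set -f  # treat config values literally, no glob expansion
    for host in $allowed; do
        case " $expected " in
            *" $host "*) ;;
            *) fail "unexpected host in allow: $host" ;;
        esac
    done
    set +f

    # 2. phrases: must be the PHRASESDIR that copr-keygen writes marker files to.
    phrases=$(conf_values "$conf" phrases)
    [ "$phrases" = "/var/lib/copr-keygen/phrases" ] || fail "phrases: is '$phrases'"

    # 3. The sudoers drop-in must be installed.
    [ -f "$root/etc/sudoers.d/copr_signer" ] || fail "sudoers.d/copr_signer is missing"

    # 4. The keyring directory must carry no group or other permission bits.
    if [ -d "$gpghome" ]; then
        mode=$(ls -ld "$gpghome" | cut -c5-10)
        [ "$mode" = "------" ] || fail "$gpghome is accessible to group/other"
    else
        fail "$gpghome is missing"
    fi
    return "$findings"
}
```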