Open main menu

CDOT Wiki β

Changes

Sigul Signing Server Setup

8 bytes added, 13:36, 14 May 2015
no edit summary
What the server does: The server is completley cutoff from the rest of the world, It should be firewalled off except for incoming ports from the bridge, and should only be able to speak to the bridge, for max security, ensure it has no external access from other machines or even the web. It hold's all of the key files used for signing the RPMS, so no other users will have access to the key files, the server is the only system that knows the keys.
To begin setup, we have to follow a similar process to the bridge with NSS, except that we will import the CA cert generated on the bridge, not generate a new onelocally.
Add bridge hostname to /etc/hosts:
[IP address of the server] sigul-server-hostname
To begin setup, we have to follow a similar process to the bridge with NSS, except that we will import the CA cert generated on the bridge, not generate a new onelocally.
1) Create the NSS database on the client, to hold the certificate information issue the following
5) After configuring your client, issue a test client command in DEBUG mode as follows:
sigul -v -v list-users
* This should return a list of users on the server, at this point it should only really display the one admin user created before
* Help on more commands:
1) As ROOT on the sigul bridge, edit /etc/sigul/bridge.conf edit the koji section as follows:
[koji] koji-config: /path/to/koji/config/file <-- The config file should be that of koji web
2) The koji configuration file and certs can reside under any directory that sigul has atleast read privileges on. The kojiweb certificates that allow kojiweb to authenticate with koji must be copied to this directory, along with the config file which points to the koji instance, as well as the kojiweb certs needed for it to authenticate.
4) To test issue the following on the client, to download and RPM from koji - sign it - and store it locally - Just as a test for koji connectivity and authentication:
sigul sign-rpm -o signed.rpm key_name unsigned.rpm <--  '''key_name ''' should be the name of the sigul key you setup previously. - If the above is successful, you will have an rpm named signed.rpm in the directory you are working in.
=Sigul Client Config Script=