EMI package signing procedure
Preparing the Signing Infrastructure
- Generate a key like this
- Generate a revocation certificate like this. It will probably never be used, but it is always good to have one.
- Back up the key in this way
- Nominate a place where public key will be published, and circulate this information using the relevant lists and tools. See here.
- Nominate 2 people who are allowed to own the key and who know the password; they will be the signing responsible persons (SRPs). See here.
Signing Procedure
Generating the key
GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC4880.
Steps followed to generate the EMI signing key:
- Disconnect the computer from the network, and disable Wi-Fi and Bluetooth
- Create a temporary directory
mydir=`mktemp -d /tmp/tmpXXXXXX`
chmod 700 $mydir
export GNUPGHOME="$mydir"
gpg --gen-key
Answer the questions; choose a key length of 2048 bits and no expiry date.
- Back up the key immediately to a USB drive
- Completely delete the key files from the hard disk (using the "shred" utility) and then remove the directory; shred must run before the directory is deleted, and the variable name is unset without a leading "$"
shred -fv -n 30 --remove "$mydir"/*
rm -rf "$mydir"
unset GNUPGHOME
- Unmount and remove USB drive, reboot computer.
- Now, the computer can be reconnected to the network.
Generating the revocation certificate
A revocation certificate is necessary if the private key has been compromised or its password lost. It will probably never be used, but it is always good to have one.
gpg --output revoke.asc --gen-revoke keyID
The generated revocation certificate is short. It was printed out on a printer not connected to any network and is kept separately from the private key, but still in a very safe place.
Backing up the key
- The public part of the key was exported using:
gpg -ao certifkey.pub --export keyID
- The private part was exported using:
gpg -ao certifkey.key --export-secret-keys keyID
- A paper copy of the private key was backed up, together with a copy on a USB drive
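The key generation, revocation certificate and backup steps above, combined into one script, as an added example that is not part of the original page. The key uid, the backup mount point /media/usb and the file names written there are assumptions; gpg itself still prompts interactively for the key parameters and the revocation reason, exactly as in the procedure. The cleanup descends into subdirectories because gpg 2.x stores secret keys under private-keys-v1.d/ rather than in a single secring.gpg file, so shredding only the top-level files would leave key material behind.

```shell
#!/bin/sh
# Added example, not from the EMI page: generate the signing key offline in a
# throw-away GNUPGHOME, export public key, private key and revocation
# certificate to the backup mount, then shred the working directory.
# Key uid, backup path and file names are assumptions; adapt before use.
set -u

# make_temp_gnupghome: create a mode-0700 scratch directory and print its path
make_temp_gnupghome() {
    dir=$(mktemp -d /tmp/tmpXXXXXX) || return 1
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# secure_cleanup DIR: shred every regular file below DIR, then remove the tree.
# find is used instead of DIR/* so that private-keys-v1.d/ (gpg 2.x) is covered.
secure_cleanup() {
    dir=$1
    if command -v shred >/dev/null 2>&1; then
        find "$dir" -type f -exec shred -f -n 30 --remove {} \;
    else
        echo "warning: shred not found, key files are only unlinked" >&2
    fi
    rm -rf "$dir"
    [ ! -e "$dir" ]
}

# generate_and_backup KEYUID BACKUP_DIR: the page's gpg steps inside the
# scratch GNUPGHOME. BACKUP_DIR is the mounted USB drive (assumed path).
generate_and_backup() {
    uid=$1
    backup=$2
    GNUPGHOME=$(make_temp_gnupghome) || return 1
    export GNUPGHOME
    gpg --gen-key || return 1                      # interactive, as on the page
    # long key id is field 5 of the "pub" record in --with-colons output
    keyid=$(gpg --list-keys --with-colons "$uid" | awk -F: '$1=="pub"{print $5; exit}')
    [ -n "$keyid" ] || return 1
    gpg -ao "$backup/certifkey.pub" --export "$keyid" || return 1
    gpg -ao "$backup/certifkey.key" --export-secret-keys "$keyid" || return 1
    gpg --output "$backup/revoke.asc" --gen-revoke "$keyid" || return 1
    gpg --fingerprint "$keyid" > "$backup/fingerprint.txt"   # for the website
    secure_cleanup "$GNUPGHOME"
    unset GNUPGHOME
}

# The full procedure runs only when the script is invoked with the argument
# "run", so sourcing or testing this file never starts an interactive gpg session.
if [ "${1:-}" = run ]; then
    generate_and_backup "EMI Release <placeholder@example.org>" /media/usb
fi
```

Run it as `sh keygen.sh run` on the disconnected machine with the USB drive mounted; afterwards the only copies of the private key are on the drive (and on paper), and the scratch directory has been shredded.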
Compromised key
Password is compromised
If the password of the private key has been compromised but the key itself has not been used, the password on the private key can be changed with
gpg --edit-key keyID passwd
Private key is compromised
If there is a chance that the private key is compromised, it will be revoked immediately. If the public key was part of a keyring, then the revocation certificate will be posted to the same keyring in exactly the same way as the key was posted. The keyring servers are add-only, so there is no way to withdraw a revocation certificate: once it is posted, the key is revoked.
Publishing the key
The public part of the key is:
- published on the project's website together with its fingerprint.
- included in the emi-release package, in file /etc/pki/rpm-gpg/RPM-GPG-KEY-emi
Signing rpm packages
Import the key
In order to sign the package one has to import the keys. To restore the key from the backup, simply import it with
gpg --import certifkey.key
Signing the packages
Once the SA1 QC team has declared the component release candidates verified, and before the packages are moved from the Candidate Release repository into the EMI Production repository, the packages are signed as follows:
- copy the packages from the Candidate Release repository to the signing-dedicated-machine
- disconnect the signing-dedicated-machine from the network
- restore the key from the back-up
gpg --import certifkey.key
- import the public key into the RPM DB and add the following to the ~/.rpmmacros file
%_signature gpg
%_gpg_path /path/to/key_dir/
%_gpg_name <Name which is in the gpg key>
- if package was not signed before
# rpm --addsign *.rpm
- or overwrite and re-sign the package
# rpm --resign *.rpm
- verify the signatures
- check that the public key is in the RPM database:
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
rpm -K package.rpm
- remove the keys
- reconnect the signing-dedicated-machine to the network and copy the packages into the EMI Production repository
How to verify the signed packages
To check a package's digital signature, first import the public key into the RPM database:
wget http://.../RPM-GPG-KEY-emi
rpm --import RPM-GPG-KEY-emi
To check that the public key has really been imported use the command
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
To check the signed packages use the command:
rpm -K package.rpm
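The "verify the signatures" step of the signing procedure and the verification commands above both rely on reading the output of rpm -K, and rpm -K exits 0 for an unsigned package whose digests are intact, so its exit status alone does not prove a package is signed. The following added example (not from the original page) classifies each rpm -K output line and accepts a package only when a signature token (gpg, pgp or signatures) appears on the line and the result is OK. The sample lines are constructed in the format of rpm 4.x output with placeholder package names.

```shell
#!/bin/sh
# Added example, not from the EMI page: classify `rpm -K` output lines so
# that an unsigned or wrongly signed package cannot be published as "OK".
# SAMPLE_OUTPUT is constructed to mimic rpm 4.x output; names are placeholders.
SAMPLE_OUTPUT='emi-release-1.0.0-1.sl5.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
unsigned-tool-2.1-3.el5.x86_64.rpm: sha1 md5 OK
foreign-0.9-1.el5.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#deadbeef)
tampered-1.2-1.el5.noarch.rpm: sha1 md5 NOT OK
modern-3.0-1.el8.x86_64.rpm: digests signatures OK'

# classify_line LINE: print SIGNED_OK, UNSIGNED, BAD_SIG, BAD_DIGEST or UNKNOWN.
# Only the status text after "file: " is inspected, so a package name that
# happens to contain "sign" or "gpg" cannot influence the verdict.
classify_line() {
    status=${1#*: }
    case "$status" in
        *"NOT OK"*)
            case "$status" in
                *[gG][pP][gG]*|*[pP][gG][pP]*|*[sS][iI][gG][nN]*) echo BAD_SIG ;;
                *) echo BAD_DIGEST ;;
            esac ;;
        *" OK")
            case "$status" in
                *[gG][pP][gG]*|*[pP][gG][pP]*|*[sS][iI][gG][nN]*) echo SIGNED_OK ;;
                *) echo UNSIGNED ;;   # digests match but no signature was checked
            esac ;;
        *) echo UNKNOWN ;;
    esac
}

# audit_output: read rpm -K lines on stdin, print a verdict per package and
# return 0 only if every package is SIGNED_OK.
audit_output() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_line "$line")
        printf '%-11s %s\n' "$verdict" "${line%%:*}"
        [ "$verdict" = SIGNED_OK ] || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# check_packages FILE...: run the real check on packages about to be published
check_packages() {
    rpm -K "$@" | audit_output
}

# Stand-alone demonstration on the constructed sample (two packages are rejected)
printf '%s\n' "$SAMPLE_OUTPUT" | audit_output \
    || echo "at least one package must not be moved to the production repository" >&2
```

On the signing machine, `check_packages *.rpm` replaces the bare `rpm -K` call and fails the step if any package is unsigned, signed with an unknown key, or has a bad digest.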
--
DoinaCristinaAiftimiei - 03-May-2011