
sign-rpms: remove GPG_PASSPHRASE #2126

Open: wants to merge 1 commit into base: main

Conversation

@ktdreyer (Member) commented Apr 7, 2023

We don't need this argument, and I'm not sure it ever worked.

I entered the passphrase (Nitrokey PIN) into gpg-agent prior to running this script, and that seems sufficient.

@ktdreyer ktdreyer requested review from zmc and dmick April 7, 2023 15:51
@ktdreyer (Member, Author) commented Apr 7, 2023

Well, maybe this needs more experimentation. I thought the workflow was:

  1. David boots the VM
  2. David runs a command to unlock gpg-agent once (echo hi | gpg --clearsign -u security@ceph.com would bring up the pinentry prompt)
  3. Someone does a release, using the already-unlocked gpg-agent

I've never tested --passphrase with a hardware signing device before. And the question of "how widely do we share the PIN" (assuming the PIN is the passphrase?)...

@dmick (Member) commented Jul 26, 2023

@ktdreyer what do you think is the right path forward with this?

@ktdreyer (Member, Author) commented:

Recording the notes from our discussion today here, the path forward would be:

  1. Document the correct / expected way to activate gpg-agent (someone has to enter the PIN, minimally after every boot. We should not share that PIN widely.)
  2. Instead of this giant echo yes | ... command, we should experiment with a more modern way to sign RPMs with this hardware signer. I think we can simply run rpmsign --define "_gpg_name security@example.com" --addsign *.rpm as documented in Koji's docs
  3. Merge add RPM signing support merfi#65, so we have the implementation in unit-testable Python, and we don't have to maintain this script any more
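The workflow discussed above (unlock gpg-agent interactively once, then sign with rpmsign via _gpg_name instead of piping a passphrase) as an added shell example; this is not ceph-build's sign-rpms script. The key id, RPM paths and the GPG/RPMSIGN/RPMKEYS variables are assumptions so the binaries can be overridden.

```shell
#!/bin/sh
# Added example, not the project's script. Probes gpg-agent before signing so
# a release job fails fast instead of prompting for the PIN, and never passes
# the PIN on the command line or in the environment.
GPG=${GPG:-gpg}             # assumed override points, e.g. for testing
RPMSIGN=${RPMSIGN:-rpmsign}
RPMKEYS=${RPMKEYS:-rpmkeys}

# Returns 0 only if gpg can sign with $1 without any pinentry interaction,
# i.e. someone already unlocked the agent / smartcard after boot.
# --pinentry-mode error makes gpg exit non-zero instead of prompting.
agent_can_sign() {
    key=$1
    printf 'probe\n' | "$GPG" --batch --no-tty --pinentry-mode error \
        --local-user "$key" --clearsign >/dev/null 2>&1
}

# Signs the given RPMs with rpmsign using the key named by _gpg_name, as
# proposed in the thread. Exit codes: 0 signed, 2 agent not unlocked,
# 1 rpmsign failed. No passphrase handling happens here at all.
sign_rpms() {
    key=$1; shift
    if ! agent_can_sign "$key"; then
        echo "gpg-agent is not unlocked for $key;" \
             "run 'gpg --clearsign -u $key' interactively once after boot" >&2
        return 2
    fi
    "$RPMSIGN" --define "_gpg_name $key" --addsign "$@" || return 1
}

# Post-check: every package must carry a good signature from an imported
# public key (rpmkeys reports NOKEY / BAD and exits non-zero otherwise).
verify_rpms() {
    "$RPMKEYS" --checksig "$@"
}

# Usage: sign_rpms security@example.com ./*.rpm && verify_rpms ./*.rpm
```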
