Yup, "industry grade" secure signing is a whole different ballgame. This
feature is aimed towards the shallow end of the pool - casual local builders,
and driving wholly unsigned packages to extinction in that space. One should
keep in mind that the driving force for this change is enabling the enforcing
signature check mode by default in rpm: how to keep local builds convenient in
that setup without pushing users to --nosignature on everything.
What follows is more or less a braindump of what I've been thinking about; if
it seems half mad, I have the excuse of a poor night's sleep :sweat_smile:
Thoughts and comments very welcome, this is all very much subject to change:
- rpmbuild always signs the packages it builds (unless explicitly disabled by
  config/cli switch)
- if a pre-existing key is configured it will use that
- if no key is configured for signing
  - rpm will create one for you automatically
    - a passwordless sign-only key with *something like*
      `rpmbuild-${USER}@${HOSTNAME}` as the userid/email
  - configure this as the signing key for future builds
  - export the ascii-armored pubkey to a suitable location in home, with a
    message explaining how to import it to rpm
Of course the "casual local builder" is a somewhat extinct use-case to begin
with, mock and such replacing most of the direct rpmbuild uses. The
copr/koji/obs etc all manage their own signing, so mock (and similar other
tools) are perhaps the bigger question mark in this.
The above logic would presumably create a key per mock buildroot; I don't
know that that's sensible. Mock has its own signing plugin too, but you need to
specifically configure and enable it. But, it'll merrily use rpm's configured
signing key if told to, so one can use the one on the "host" for that. So
maybe, the key generation should only occur on interactive (think isatty())
builds. Automated build + install cycles will need *some* updating anyhow:
either they need to import keys, or use --nosignature for installing. Mock
configs could enable the signing plugin by default on rpm >= 6.0 distros.
With all that said, I find myself wondering whether the rpmbuild-level
automation is worth it at all. Could we instead maybe ship a helper script that
sets it up for you, including creating a key if needed and including mock
autosign config if mock is present?
https://github.com/rpm-software-management/rpm/issues/2678#issuecomment-2497787688
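As an added illustration of the helper-script idea in the last paragraph (example code, not from the thread or from rpm itself), a minimal POSIX sh script that performs the steps the proposal lists: create a passwordless sign-only key named rpmbuild-$USER@$HOSTNAME, point rpm's %_gpg_name macro at it, and export the ASCII-armored public key for `rpm --import`. It assumes gpg 2.1+ and that rpm reads %_gpg_name from ~/.rpmmacros; the file and function names are my own.

```shell
#!/bin/sh
# Added example: one-shot setup of a local rpmbuild signing key.
# Assumes gpg 2.1+ and rpm honouring %_gpg_name in ~/.rpmmacros.
# The main routine only runs when invoked with --setup, so the
# functions can be sourced and reused on their own.
set -eu

# User id the proposal suggests for the auto-generated key.
rpmbuild_signing_uid() {
    printf 'rpmbuild-%s@%s\n' "${USER:-$(id -un)}" "${HOSTNAME:-$(uname -n)}"
}

# Record the key as rpm's default signing key, replacing any existing
# %_gpg_name line instead of appending a duplicate; other macros are kept.
write_signing_macros() {
    _macros=$1; _uid=$2
    if [ -f "$_macros" ]; then
        grep -v '^%_gpg_name' "$_macros" > "$_macros.tmp" || true
        mv "$_macros.tmp" "$_macros"
    fi
    printf '%%_gpg_name %s\n' "$_uid" >> "$_macros"
}

# Create a passwordless, sign-only, non-expiring ed25519 key for the uid
# (only if none exists yet), then export its armored public half.
ensure_signing_key() {
    _uid=$1; _pubkey=$2
    if ! gpg --batch --list-secret-keys "=$_uid" >/dev/null 2>&1; then
        gpg --batch --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$_uid" ed25519 sign 0
    fi
    gpg --batch --armor --export "=$_uid" > "$_pubkey"
}

main() {
    uid=$(rpmbuild_signing_uid)
    pubkey="$HOME/rpmbuild-signing-key.asc"
    ensure_signing_key "$uid" "$pubkey"
    write_signing_macros "$HOME/.rpmmacros" "$uid"
    echo "Signing key $uid is now set as %_gpg_name in ~/.rpmmacros."
    echo "Import its public key before installing local builds:"
    echo "  sudo rpm --import $pubkey"
}

if [ "${1:-}" = "--setup" ]; then
    main
fi
```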