Skip to content

sign-rpms: remove GPG_PASSPHRASE #2126

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ktdreyer wants to merge 1 commit into
base: main
Choose a base branch
from
Open

sign-rpms: remove GPG_PASSPHRASE #2126

ktdreyer wants to merge 1 commit into from

Conversation

@ktdreyer
Copy link
Contributor

@ktdreyer ktdreyer commented Apr 7, 2023

We don't need this argument, and I'm not sure it ever worked.

I entered the passphrase (Nitrokey PIN) into gpg-agent prior to running this script, and that seems sufficient.

@ktdreyer
sign-rpms: remove GPG_PASSPHRASE
c7e14e6 
We don't need this argument, and I'm not sure it ever worked.

I entered the passphrase (Nitrokey PIN) into gpg-agent prior to running
this script, and that seems sufficient.
@ktdreyer ktdreyer requested review from dmick and zmc April 7, 2023 15:51
@ktdreyer
Copy link
Contributor Author

ktdreyer commented Apr 7, 2023
edited
Loading

Well, maybe this needs more experimentation. I thought the workflow was:

  1. David boots the VM
  2. David runs a command to unlock gpg-agent once (echo hi | gpg --clearsign -u security@ceph.com would bring up the pinentry prompt)
  3. Someone does a release, using the already-unlocked gpg-agent

I've never tested --passphrase with a hardware signing device before. And the question of "how widely do we share the PIN" (assuming the PIN is the passphrase?)...

@dmick
Copy link
Member

dmick commented Jul 26, 2023

@ktdreyer what do you think is the right path forward with this?

@ktdreyer
Copy link
Contributor Author

ktdreyer commented Aug 24, 2023

Recording the notes from our discussion today here, the path forward would be:

  1. Document the correct / expected way to activate gpg-agent (someone has to enter the PIN, minimally after every boot. We should not share that PIN widely.)
  2. Instead of this giant echo yes | ... command, we should experiment with a more modern way to sign RPMs with this hardware signer. I think we can simply run rpmsign --define "_gpg_name security@example.com" --addsign *.rpm as documented in Koji's docs
  3. Merge add RPM signing support merfi#65, so we have the implementation in unit-testable Python, and we don't have to maintain this script any more

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zmc zmc Awaiting requested review from zmc

@dmick dmick Awaiting requested review from dmick

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ktdreyer @dmick