RFE: automatically sign packages on build #2678
Comments
pmatilai
added
handsfree
|
A couple of thoughts:
|
|
Yup, rpm used to have --sign option to rpmbuild but I removed it for that very reason: back then it asked for the password at the very beginning of a build and then used it to sign any built packages. Note that the actual use-case here is essentially to "allow locally built packages to be installed without --nosignature", rather than something distributors would use. That "install freshly built local packages" case exists even inside buildsystems like koji/copr/mock when chain-building that will eventually sign the packages even now. The security requirements for this kind of thing are quite different from your "real" signing keys. Rpm (currently) uses the key set in %_gpg_name macro, in the form of "whatever gpg will recognize as a key identifier". Also probably not obvious from this ticket is that we're considering adding some real isolation to how builds run even with plain rpmbuild, which would change the landscape a bit. |
|
Oh, and part of the this "automation vision" here would be automatically generating that "local builds" key so that a person just wanting to build and install rpms for their own use basically doesn't need to learn the damnest thing about PGP as the first thing. And not finger-memorize --nosignature as something you normally use (against the background that rpm really, really needs to start requiring signatures by default) |
Now I understand better, thanks. For the case where the rpms are only going to be installed locally, it would be enough to have a local, user-specific rpm-specific key that is used for this type of thing. If the key does not exist, then it is first created. When the user wants to install the rpm, they first need to install the local, user-specific key, which could be done by |
|
Yes, something along those lines. From the user POV, ideally one wouldn't even need the manual import (think something like auto-generated host-specific key on first boot), but that's likely too much of a sacrifice from other perspectives. |
But only root should have access to that key. That's why I was thinking "user-specific". In which case, I think rpm can't automatically import the key safely. |
|
But, in this scenario the user is (or rather, has) root anyway, otherwise they wouldn't be able to install their packages in the first place. So it's this funny dance around how to best serve that case without sacrifing other scenarios. User-specific keys are the most obvious route of course, a host-specific key would solve something but be cumbersome/problematic in other ways. |
|
And yes, because the user is likely root and expected to run rpm/dnf as such, expecting them to run one 'rpmkeys --import' command is not exactly unreasonable. It's largely about finding the right slot(s) to do stuff (such as print meaningful "do this" messages) |
If we automatically signed all built packages, enabling enforcing signature checking by default (#1573) would be much less of an issue because it would no longer require --nosignature in common use-cases.
The gpg-agent stuff seems ill-suited for builds in non-interactive environments. I think rpm5 did something with keyutils(7), that may be something to look into.
The text was updated successfully, but these errors were encountered: