calligrabot

Created 2 years ago
Maintained by bstinson
A robosignatory driver for the CentOS Stream signing service
Merlin Mathesius committed 2 years ago

calligrabot

A robosignatory driver for the CentOS Stream signing service.

Calligrabot takes care of downloading RPMs from Koji, securely signing them, and uploading the signed RPMs back to Koji.

This is deployed via Ansible. The CentOS Stream deployment role and the configuration files are stored in this repo.

Configuration

"calligrabot" is the name of a robosignatory.signing.helpers setuptools entry point.

The calligrabot driver is enabled by setting backend = "calligrabot" in the [consumer_config.signing] section of the robosignatory configuration file, /etc/fedora-messaging/robosignatory.toml, together with the Kerberos principal and keytab the signer authenticates with. Because the driver reads its own settings from that same file, config_file must point back at it.

For example:

...
[consumer_config]

    [consumer_config.signing]
    backend = "calligrabot"
    user = "calligrabot"
    principal = "autosign/signer.redhat.com@REDHAT.COM"
    keytab = "/etc/krb5.signer.redhat.com.keytab"
    ima_key = "ima-keyname"
    dry_run = false
    # calligrabot config details are contained within this config file so
    # config_file needs to be self-referential
    config_file = "/etc/fedora-messaging/robosignatory.toml"

    [consumer_config.koji_instances]
        [consumer_config.koji_instances.primary]
        url = "https://kojihub.stream.rdu2.redhat.com/kojihub"
        weburl = "https://kojihub.stream.centos.org/koji"
        topurl = "http://kojihub.stream.centos.org/kojifiles"
...

Command Line Usage

Calligrabot has a command line interface, /usr/bin/calligrabot, which is a wrapper for Red Hat's internal rpm-sign utility that takes care of the actual secure signing of RPMs. /usr/bin/calligrabot is also called directly by the "calligrabot" robosignatory driver.

$ calligrabot --help
Usage: calligrabot [OPTIONS] COMMAND [ARGS]...

Options:
  -d, --debug             Enable debugging output
  -n, --dry-run           Dry run mode
  -c, --config-file FILE  Path to the configuration file
  -u, --user-name TEXT    User name
  -p, --principal TEXT    Kerberos principal
  -k, --keytab TEXT       Kerberos keytab
  --help                  Show this message and exit.

Commands:
  sign-rpms

$ calligrabot sign-rpms --help
Usage: calligrabot sign-rpms [OPTIONS] KEYNAME [RPMS]...

Options:
  -i, --koji-instance TEXT  Use the specified Koji instance
  --help                    Show this message and exit.

$ calligrabot -u _username_ sign-rpms _key_ howdy-1-1.el9.noarch.rpm
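The configuration block and the command line above, as an added example that is not calligrabot's or robosignatory's own code: a sanity check of the [consumer_config.signing] section against a constructed copy of the README fragment, and the argv a caller would hand to /usr/bin/calligrabot using only the flags the --help output documents. The function names (check_signing_config, build_sign_argv, sign_rpms) and the decision to flag a non-https topurl are this example's assumptions about what an operator would want to verify; the RPM bodies to be signed are fetched from topurl, so plain http leaves that download unauthenticated in transit. Requires Python 3.11 (tomllib) or the tomli package.

```python
"""Check the calligrabot signing config and build the CLI invocation.

Added illustration, not calligrabot's own code.  Only flags shown in
`calligrabot --help` and `calligrabot sign-rpms --help` are used.
"""
import subprocess
from urllib.parse import urlparse

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed copy of the README fragment.  topurl is deliberately left on
# plain http so the checker has something to report.
SAMPLE_TOML = """
[consumer_config]

    [consumer_config.signing]
    backend = "calligrabot"
    user = "calligrabot"
    principal = "autosign/signer.redhat.com@REDHAT.COM"
    keytab = "/etc/krb5.signer.redhat.com.keytab"
    ima_key = "ima-keyname"
    dry_run = false
    config_file = "/etc/fedora-messaging/robosignatory.toml"

    [consumer_config.koji_instances]
        [consumer_config.koji_instances.primary]
        url = "https://kojihub.stream.rdu2.redhat.com/kojihub"
        weburl = "https://kojihub.stream.centos.org/koji"
        topurl = "http://kojihub.stream.centos.org/kojifiles"
"""

REQUIRED = ("backend", "user", "principal", "keytab", "config_file")


def load_signing(toml_text):
    """Return the [consumer_config.signing] table (empty dict if absent)."""
    return tomllib.loads(toml_text).get("consumer_config", {}).get(
        "signing", {}
    )


def check_signing_config(toml_text, loaded_path):
    """Return a list of findings; an empty list means the block looks sane.

    loaded_path is the file robosignatory actually reads, so the
    self-referential config_file key can be compared against it.
    """
    cfg = tomllib.loads(toml_text)
    signing = cfg.get("consumer_config", {}).get("signing", {})
    findings = []

    missing = [k for k in REQUIRED if k not in signing]
    if missing:
        findings.append("missing keys: " + ", ".join(missing))
    if signing.get("backend") != "calligrabot":
        findings.append("backend is not 'calligrabot'")
    # Kerberos principals look like service/host@REALM; a malformed one
    # fails at authentication time, not at config load, so catch it here.
    principal = signing.get("principal", "")
    if "@" not in principal or "/" not in principal.split("@")[0]:
        findings.append("principal should look like service/host@REALM")
    if not signing.get("keytab", "").startswith("/"):
        findings.append("keytab must be an absolute path")
    if signing.get("config_file") != loaded_path:
        findings.append("config_file must point back at " + loaded_path)
    if signing.get("dry_run") is True:
        findings.append("dry_run is enabled: nothing will be signed")

    # Everything the signer talks to over the network should be https.
    instances = cfg.get("consumer_config", {}).get("koji_instances", {})
    for name, inst in instances.items():
        for key in ("url", "weburl", "topurl"):
            scheme = urlparse(inst.get(key, "")).scheme
            if scheme != "https":
                findings.append(
                    "%s.%s is %s, not https" % (name, key, scheme or "unset")
                )
    return findings


def build_sign_argv(signing, keyname, rpms, koji_instance=None,
                    dry_run=False):
    """argv for /usr/bin/calligrabot as a list, so no shell is involved."""
    argv = ["/usr/bin/calligrabot", "-c", signing["config_file"],
            "-u", signing["user"], "-p", signing["principal"],
            "-k", signing["keytab"]]
    if dry_run:
        argv.append("-n")
    argv.append("sign-rpms")
    if koji_instance:
        argv += ["-i", koji_instance]
    argv.append(keyname)
    argv.extend(rpms)
    return argv


def sign_rpms(signing, keyname, rpms, koji_instance=None, dry_run=False):
    """Run the CLI; check=True makes a failed signing raise, never silent."""
    argv = build_sign_argv(signing, keyname, rpms, koji_instance, dry_run)
    return subprocess.run(argv, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    path = "/etc/fedora-messaging/robosignatory.toml"
    for finding in check_signing_config(SAMPLE_TOML, path):
        print("WARN:", finding)
    argv = build_sign_argv(load_signing(SAMPLE_TOML), "ima-keyname",
                           ["howdy-1-1.el9.noarch.rpm"], "primary", True)
    print(" ".join(argv))
```

Run against the README fragment the checker reports only the http topurl; sign_rpms is the piece a driver would call, and it is the only function that touches the system, so the checks and the argv construction can be exercised without a signing host.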

Development

Code style

Please format code using black -l 79.

Unit-testing

Install packages required to test the python scripts:

$ sudo dnf install -y \
    python3-robosignatory \
    tox

Run the tests:

$ make test

License

MIT (see LICENSE file)