@@ -10,6 +10,13 @@
Sigul is the signing server that holds our keys. To make use of a new key, it must be created and access to the key granted. The `new-key`, `grant-key-access`, and `change-passphrase` commands are used.
+ These are to be running on `bodhi-backend01` machine.
+
+ [source, bash]
+ ----
+ $ ssh bodhi-backend01.iad2.fedoraproject.org
+ ----
+
[source, bash]
----
$ sigul new-key --help
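Review bot: the added sentence "These are to be running on `bodhi-backend01` machine." is ungrammatical; suggest "These commands are to be run on the `bodhi-backend01` machine." The new ssh snippet also gives no hint of how that host is reached, whereas the Koji section in this same patch says "by way of bastion.fedoraproject.org"; stating the hop here would keep the two sections consistent.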
@@ -93,7 +100,14 @@
[NOTE]
====
+ You can add --key-admin=true here to make a particular user key-admin for the key
+ ====
+
+ [NOTE]
+ ====
**IMPORTANT:** Grant access to the autopen user as it's required for robosignatory autosigning and then restart the robosignatory service.
+ Make sure when granting key access you should use the autosign/robosignatory passphrase.
+
====
. Provide the key name and temporary passphrase to signers. If they don't respond, revoke access until they are ready to change their passphrase. Signers can change their passphrase using the `change-passphrase` command:
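Review bot: the new note "You can add --key-admin=true here" does not say which command takes the option, and the flag is not set in monospace like the other commands on this page (`new-key`, `grant-key-access`); suggest naming `grant-key-access` explicitly and checking the exact flag form against `sigul grant-key-access --help` before documenting the `=true` spelling. The second added sentence reads awkwardly; suggest "When granting key access to the autopen user, use the autosign/robosignatory passphrase." Splitting the original note into two blocks is fine, but the blank `+` line just before the closing `====` is unnecessary.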
@@ -119,6 +133,20 @@
to add a new one.
+ === Adding Certificates for IMA Keys
+
+ We now need to create an IMA certificate signed by our Sigul CA and get it to the kernel maintainers. This must be done after the IMA key is created.
+
+ [source, bash]
+ ----
+ $ sigul -v -v sign-certificate fedorasigulca fedora-41-ima --issuer-certificate-name fedorasigulca --subject-certificate-name fedoraimafourtyone --validity 2y --certificate-type codesigning --subject "CN=Fedora 41 IMA Code-signing cert" > fedora-41-ima.pem
+ ----
+
+ NOTE: Change the name from `41/fourtyone` to the appropriate release version.
+
+ We need to find the best way to get the certificate to the kernel maintainers. It is recommended to ask them directly. Additionally, we need to add it to `fedora-repos` like the other keys.
+
+
=== fedora-repos
The `fedora-repos` package houses a copy of the public key information. This is used by RPM to verify the signature on files encountered. Currently, the `fedora-repos` package has a single key file named after the version of the key and the arch the key is for.
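Review bot: the `sign-certificate` command hard-codes the release in three places (`fedora-41-ima`, `fedoraimafourtyone`, and the subject CN "Fedora 41 IMA Code-signing cert") while the NOTE below it only mentions `41/fourtyone`; list every value that must change per release, and spell it `fortyone`. The key name `fedora-41-ima` has to be the name given to `new-key` earlier in this procedure, so "This must be done after the IMA key is created" should say that explicitly. "We need to find the best way to get the certificate to the kernel maintainers" is an open question rather than an instruction; either document the agreed channel or track it in a follow-up, and drop one of the two trailing blank lines before `=== fedora-repos`.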
@@ -443,7 +471,7 @@
=== Koji
- Log into koji02.phx2.fedoraproject.org by way of bastion.fedoraproject.org.
+ Log into koji02.iad2.fedoraproject.org by way of bastion.fedoraproject.org.
Verify that ``/etc/koji-gc/koji-gc.conf`` has the new key in it.
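Review bot: the `koji02.phx2` to `koji02.iad2` rename is consistent with the `bodhi-backend01.iad2.fedoraproject.org` host introduced in the first hunk, but the commit message (only a Signed-off-by is shown here) does not mention the datacenter move; note it there, and check the rest of the document for remaining `phx2` hostnames so the page is updated in one go.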
Signed-off-by: Samyak Jain samyak.jn11@gmail.com