#312 Add cert details and notes to create release signing keys
Merged 6 months ago by kevin. Opened 6 months ago by jnsamyak.
jnsamyak/infra-docs-fpo add_creating_keys_1  into  master

@@ -10,6 +10,13 @@ 

  

  Sigul is the signing server that holds our keys. To make use of a new key, it must be created and access to the key granted. The `new-key`, `grant-key-access`, and `change-passphrase` commands are used.

  

+ These are to be running on `bodhi-backend01` machine.

+ 

+ [source, bash]

+ ----

+ $ ssh bodhi-backend01.iad2.fedoraproject.org

+ ----

+ 

  [source, bash]

  ----

  $ sigul new-key --help
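Review bot: the added sentence "These are to be running on `bodhi-backend01` machine." is ungrammatical and does not say what "these" refers to; suggest "The `new-key`, `grant-key-access` and `change-passphrase` commands must be run on the `bodhi-backend01` host:" so the `ssh bodhi-backend01.iad2.fedoraproject.org` block that follows reads as the hop onto that host before the existing `sigul new-key --help` step.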
@@ -93,7 +100,14 @@ 

  

  [NOTE]

  ====

+ You can add --key-admin=true here to make a particular user key-admin for the key

+ ====

+ 

+ [NOTE]

+ ====

  **IMPORTANT:** Grant access to the autopen user as it's required for robosignatory autosigning and then restart the robosignatory service.

+ Make sure when granting key access you should use the autosign/robosignatory passphrase.

+ 

  ====

  

  . Provide the key name and temporary passphrase to signers. If they don't respond, revoke access until they are ready to change their passphrase. Signers can change their passphrase using the `change-passphrase` command:
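Review bot: the first added NOTE ("You can add --key-admin=true here to make a particular user key-admin for the key") never names the command that "here" refers to; since it sits among the key-access steps, state the command explicitly (presumably `grant-key-access`) and put the option in backticks so it is not mistaken for prose. In the second NOTE, "Make sure when granting key access you should use the autosign/robosignatory passphrase." mixes two constructions; suggest "When granting access to the autopen user, use the autosign/robosignatory passphrase." and say where that passphrase is obtained, otherwise the reader cannot complete the step. The stray blank line before the closing `====` can also be dropped.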
@@ -119,6 +133,20 @@ 

  

  to add a new one.

  

+ === Adding Certificates for IMA Keys

+ 

+ We now need to create an IMA certificate signed by our Sigul CA and get it to the kernel maintainers. This must be done after the IMA key is created.

+ 

+ [source, bash]

+ ----

+ $ sigul -v -v sign-certificate fedorasigulca fedora-41-ima --issuer-certificate-name fedorasigulca --subject-certificate-name fedoraimafourtyone --validity 2y --certificate-type codesigning --subject "CN=Fedora 41 IMA Code-signing cert" > fedora-41-ima.pem

+ ----

+ 

+ NOTE: Change the name from `41/fourtyone` to the appropriate release version.

+ 

+ We need to find the best way to get the certificate to the kernel maintainers. It is recommended to ask them directly. Additionally, we need to add it to `fedora-repos` like the other keys.

+ 

+ 

  === fedora-repos

  

  The `fedora-repos` package houses a copy of the public key information. This is used by RPM to verify the signature on files encountered. Currently, the `fedora-repos` package has a single key file named after the version of the key and the arch the key is for. 
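Review bot: the `sign-certificate` example hard-codes the release in three places (`fedora-41-ima`, `fedoraimafourtyone` and `CN=Fedora 41 IMA Code-signing cert`), but the NOTE only tells the reader to change `41/fourtyone`; spell out that the key name, the `--subject-certificate-name` and the `--subject` CN must all be updated together. `fourtyone` also looks like a typo for `fortyone`; if the name is already established in Sigul keep it, otherwise fix it before it becomes the stored certificate name. Since `--validity 2y` is set, the section should state when the certificate is expected to be re-issued, and a verification step on the output file (for example inspecting `fedora-41-ima.pem` with `openssl x509 -noout -text`) would let the operator confirm subject, issuer and validity before handing it over. Finally, "We need to find the best way to get the certificate to the kernel maintainers" records an open question rather than a procedure; replace it with the agreed channel or mark it as a TODO so it is not read as the process. The two trailing blank lines before `=== fedora-repos` can be reduced to one.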
@@ -443,7 +471,7 @@ 

  

  === Koji

  

- Log into koji02.phx2.fedoraproject.org by way of bastion.fedoraproject.org.

+ Log into koji02.iad2.fedoraproject.org by way of bastion.fedoraproject.org.

  

  Verify that ``/etc/koji-gc/koji-gc.conf`` has the new key in it.

  

Pull-Request has been merged by kevin

6 months ago