Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sign-rpms: remove GPG_PASSPHRASE #2126

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

ktdreyer
Copy link
Member

@ktdreyer ktdreyer commented Apr 7, 2023

We don't need this argument, and I'm not sure it ever worked.

I entered the passphrase (Nitrokey PIN) into gpg-agent prior to running this script, and that seems sufficient.

We don't need this argument, and I'm not sure it ever worked.

I entered the passphrase (Nitrokey PIN) into gpg-agent prior to running
this script, and that seems sufficient.
@ktdreyer ktdreyer requested review from zmc and dmick April 7, 2023 15:51
@ktdreyer
Copy link
Member Author

ktdreyer commented Apr 7, 2023

Well, maybe this needs more experimentation. I thought the workflow was:

  1. David boots the VM
  2. David runs a command to unlock gpg-agent once (echo hi | gpg --clearsign -u [email protected] would bring up the pinentry prompt)
  3. Someone does a release, using the already-unlocked gpg-agent

I've never tested --passphrase with a hardware signing device before. And the question of "how widely do we share the PIN" (assuming the PIN is the passphrase?)...

@dmick
Copy link
Member

dmick commented Jul 26, 2023

@ktdreyer what do you think is the right path forward with this?

@ktdreyer
Copy link
Member Author

Recording the notes from our discussion today here, the path forward would be:

  1. Document the correct / expected way to activate gpg-agent (someone has to enter the PIN, minimally after every boot. We should not share that PIN widely.)
  2. Instead of this giant echo yes | ... command, we should experiment with a more modern way to sign RPMs with this hardware signer. I think we can simply run rpmsign --define "_gpg_name [email protected]" --addsign *.rpm as documented in Koji's docs
  3. Merge add RPM signing support merfi#65, so we have the implementation in unit-testable Python, and we don't have to maintain this script any more

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants