Package Signing on Local OBS

After I had my local OBS server up and running I noticed that none of the packages it built were being signed.  After a little searching on the system and on the openSUSE buildservice mailing list I pieced together enough information to get it working.  Hopefully this helps you out as well.

The first thing you need to do is make sure that the obssignd package is installed (it probably is if you used the development packages) and add it as a service:

# insserv obssignd

Note: There is an issue with signd starting at boot (https://bugzilla.novell.com/show_bug.cgi?id=475616); the quick fix is to add the following line to /etc/init.d/obssignd:

export HOME=/root

The next thing you will likely have to do is install or upgrade to a version of gpg that has the 'files_are_digests' patch.  Because I was running SLES10SP2 on my local OBS server I upgraded using the gpg package from the home:keutterling repository.

Once you have a version of gpg with the 'files_are_digests' patch installed you are ready to start configuring.

First you need to make the build server aware that you want to sign packages by uncommenting the following line in /usr/lib/obs/server/BSConfig.pm:

our $sign = '/usr/bin/sign';

Next we need to configure the sign/signd files.  First edit /etc/sign.conf.  Depending on what level of 'security' you need for your gpg key you may end up with a different setup; if you just want to get it working, set the following:

user: yourname@yourdomain.com
allow: 127.0.0.1
phrases: /root/.phrases

The user is the uid (the email address) of the gpg key you either a) still need to create or b) have already created.  The allow line lists the addresses signd accepts requests from; 127.0.0.1 keeps it local to the build server.

Next you need to create the /root/.phrases directory:

# mkdir /root/.phrases

Then put your gpg passphrase into a file named after the uid you gave in /etc/sign.conf.  This file holds the passphrase in clear text, so keep the directory and the file readable by root only.  For example:

# echo yourpassphrase > /root/.phrases/yourname@yourdomain.com

Next you need to either a) create a /root/.gnupg/options file or b) edit your existing one so that it includes the line force-v3-sigs.  For example:

# echo force-v3-sigs > /root/.gnupg/options

Note: if you do not have a gpg key and need to create one (and aren't that concerned about 'security'), just make sure you have the force-v3-sigs option from the step above in place and then run

# gpg --gen-key

Answer the questions you are asked and make sure you use the same email address you gave in /etc/sign.conf.

Now it is time to test.  Run the following to make sure that everything is working:

# rcobssignd start
# cd /some/dir/with/an/rpm
# sign somepackageyouwanttotest.rpm

If you don't get any error messages you are all set to let OBS start signing the packages it builds.  Restart the OBS services (or reboot) and rebuild a package.  If you check the logs under /srv/obs/logs you should see that the package was signed successfully.
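If the test sign fails, the cause is almost always one of the steps above: a missing or misspelled passphrase file, a uid that does not match the key, or the $sign line still commented out.  The script below is an example added to this post (it is not part of OBS, sign or signd) that re-checks each of those items before you restart the build service.  It assumes the file locations used in this post (/etc/sign.conf, /root/.gnupg/options, /usr/lib/obs/server/BSConfig.pm), which can be overridden through the SIGN_CONF, GPG_OPTIONS and BSCONFIG environment variables, and it treats a passphrase file that is readable by group or other as a failure, since the file holds the passphrase in clear text.  The gpg invocation uses the standard --list-secret-keys option; everything else is plain file inspection.

```shell
#!/bin/sh
# Pre-flight check for the sign/signd setup described in this post.
# Added example, not part of OBS or the original post. It only reads files;
# the defaults are the paths used in the post and can be overridden through
# the environment so the checks can be run against a scratch copy.

SIGN_CONF="${SIGN_CONF:-/etc/sign.conf}"
BSCONFIG="${BSCONFIG:-/usr/lib/obs/server/BSConfig.pm}"
GPG_OPTIONS="${GPG_OPTIONS:-/root/.gnupg/options}"

# conf_value FILE KEY: print the value of the first "KEY: value" line in a
# sign.conf-style file (prints nothing if the key is absent).
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# phrase_file_ok DIR KEYUID: succeed only if DIR/KEYUID exists, is non-empty
# and has no group/other permission bits. The file holds the passphrase in
# clear text, so anything more permissive than 0600 is treated as a failure.
phrase_file_ok() {
    f="$1/$2"
    [ -s "$f" ] || return 1
    # columns 5-10 of "ls -l" output are the group and other permission bits
    others=$(ls -ld "$f" | cut -c5-10)
    [ "$others" = "------" ]
}

# sign_enabled FILE: succeed if BSConfig.pm has an uncommented "our $sign = ..."
sign_enabled() {
    grep -q '^[[:space:]]*our[[:space:]]*\$sign[[:space:]]*=' "$1"
}

# v3_sigs_enabled FILE: succeed if the gpg options file sets force-v3-sigs
v3_sigs_enabled() {
    grep -q '^[[:space:]]*force-v3-sigs' "$1"
}

# secret_key_present KEYUID: succeed if the current user's gpg keyring (root's,
# when run as root like signd) has a secret key whose uid matches KEYUID.
secret_key_present() {
    gpg --batch --list-secret-keys "$1" >/dev/null 2>&1
}

# check_all: run every check, report each problem, return 1 if any failed.
check_all() {
    rc=0
    user=$(conf_value "$SIGN_CONF" user)
    allow=$(conf_value "$SIGN_CONF" allow)
    phrases=$(conf_value "$SIGN_CONF" phrases)

    [ -n "$user" ] || { echo "$SIGN_CONF: no 'user:' line"; rc=1; }
    [ -n "$phrases" ] || { echo "$SIGN_CONF: no 'phrases:' line"; rc=1; }
    # not fatal, but worth a warning: the post keeps signd local
    [ "$allow" = "127.0.0.1" ] ||
        echo "$SIGN_CONF: allow is '$allow' (the post uses 127.0.0.1)"
    if [ -n "$user" ] && [ -n "$phrases" ]; then
        phrase_file_ok "$phrases" "$user" ||
            { echo "$phrases/$user: missing, empty, or readable by group/other"; rc=1; }
        secret_key_present "$user" ||
            { echo "gpg: no secret key with uid '$user' (run gpg --gen-key)"; rc=1; }
    fi
    sign_enabled "$BSCONFIG" ||
        { echo "$BSCONFIG: 'our \$sign = ...' is still commented out"; rc=1; }
    v3_sigs_enabled "$GPG_OPTIONS" ||
        { echo "$GPG_OPTIONS: force-v3-sigs not set"; rc=1; }
    return $rc
}

# Run the checks only when invoked as "sh sign-preflight.sh check", so the
# functions can also be sourced from another script without side effects.
case "${1:-}" in
    check) check_all; exit $? ;;
esac
```

Run it as root with `sh sign-preflight.sh check`; a zero exit status with no output means every item the post configures is in place, and each non-zero exit names the file that still needs attention.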

Hope that helps
