Difference between revisions of "Sigul Signing Server Setup"

From CDOT Wiki
Jump to: navigation, search
Line 12: Line 12:
  
 
* login as sigul:
 
* login as sigul:
    su -s /bin/bash sigul
+
  su -s /bin/bash sigul
  
 
* generate a new NSS database for the bridge at the location of the bridge_dir variable
 
* generate a new NSS database for the bridge at the location of the bridge_dir variable
    bridge_dir=/var/lib/sigul
+
  bridge_dir=/var/lib/sigul
    certutil -d $bridge_dir -N
+
  certutil -d $bridge_dir -N
    [Be sure to remember your NSS Password]
+
  [Be sure to remember your NSS Password]
  
 
2) Now generate the CA (Certificate Authority) certificate, to be used accross all sigul components
 
2) Now generate the CA (Certificate Authority) certificate, to be used accross all sigul components
 
* be sure to replace '''my-ca''' with whatever your desire your CA to be named, such as '''sigul-ca''' for example:
 
* be sure to replace '''my-ca''' with whatever your desire your CA to be named, such as '''sigul-ca''' for example:
    certutil -d $bridge_dir -S -n my-ca -s 'CN=My CA' -t CT,, -x -v 120   
+
  certutil -d $bridge_dir -S -n my-ca -s 'CN=My CA' -t CT,, -x -v 120   
  
 
3) Create a certificate for the bridge
 
3) Create a certificate for the bridge
 
* be sure to replace BRIDGE_HOSTNAME with the hostname of the machine it resides on:
 
* be sure to replace BRIDGE_HOSTNAME with the hostname of the machine it resides on:
    certutil -d $bridge_dir -S -n sigul-bridge-cert -s 'CN=BRIDGE_HOSTNAME' -c my-ca -t u,, -v 120
+
  certutil -d $bridge_dir -S -n sigul-bridge-cert -s 'CN=BRIDGE_HOSTNAME' -c my-ca -t u,, -v 120
  
 
4) Now it is time to configure the bridge, edit the config at ''/etc/sigul/bridge.conf'' * AS '''ROOT'''
 
4) Now it is time to configure the bridge, edit the config at ''/etc/sigul/bridge.conf'' * AS '''ROOT'''
 
* login as ROOT
 
* login as ROOT
 
* edit ''/etc/sigul/bridge.conf'':
 
* edit ''/etc/sigul/bridge.conf'':
    #/etc/sigul/bridge.conf
+
  #/etc/sigul/bridge.conf
 
    
 
    
    [bridge]
+
  [bridge]
    ...
+
  ...
    # You can leave most things at their default such as ports, or fas-account settings, if using FAS authentication.
+
  # You can leave most things at their default such as ports, or fas-account settings, if using FAS authentication.
    [daemon]
+
  [daemon]
    ...
+
  ...
    # The default configuration assumes you set up a separate "sigul" user and group;
+
  # The default configuration assumes you set up a separate "sigul" user and group;
    # remove the [daemon] section if you want the bridge to run as the invoking user.
+
  # remove the [daemon] section if you want the bridge to run as the invoking user.
    #  If you use a separate user and group issue:
+
  #  If you use a separate user and group issue:
    # chown sigul:sigul $bridge_dir/*.db
+
  # chown sigul:sigul $bridge_dir/*.db
    [nss]
+
  [nss]
    nss-password: yournsspass # This will save you having to type it each time you start the bridge
+
  nss-password: yournsspass # This will save you having to type it each time you start the bridge
    ...
+
  ...
  
 
5) After editing the config and setting up the certs, it is time for a test drive issue the following * AS '''ROOT''':
 
5) After editing the config and setting up the certs, it is time for a test drive issue the following * AS '''ROOT''':
 
* start the bridge in DEBUG mode, and all information will be logged in ''/var/log/sigul_bridge.log'':
 
* start the bridge in DEBUG mode, and all information will be logged in ''/var/log/sigul_bridge.log'':
    sigul_bridge -v -v
+
  sigul_bridge -v -v
 
* check the log file after starting sigul, if there are no errors you are good to go.
 
* check the log file after starting sigul, if there are no errors you are good to go.
 
** you should see the first log message in ''/var/log/sigul_bridge.log'':
 
** you should see the first log message in ''/var/log/sigul_bridge.log'':
    2011-11-24 16:41:42,214 DEBUG: Waiting for the client to connect
+
  2011-11-24 16:41:42,214 DEBUG: Waiting for the client to connect
 
* stop the sigul_bridge CRTL-C and start the service:
 
* stop the sigul_bridge CRTL-C and start the service:
    service sigul_bridge start
+
  systemctl start sigul_bridge
  
 
=Sigul Server Setup=
 
=Sigul Server Setup=
Line 62: Line 62:
  
 
Add bridge hostname to /etc/hosts:
 
Add bridge hostname to /etc/hosts:
    [IP address of the bridge] sigul-bridge-hostname
+
  [IP address of the bridge] sigul-bridge-hostname
  
 
1) Create the NSS database on the server, to hold the certificate information *AS user '''sigul''' issue the following
 
1) Create the NSS database on the server, to hold the certificate information *AS user '''sigul''' issue the following
 
* login as sigul:
 
* login as sigul:
    su -s /bin/bash sigul
+
  su -s /bin/bash sigul
  
 
* generate a new NSS database for the server at the location of the server_dir variable:
 
* generate a new NSS database for the server at the location of the server_dir variable:
    server_dir=/var/lib/sigul
+
  server_dir=/var/lib/sigul
    certutil -d $server_dir -N
+
  certutil -d $server_dir -N
    [Be sure to remember your NSS Password]
+
  [Be sure to remember your NSS Password]
  
 
2) Now import the CA (Certificate Authority) certificate, generated earlier on the bridge
 
2) Now import the CA (Certificate Authority) certificate, generated earlier on the bridge
 
      
 
      
 
* issue ON THE BRIDGE as user '''sigul''':
 
* issue ON THE BRIDGE as user '''sigul''':
    pk12util -d $bridge_dir -o myca-server.p12 -n my-ca
+
  pk12util -d $bridge_dir -o myca-server.p12 -n my-ca
  
 
* copy ''myca-server.p12'' over to the server and deleted from the bridge afterwards
 
* copy ''myca-server.p12'' over to the server and deleted from the bridge afterwards
  
 
* issue ON THE SERVER as user '''sigul''':
 
* issue ON THE SERVER as user '''sigul''':
    pk12util -d $server_dir -i myca-server.p12
+
  pk12util -d $server_dir -i myca-server.p12
    rm myca-server.p12
+
  rm myca-server.p12
    certutil -d $server_dir -M -n my-ca -t CT,, <-- be sure to change my-ca to your CA name
+
  certutil -d $server_dir -M -n my-ca -t CT,, <-- be sure to change my-ca to your CA name
 
* The sigul CA certs should now be imported
 
* The sigul CA certs should now be imported
  
 
* be sure to replace SERVER_HOSTNAME with the hostname of the machine it resides on:
 
* be sure to replace SERVER_HOSTNAME with the hostname of the machine it resides on:
    certutil -d $server_dir -S -n sigul-server-cert -s 'CN=SERVER_HOSTNAME' -c my-ca -t u,, -v 120
+
  certutil -d $server_dir -S -n sigul-server-cert -s 'CN=SERVER_HOSTNAME' -c my-ca -t u,, -v 120
  
 
3) Now it is time to configure the server, edit the config at ''/etc/sigul/server.conf'' * AS '''ROOT'''
 
3) Now it is time to configure the server, edit the config at ''/etc/sigul/server.conf'' * AS '''ROOT'''
 
* login as ROOT
 
* login as ROOT
 
* edit ''/etc/sigul/server.conf''
 
* edit ''/etc/sigul/server.conf''
    #/etc/sigul/server.conf
+
  #/etc/sigul/server.conf
 
      
 
      
    [nss]
+
  [nss]
    bridge-hostname: # Put bridge hostname here
+
  bridge-hostname: # Put bridge hostname here
    ...
+
  ...
    [daemon]
+
  [daemon]
    ...
+
  ...
    # The default configuration assumes you set up a separate "sigul" user and group;
+
  # The default configuration assumes you set up a separate "sigul" user and group;
    # remove the [daemon] section if you want the server to run as the invoking user.
+
  # remove the [daemon] section if you want the server to run as the invoking user.
  
 
4) Now to create the database for the server which will hold all user and key entries issue the following * AS '''ROOT'''
 
4) Now to create the database for the server which will hold all user and key entries issue the following * AS '''ROOT'''
    sigul_server_create_db
+
  sigul_server_create_db
  
 
5) Next Add the initial administrator * AS '''ROOT'''
 
5) Next Add the initial administrator * AS '''ROOT'''
    sigul_server_add_admin
+
  sigul_server_add_admin
  
 
6) After all is configured, it's time for a test drive * AS '''ROOT''':
 
6) After all is configured, it's time for a test drive * AS '''ROOT''':
 
* start the server in DEBUG mode, and all information will be logged in ''/var/log/sigul_server'':
 
* start the server in DEBUG mode, and all information will be logged in ''/var/log/sigul_server'':
    sigul_server -v -v
+
  sigul_server -v -v
 
      
 
      
 
* check the log file after starting sigul, if there are no errors you are good to go.
 
* check the log file after starting sigul, if there are no errors you are good to go.
 
* you should see the first log message in /var/log/sigul_server.log:
 
* you should see the first log message in /var/log/sigul_server.log:
    2011-11-24 16:36:42,154 DEBUG: Waiting for a request
+
  2011-11-24 16:36:42,154 DEBUG: Waiting for a request
 
      
 
      
 
* stop the sigul_server CRTL-C and start the service:
 
* stop the sigul_server CRTL-C and start the service:
    service sigul_server start
+
  systemctl start sigul_server
  
 
=Sigul Client Setup=
 
=Sigul Client Setup=
Line 124: Line 124:
  
 
Add hostnames to /etc/hosts:
 
Add hostnames to /etc/hosts:
    [IP address of the bridge] sigul-bridge-hostname
+
  [IP address of the bridge] sigul-bridge-hostname
    [IP address of the server] sigul-server-hostname
+
  [IP address of the server] sigul-server-hostname
  
 
To begin setup, we have to follow a similar process to the bridge with NSS, except that we will import the CA cert generated on the bridge, not generate a new one.
 
To begin setup, we have to follow a similar process to the bridge with NSS, except that we will import the CA cert generated on the bridge, not generate a new one.
Line 132: Line 132:
  
 
* generate a new NSS database for the server at the location of the client_dir variable
 
* generate a new NSS database for the server at the location of the client_dir variable
    client_dir=~/.sigul
+
  client_dir=~/.sigul
    certutil -d $client_dir -N
+
  certutil -d $client_dir -N
    [Be sure to remember your NSS Password]
+
  [Be sure to remember your NSS Password]
  
 
2) Now import the CA (Certificate Authority) certificate, generated earlier on the bridge
 
2) Now import the CA (Certificate Authority) certificate, generated earlier on the bridge
 
      
 
      
 
* issue ON THE BRIDGE as user '''sigul'''
 
* issue ON THE BRIDGE as user '''sigul'''
    pk12util -d $bridge_dir -o myca-client.p12 -n my-ca
+
  pk12util -d $bridge_dir -o myca-client.p12 -n my-ca
  
 
* copy ''myca-client.p12'' over to the client and deleted from the bridge afterwards
 
* copy ''myca-client.p12'' over to the client and deleted from the bridge afterwards
  
 
* issue ON THE CLIENT as your own user
 
* issue ON THE CLIENT as your own user
    pk12util -d $client_dir -i myca-client.p12
+
  pk12util -d $client_dir -i myca-client.p12
    rm myca.p12
+
  rm myca.p12
    certutil -d $client_dir -M -n my-ca -t CT,, <-- be sure to change my-ca to your CA name
+
  certutil -d $client_dir -M -n my-ca -t CT,, <-- be sure to change my-ca to your CA name
  
 
3) Next we have to generate the authentication certificate for the client
 
3) Next we have to generate the authentication certificate for the client
 
* be sure to replace YOURUSERNAME with the user you are using on the client system
 
* be sure to replace YOURUSERNAME with the user you are using on the client system
 
* OR set 'CN=YOUR FAS NAME' if using FAS authentication
 
* OR set 'CN=YOUR FAS NAME' if using FAS authentication
    certutil -d $client_dir -S -n sigul-client-cert -s 'CN=YOURUSERNAME' -c my-ca -t u,, -v 120
+
  certutil -d $client_dir -S -n sigul-client-cert -s 'CN=YOURUSERNAME' -c my-ca -t u,, -v 120
  
 
4) Now it is time to configure the client, edit the config at /etc/sigul/client.conf * AS '''ROOT'''
 
4) Now it is time to configure the client, edit the config at /etc/sigul/client.conf * AS '''ROOT'''
 
* login as ROOT
 
* login as ROOT
 
* edit ''/etc/sigul/client.conf''
 
* edit ''/etc/sigul/client.conf''
    # /etc/sigul/client.conf
+
  # /etc/sigul/client.conf
 
    
 
    
    [client]
+
  [client]
    bridge-hostname: # Put bridge hostname here
+
  bridge-hostname: # Put bridge hostname here
    ...
+
  ...
    server-hostname: # Put server hostname here
+
  server-hostname: # Put server hostname here
    ...
+
  ...
    user-name: # Put administrator login name if it is different from your UNIX user
+
  user-name: # Put administrator login name if it is different from your UNIX user
    ...
+
  ...
  
 
* if you wish to avoid entering an NSS password upon issuing each command, create/edit ''~/.sigul/client.conf'' and add the following lines:
 
* if you wish to avoid entering an NSS password upon issuing each command, create/edit ''~/.sigul/client.conf'' and add the following lines:
    [nss]
+
  [nss]
    nss-password: Your NSS PASS
+
  nss-password: Your NSS PASS
  
 
5) After configuring your client, issue a test client command in DEBUG mode as follows:
 
5) After configuring your client, issue a test client command in DEBUG mode as follows:
    sigul -v -v list-users
+
  sigul -v -v list-users
 
* This should return a list of users on the server, at this point it should only really display the one admin user created before
 
* This should return a list of users on the server, at this point it should only really display the one admin user created before
  
 
* Help on more commands:
 
* Help on more commands:
    sigul --help-commands
+
  sigul --help-commands
  
 
6) Create an initial key once you are able to issue commands to sigul, issue the following:
 
6) Create an initial key once you are able to issue commands to sigul, issue the following:
    sigul new-key -h
+
  sigul new-key -h
 
* this will output the options that can be used with the key creation, use the ones you want, and generate the key.
 
* this will output the options that can be used with the key creation, use the ones you want, and generate the key.
 
* please note when generating the key, it requires alot of Entropy on the server, so issue some commands to keep server busy and help it generate faster, usually a simple find / will generate enough for it to take about 2 minutes to generate the key.
 
* please note when generating the key, it requires alot of Entropy on the server, so issue some commands to keep server busy and help it generate faster, usually a simple find / will generate enough for it to take about 2 minutes to generate the key.
Line 187: Line 187:
  
 
1) As ROOT on the sigul bridge, edit /etc/sigul/bridge.conf edit the koji section as follows:
 
1) As ROOT on the sigul bridge, edit /etc/sigul/bridge.conf edit the koji section as follows:
    [koji]
+
  [koji]
      koji-config: /path/to/koji/config/file  <-- The config file should be that of koji web
+
  koji-config: /path/to/koji/config/file  <-- The config file should be that of koji web
  
 
2) The koji configuration file and certs can reside under any directory that sigul has atleast read privileges on. The kojiweb certificates that allow kojiweb to authenticate with koji must be copied to this directory, along with the config file which points to the koji instance, as well as the kojiweb certs needed for it to authenticate.
 
2) The koji configuration file and certs can reside under any directory that sigul has atleast read privileges on. The kojiweb certificates that allow kojiweb to authenticate with koji must be copied to this directory, along with the config file which points to the koji instance, as well as the kojiweb certs needed for it to authenticate.
Line 195: Line 195:
  
 
4) To test issue the following on the client, to download and RPM from koji - sign it - and store it locally - Just as a test for koji connectivity and authentication:
 
4) To test issue the following on the client, to download and RPM from koji - sign it - and store it locally - Just as a test for koji connectivity and authentication:
    sigul sign-rpm -o signed.rpm key_name unsigned.rpm    <-- key_name should be the name of the sigul key you setup previously.
+
  sigul sign-rpm -o signed.rpm key_name unsigned.rpm    <-- key_name should be the name of the sigul key you setup previously.
    - If the above is successful, you will have an rpm named signed.rpm in the directory you are working in.
+
  - If the above is successful, you will have an rpm named signed.rpm in the directory you are working in.
  
 
=Sigul Client Config Script=
 
=Sigul Client Config Script=

Revision as of 12:59, 14 May 2015

Sigul Overview

Sigul is a package signing server, which aids in signing RPM's either multiple, or single files. All keys reside solely on the sigul server, no user has access to any of the private or public keys. All communication with the server is done through the sigul bridge, it acts as the gateway between the client, and server. This isolates the server, preventing any unwanted access from outside sources other than the bridge. The sigul client once configured allows users to sign rpm's with keys created on the sigul server, by sending commands first to the bridge, which then relays to the server.

Sigul Bridge Setup

What the bridge does: The bridge acts as the central gateway for sigul. The bridge is the only component which speaks to the server, if you are issuing any server bound commands from the client, your actually sending them to the bridge which in turn fires them off to the server, recieves the reply, and sends that back to the client. The bridge also functions as the gateway for Koji, when signing packages from a koji instance, the bridge speaks to the kojihub with authentication by way of a Proxy user, such as Kojiweb. We will be getting into the koji side of things a bit more later in this doc.

To begin setup, we have generate the certs which will be used for all sigul systems to authenticate between eachother. The bridge will be used as the CA for internal sigul communications.

1) Create an NSS database on the bridge, to hold the certificate information *AS user sigul issue the following

  • login as sigul:
 su -s /bin/bash sigul
  • generate a new NSS database for the bridge at the location of the bridge_dir variable
 bridge_dir=/var/lib/sigul
 certutil -d $bridge_dir -N
 [Be sure to remember your NSS Password]

2) Now generate the CA (Certificate Authority) certificate, to be used accross all sigul components

  • be sure to replace my-ca with whatever your desire your CA to be named, such as sigul-ca for example:
 certutil -d $bridge_dir -S -n my-ca -s 'CN=My CA' -t CT,, -x -v 120  

3) Create a certificate for the bridge

  • be sure to replace BRIDGE_HOSTNAME with the hostname of the machine it resides on:
 certutil -d $bridge_dir -S -n sigul-bridge-cert -s 'CN=BRIDGE_HOSTNAME' -c my-ca -t u,, -v 120

4) Now it is time to configure the bridge, edit the config at /etc/sigul/bridge.conf * AS ROOT

  • login as ROOT
  • edit /etc/sigul/bridge.conf:
 #/etc/sigul/bridge.conf
 
 [bridge]
 ...
 # You can leave most things at their default such as ports, or fas-account settings, if using FAS authentication.
 [daemon]
 ...
 # The default configuration assumes you set up a separate "sigul" user and group;
 # remove the [daemon] section if you want the bridge to run as the invoking user.
 #  If you use a separate user and group issue:
 # chown sigul:sigul $bridge_dir/*.db
 [nss]
 nss-password: yournsspass # This will save you having to type it each time you start the bridge
 ...

5) After editing the config and setting up the certs, it is time for a test drive issue the following * AS ROOT:

  • start the bridge in DEBUG mode, and all information will be logged in /var/log/sigul_bridge.log:
 sigul_bridge -v -v
  • check the log file after starting sigul, if there are no errors you are good to go.
    • you should see the first log message in /var/log/sigul_bridge.log:
 2011-11-24 16:41:42,214 DEBUG: Waiting for the client to connect
  • stop the sigul_bridge CRTL-C and start the service:
 systemctl start sigul_bridge

Sigul Server Setup

What the server does: The server is completley cutoff from the rest of the world, It should be firewalled off except for incoming ports from the bridge, and should only be able to speak to the bridge, for max security, ensure it has no external access from other machines or even the web. It hold's all of the key files used for signing the RPMS, so no other users will have access to the key files, the server is the only system that knows the keys.

To begin setup, we have to follow a similar process to the bridge with NSS, except that we will import the CA cert generated on the bridge, not generate a new one.

Add bridge hostname to /etc/hosts:

 [IP address of the bridge] sigul-bridge-hostname

1) Create the NSS database on the server, to hold the certificate information *AS user sigul issue the following

  • login as sigul:
 su -s /bin/bash sigul
  • generate a new NSS database for the server at the location of the server_dir variable:
 server_dir=/var/lib/sigul
 certutil -d $server_dir -N
 [Be sure to remember your NSS Password]

2) Now import the CA (Certificate Authority) certificate, generated earlier on the bridge

  • issue ON THE BRIDGE as user sigul:
 pk12util -d $bridge_dir -o myca-server.p12 -n my-ca
  • copy myca-server.p12 over to the server and deleted from the bridge afterwards
  • issue ON THE SERVER as user sigul:
 pk12util -d $server_dir -i myca-server.p12
 rm myca-server.p12
 certutil -d $server_dir -M -n my-ca -t CT,, <-- be sure to change my-ca to your CA name
  • The sigul CA certs should now be imported
  • be sure to replace SERVER_HOSTNAME with the hostname of the machine it resides on:
 certutil -d $server_dir -S -n sigul-server-cert -s 'CN=SERVER_HOSTNAME' -c my-ca -t u,, -v 120

3) Now it is time to configure the server, edit the config at /etc/sigul/server.conf * AS ROOT

  • login as ROOT
  • edit /etc/sigul/server.conf
 #/etc/sigul/server.conf
    
 [nss]
 bridge-hostname: # Put bridge hostname here
 ...
 [daemon]
 ...
 # The default configuration assumes you set up a separate "sigul" user and group;
 # remove the [daemon] section if you want the server to run as the invoking user.

4) Now to create the database for the server which will hold all user and key entries issue the following * AS ROOT

 sigul_server_create_db

5) Next Add the initial administrator * AS ROOT

 sigul_server_add_admin

6) After all is configured, it's time for a test drive * AS ROOT:

  • start the server in DEBUG mode, and all information will be logged in /var/log/sigul_server:
 sigul_server -v -v
   
  • check the log file after starting sigul, if there are no errors you are good to go.
  • you should see the first log message in /var/log/sigul_server.log:
 2011-11-24 16:36:42,154 DEBUG: Waiting for a request
   
  • stop the sigul_server CRTL-C and start the service:
 systemctl start sigul_server

Sigul Client Setup

What the client does: The client is simply that, a client, it has certs necessary for it to be authenticated with the sigul bridge to issue commands as the sigul admin, to the server. All client commands are sent to bridge which in turn talks to either koji or the server depending on what the clients request is.

Add hostnames to /etc/hosts:

 [IP address of the bridge] sigul-bridge-hostname
 [IP address of the server] sigul-server-hostname

To begin setup, we have to follow a similar process to the bridge with NSS, except that we will import the CA cert generated on the bridge, not generate a new one.

1) Create the NSS database on the client, to hold the certificate information issue the following

  • generate a new NSS database for the server at the location of the client_dir variable
 client_dir=~/.sigul
 certutil -d $client_dir -N
 [Be sure to remember your NSS Password]

2) Now import the CA (Certificate Authority) certificate, generated earlier on the bridge

  • issue ON THE BRIDGE as user sigul
 pk12util -d $bridge_dir -o myca-client.p12 -n my-ca
  • copy myca-client.p12 over to the client and deleted from the bridge afterwards
  • issue ON THE CLIENT as your own user
 pk12util -d $client_dir -i myca-client.p12
 rm myca.p12
 certutil -d $client_dir -M -n my-ca -t CT,, <-- be sure to change my-ca to your CA name

3) Next we have to generate the authentication certificate for the client

  • be sure to replace YOURUSERNAME with the user you are using on the client system
  • OR set 'CN=YOUR FAS NAME' if using FAS authentication
 certutil -d $client_dir -S -n sigul-client-cert -s 'CN=YOURUSERNAME' -c my-ca -t u,, -v 120

4) Now it is time to configure the client, edit the config at /etc/sigul/client.conf * AS ROOT

  • login as ROOT
  • edit /etc/sigul/client.conf
 # /etc/sigul/client.conf
  
 [client]
 bridge-hostname: # Put bridge hostname here
 ...
 server-hostname: # Put server hostname here
 ...
 user-name: # Put administrator login name if it is different from your UNIX user
 ...
  • if you wish to avoid entering an NSS password upon issuing each command, create/edit ~/.sigul/client.conf and add the following lines:
 [nss]
 nss-password: Your NSS PASS

5) After configuring your client, issue a test client command in DEBUG mode as follows:

 sigul -v -v list-users
  • This should return a list of users on the server, at this point it should only really display the one admin user created before
  • Help on more commands:
 sigul --help-commands

6) Create an initial key once you are able to issue commands to sigul, issue the following:

 sigul new-key -h
  • this will output the options that can be used with the key creation, use the ones you want, and generate the key.
  • please note when generating the key, it requires alot of Entropy on the server, so issue some commands to keep server busy and help it generate faster, usually a simple find / will generate enough for it to take about 2 minutes to generate the key.

Sigul with koji Setup

How it works with koji: Sigul can be used with koji to sign multiple packages in a koji instance. Provided you have your client user already configured with Koji, it's a simple matter of configuring the proxy user on sigul_bridge. When a client issues a sign command for a koji instance, the bridge is what actually queries koji on behalf of the client user, and grabs the rpm's to be signed from sigul by way of the kojiweb user. The only thing you must ensure is that your koji client user as admin privileges on the koji server, and the bridge takes care if the rest.

1) As ROOT on the sigul bridge, edit /etc/sigul/bridge.conf edit the koji section as follows:

  [koji]
  koji-config: /path/to/koji/config/file  <-- The config file should be that of koji web

2) The koji configuration file and certs can reside under any directory that sigul has atleast read privileges on. The kojiweb certificates that allow kojiweb to authenticate with koji must be copied to this directory, along with the config file which points to the koji instance, as well as the kojiweb certs needed for it to authenticate.

3) After doing the above restart the bridge, and you should now be able to pull packages from koji and sign them.

4) To test issue the following on the client, to download and RPM from koji - sign it - and store it locally - Just as a test for koji connectivity and authentication:

 sigul sign-rpm -o signed.rpm key_name unsigned.rpm    <-- key_name should be the name of the sigul key you setup previously.
 - If the above is successful, you will have an rpm named signed.rpm in the directory you are working in.

Sigul Client Config Script

The following is an optional script, which can be used to aide in the quick setup of sigul clients, when not using FAS Authentication:

 * Note that the user must first have an account created on the sigul server, this script is solely to setup the client side certificates
#!/bin/bash
#Variables### And initial setup#######
mkdir ~/.sigul
client_dir=~/.sigul
user=$(whoami)  
####################
echo
############################Begin Certificate imports
echo "======================="
echo "Setting up NSS Database"
echo "======================="
certutil -d $client_dir -N
echo
echo "==================="
echo "Downloading CA Cert"
echo "==================="
wget http://someurl.com/sigul/sigulca.p12 <-- Substitute with a path or url of your exported .p12
echo
echo "=================="
echo "Importing CA certs"
echo "=================="
pk12util -d $client_dir -i sigulca.p12
certutil -d $client_dir -M -n sigul-ca -t CT,,
echo
echo "======================"
echo "Generating Client cert"
echo "======================"
certutil -d $client_dir -S -n sigul-client-cert -s "CN=$user" -c sigul-ca -t u,, -v 120
echo
echo "======================"
#########End certificate imports########
########################################
#########NSS password Saver#############
read -p "Would you like to save your nss pass to ~/.sigul/client.conf [y/n]: " nsspasssel
#########User Input conditional#########
if [ $nsspasssel == "y" -o $nsspasssel == "Y" ]; then
echo "Enter your NSS password One more time: "
read -s nsspass
echo "[nss]" > ~/.sigul/client.conf
echo "nss-password: $nsspass" >> ~/.sigul/client.conf
echo
echo "==========="
echo "Cleaning up"
echo "==========="
rm sigulca.p12
else
echo
echo "==========="
echo "Cleaning up"
echo "==========="
rm sigulca.p12
fi
#########################################\
  • If you plan to use FAS Authentication, run sigul_setup_client as the user you wish to setup.