Package signing on soyuz
Jerome Leclanche
2017-01-17 07:42:55 UTC
What is the current intended way to sign packages on the pkgbuild.com server?

I spent the past day setting up agent forwarding
(https://wiki.gnupg.org/AgentForwarding) for it. Had a lot of trouble
setting it up due to systemd being seemingly overzealous about the
gpg-agent socket. I have it working now, for myself, but wondering if
anyone else is using it or if everybody is just signing locally.

J. Leclanche
Jelle van der Waa
2017-01-17 08:28:23 UTC
Post by Jerome Leclanche
What is the current intended way to sign packages on the pkgbuild.com server?
I spent the past day setting up agent forwarding
(https://wiki.gnupg.org/AgentForwarding) for it. Had a lot of trouble
setting it up due to systemd being seemingly overzealous about the
gpg-agent socket. I have it working now, for myself, but wondering if
anyone else is using it or if everybody is just signing locally.
When I use pkgbuild.com (my hardware at home is beefy enough for
building most of my packages), I just scp the *.xz's back to my local
machine and call communitypkg.
--
Jelle van der Waa
Lukas Jirkovsky via arch-general
2017-01-18 19:21:29 UTC
Post by Jerome Leclanche
What is the current intended way to sign packages on the pkgbuild.com server?
I don't think there's any.
Post by Jerome Leclanche
I spent the past day setting up agent forwarding
(https://wiki.gnupg.org/AgentForwarding) for it. Had a lot of trouble
setting it up due to systemd being seemingly overzealous about the
gpg-agent socket. I have it working now, for myself, but wondering if
anyone else is using it or if everybody is just signing locally.
J. Leclanche
I use only the ssh agent forwarding ("ForwardAgent yes" in
.ssh/config). On pkgbuild.com I build packages using the *-*-build as
always. When a package is built, I use a script [1] that downloads the
binary packages, signs them and uploads the signatures back to
pkgbuild.com. That way I can use communitypkg on pkgbuild.com to
upload everything.

[1] https://bitbucket.org/stativ/scripts/src/tip/shell/download-and-sign.sh?at=default&fileviewer=file-view-default

Lukas
Jan Alexander Steffens via arch-general
2017-01-18 22:51:50 UTC
On Wed, Jan 18, 2017 at 8:21 PM Lukas Jirkovsky via arch-general <
Post by Lukas Jirkovsky via arch-general
I use only the ssh agent forwarding ("ForwardAgent yes" in
.ssh/config). On pkgbuild.com I build packages using the *-*-build as
always. When a package is built, I use a script [1] that downloads the
binary packages, signs them and uploads the signatures back to
pkgbuild.com. That way I can use communitypkg on pkgbuild.com to
upload everything.
I've got something very similar, except:

I only check out the trunks on soyuz. I change the PKGBUILD, build and
commit there.

A local script then runs archco, rsyncs the packages from soyuz to local,
rsyncs the packages from soyuz to orion, then locally runs commitpkg to
sign and release the packages.
Jerome Leclanche
2017-01-19 00:31:02 UTC
So my current workflow allows doing everything on soyuz. I tried it
out for a couple of packages, it works well and FWICT it's secure.
Writeup on the setup below as requested on IRC the other day.

----

Local prerequisites:

- Extra socket must be enabled. In arch, that seems to be the case by
default. While doing this I discovered that systemd can manage
gpg-agent at the user level. To enable that: `systemctl --user enable
gpg-agent-extra.socket`. If you're managing this with systemctl, you
will also want to do `systemctl --user enable gpg-agent.socket` and
probably dirmngr.service as well.

When managed with systemd, these sockets will show up in
$XDG_RUNTIME_DIR/gnupg. If you have a custom $GNUPGHOME (e.g. to move
it to ~/.config/gnupg), you'll need to unset that, as it is not
possible in gnupg to set the homedir without setting the socketdir.
Annoying. You can check the directories with `gpgconf --list-dir` (or
`gpgconf --list-dir socketdir` specifically).

You definitely want the -extra socket. The regular one supports
exporting the private key (you definitely don't want that on the
remote). The -ssh one is for ssh-agent emulation, something different.

In .ssh/config, you want to add the following line to Host pkgbuild.com:

RemoteForward /run/user/1xxx/gnupg/S.gpg-agent /run/user/1xxx/gnupg/S.gpg-agent.extra

The first path is the path *on the remote* (soyuz). The second is the
path on the client machine. You are forwarding your .extra socket to
be the gpg-agent socket. Replace the uid/path by the appropriate value
of $XDG_RUNTIME_DIR on the respective machines. Specifically, by the
value of $(gpgconf --list-dir agent-extra-socket) on the local and
$(gpgconf --list-dir agent-socket) on the remote.

Finally, as gpg-agent is currently enabled by default for users on
soyuz, it needs to be disabled. Disabling isn't even enough, as
forwarding the socket seems to be interpreted by systemd as "I want
this socket", which in turn triggers gpg-agent.
I'm still a little confused about this, but masking gpg-agent does the
trick: `systemctl --user mask gpg-agent.service`. This devnulls the
service file for your user.

Bluewind has already kindly taken care of adding
`StreamLocalBindUnlink yes` to the sshd_config, therefore removing the
sockets manually on logout is not necessary.

You should also make sure that you are not using pinentry-curses in
your gpg-agent.conf. That, afaik, won't work over ssh but I didn't
test it.

J. Leclanche
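As an added example (not from the thread or from any of its authors): a POSIX sh helper that derives the RemoteForward directive from `gpgconf --list-dirs` output captured on the local and the remote machine, and refuses to emit it unless the local side is the restricted .extra socket, since forwarding the plain socket would let the remote export private keys. The sample gpgconf output, the user name and the uids 1000 and 1042 are constructed.

```shell
#!/bin/sh
# Build the RemoteForward line for ~/.ssh/config from gpgconf output and
# guard against forwarding the wrong socket. Example code, not from the thread.

# Constructed sample of `gpgconf --list-dirs` on the local machine (uid 1000
# assumed). The real command prints one name:value pair per line.
LOCAL_DIRS='homedir:/home/alice/.gnupg
socketdir:/run/user/1000/gnupg
agent-socket:/run/user/1000/gnupg/S.gpg-agent
agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra
agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh'

# Constructed sample captured on the remote build host (uid 1042 assumed).
REMOTE_DIRS='homedir:/home/alice/.gnupg
socketdir:/run/user/1042/gnupg
agent-socket:/run/user/1042/gnupg/S.gpg-agent
agent-extra-socket:/run/user/1042/gnupg/S.gpg-agent.extra'

# gpgconf_dir NAME DIRS: print the value of NAME from --list-dirs output.
gpgconf_dir() {
    printf '%s\n' "$2" | sed -n "s/^$1://p"
}

# remote_forward_line LOCAL_DIRS REMOTE_DIRS: emit the ssh_config directive
# "RemoteForward <remote agent-socket> <local agent-extra-socket>".
# Returns 1 if the local socket is not the .extra one (the plain socket allows
# key export, the .ssh one is the ssh-agent emulation) or no remote socket exists.
remote_forward_line() {
    local_sock=$(gpgconf_dir agent-extra-socket "$1")
    remote_sock=$(gpgconf_dir agent-socket "$2")
    case "$local_sock" in
        */S.gpg-agent.extra) ;;
        *) echo "refusing: '$local_sock' is not the .extra socket" >&2; return 1 ;;
    esac
    [ -n "$remote_sock" ] || { echo "refusing: no agent-socket on remote" >&2; return 1; }
    printf 'RemoteForward %s %s\n' "$remote_sock" "$local_sock"
}

remote_forward_line "$LOCAL_DIRS" "$REMOTE_DIRS"
```

On real machines, feed the function the captured output of `gpgconf --list-dirs` run locally and via `ssh pkgbuild.com gpgconf --list-dirs` instead of the constructed strings.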