[Rpm-maint] [rpm-software-management/rpm] RFE: automatically sign packages on build (Issue #2678)

Panu Matilainen notifications at github.com
Mon Nov 25 11:45:35 UTC 2024


Yup, "industry grade" secure signing is a whole different ballgame. This feature is aimed towards the shallow end of the pool - casual local builders, and driving wholly unsigned packages to extinction in that space. One should keep in mind that the driving force for this change is enabling the enforcing signature check mode by default in rpm: how to keep local builds convenient in that setup without pushing users to --nosignature on everything.

What follows is more or less a braindump of what I've been thinking about; if it seems half mad, I have the excuse of a poor night's sleep :sweat_smile: Thoughts and comments very welcome; this is all very much subject to change:

- rpmbuild always signs the packages it builds (unless explicitly disabled by config/cli switch)
- if a pre-existing key is configured it will use that
- if no key is configured for signing
  - rpm will create one for you automatically
  - a passwordless sign-only key with *something like* `rpmbuild-${USER}@${HOSTNAME}` as the userid/email
  - configure this as the signing key for future builds
  - export the ascii-armored pubkey to a suitable location in home, with a message explaining how to import it to rpm

Of course the "casual local builder" is a somewhat extinct use-case to begin with, mock and such replacing most of the direct rpmbuild uses. The copr/koji/obs etc. all manage their own signing, so mock (and similar other tools) are perhaps the bigger question mark in this.

The above logic would presumably create a key for each mock buildroot; I don't know if that's sensible. Mock has its own signing plugin too, but you need to specifically configure and enable it. But it'll merrily use rpm's configured signing key if told to, so one can use the one on the "host" for that. So maybe the key generation should only occur on interactive (think isatty()) builds. Automated build + install cycles will need *some* updating anyhow: either they need to import keys, or use --nosignature for installing. Mock configs could enable the signing plugin by default on rpm >= 6.0 distros.

With all that said, I find myself wondering whether the rpmbuild-level automation is worth it at all. Could we instead maybe ship a helper script that sets it up for you, including creating a key if needed and including mock autosign config if mock is present?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2678#issuecomment-2497787688
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/issues/2678/2497787688 at github.com>
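The "helper script" idea floated at the end of the comment, sketched as an added example that is not rpm's, mock's or the commenter's own code. It follows the bullet list above: reuse a configured key, otherwise (and only on an interactive build, the isatty() idea) generate a passwordless sign-only key named `rpmbuild-$USER@$HOSTNAME`, set it as rpm's `%_gpg_name`, export the armored public key and explain how to import it. The `%_gpg_name` macro, `rpmkeys --import` and the gpg `--quick-generate-key` flags are real; the ed25519 algorithm choice, the `~/.rpmmacros` edit and the `~/rpmbuild-signing-key.asc` path are this example's assumptions, and the decision logic is kept in small functions so it can be checked without gpg or rpm installed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not rpm's own code).
set -u

# User id the comment proposes: "something like" rpmbuild-$USER@$HOSTNAME.
#   $1 = user name, $2 = host name
autosign_uid() {
    printf 'rpmbuild-%s@%s\n' "$1" "$2"
}

# Generate a key only when no signing key is configured AND the build is
# interactive, so mock buildroots and CI runs do not accumulate keys.
#   $1 = currently configured %_gpg_name ("" if none), $2 = "tty" or "notty"
should_generate_key() {
    [ -z "$1" ] && [ "$2" = "tty" ]
}

# Currently configured rpm signing key name; empty if unset or rpm absent.
configured_gpg_name() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm --eval '%{?_gpg_name}' 2>/dev/null
}

# Create a passwordless sign-only key, point rpm at it, export the pubkey.
setup_autosign_key() {
    uid=$(autosign_uid "${USER:-$(id -un)}" "$(hostname)")
    out="$HOME/rpmbuild-signing-key.asc"   # assumed export location

    # gpg --quick-generate-key <user-id> <algo> <usage> <expire>; expire 0 = never.
    gpg --batch --passphrase '' --pinentry-mode loopback \
        --quick-generate-key "$uid" ed25519 sign 0

    # Configure this key for future rpmbuild runs (assumes ~/.rpmmacros).
    printf '%%_gpg_name %s\n' "$uid" >> "$HOME/.rpmmacros"

    # Export the ascii-armored public key with import instructions.
    gpg --armor --export "$uid" > "$out"
    cat <<EOF
Created passwordless signing key "$uid" and set %_gpg_name in ~/.rpmmacros.
To let rpm verify packages signed with it, import the public key:
    sudo rpmkeys --import "$out"
EOF
}

main() {
    if [ -t 0 ]; then tty=tty; else tty=notty; fi
    if should_generate_key "$(configured_gpg_name)" "$tty"; then
        setup_autosign_key
    else
        echo "signing key already configured or non-interactive build; nothing to do"
    fi
}

main "$@"
```

Run it once from an interactive shell; later automated builds see `%_gpg_name` set and leave the key alone, and a mock signing plugin configured to use rpm's key will pick up the same one from the host.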