sign-rpms: remove GPG_PASSPHRASE

Open ktdreyer opened this issue 3 years ago • 3 comments

We don't need this argument, and I'm not sure it ever worked.

I entered the passphrase (Nitrokey PIN) into gpg-agent prior to running this script, and that seems sufficient.

ktdreyer avatar Apr 07 '23 15:04 ktdreyer

Well, maybe this needs more experimentation. I thought the workflow was:

  1. David boots the VM
  2. David runs a command to unlock gpg-agent once (echo hi | gpg --clearsign -u [email protected] would bring up the pinentry prompt)
  3. Someone does a release, using the already-unlocked gpg-agent

I've never tested --passphrase with a hardware signing device before. And the question of "how widely do we share the PIN" (assuming the PIN is the passphrase?)...

ktdreyer avatar Apr 07 '23 17:04 ktdreyer

@ktdreyer what do you think is the right path forward with this?

dmick avatar Jul 26 '23 22:07 dmick

Recording the notes from our discussion today here, the path forward would be:

  1. Document the correct / expected way to activate gpg-agent (someone has to enter the PIN, minimally after every boot. We should not share that PIN widely.)
  2. Instead of this giant echo yes | ... command, we should experiment with a more modern way to sign RPMs with this hardware signer. I think we can simply run rpmsign --define "_gpg_name [email protected]" --addsign *.rpm as documented in Koji's docs
  3. Merge https://github.com/ceph/merfi/pull/65, so we have the implementation in unit-testable Python, and we don't have to maintain this script any more

ktdreyer avatar Aug 24 '23 01:08 ktdreyer
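The unlock-once-then-sign workflow from the comments above (an operator enters the card PIN into gpg-agent once, later release runs use the cached PIN, signing goes through rpmsign with `_gpg_name`), written out as an added example script. It is not ceph-build's sign-rpms script and not code from this thread. It assumes gpg, rpmsign and rpmkeys are installed, that SIGNING_KEY (a placeholder uid here) names a key whose secret part lives on the hardware token, and that the card is configured so gpg-agent caches the PIN after one interactive entry, as the thread describes. The agent check uses gpg's --pinentry-mode error so that an unattended Jenkins run fails fast instead of hanging on a pinentry prompt, and the PIN never appears in the script, the job config or the process list.

```shell
#!/bin/sh
# Added example, not the ceph-build sign-rpms script: sign RPMs with a
# hardware-backed GPG key via an already-unlocked gpg-agent.
set -eu

# Placeholder uid; the real release key uid is not part of this example.
SIGNING_KEY="${SIGNING_KEY:-release-signer@example.invalid}"

# Return 0 if gpg-agent already holds the PIN for the key. --pinentry-mode
# error makes gpg fail instead of prompting, so a batch job cannot hang on
# a pinentry window; the operator must unlock interactively beforehand.
agent_is_unlocked() {
    printf 'agent check\n' | gpg --batch --pinentry-mode error \
        --clearsign -u "$1" >/dev/null 2>&1
}

# Render the exact rpmsign command line for the given key and RPM paths
# (pure shell, no tools needed, so it can be checked offline).
rpmsign_cmd() {
    key="$1"; shift
    printf 'rpmsign --define "_gpg_name %s" --addsign' "$key"
    for f in "$@"; do printf ' %s' "$f"; done
    printf '\n'
}

# Sign every RPM given; rpmsign asks gpg-agent for the key, so no
# passphrase or PIN is passed here.
sign_rpms() {
    key="$1"; shift
    rpmsign --define "_gpg_name $key" --addsign "$@"
}

# Verify digests and signatures; fails if a file is unsigned or the
# public key is not imported into the rpm keyring on this host.
verify_rpms() {
    rpmkeys --checksig "$@"
}

main() {
    if ! agent_is_unlocked "$SIGNING_KEY"; then
        echo "gpg-agent has no cached PIN for $SIGNING_KEY; unlock it interactively first" >&2
        exit 1
    fi
    sign_rpms "$SIGNING_KEY" "$@"
    verify_rpms "$@"
}

# Only run when invoked with RPM paths, e.g.:  ./sign-rpms.sh dist/*.rpm
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

With this layout the PIN is entered exactly once per boot by whoever holds it (step 1 of the list above), and the release job only checks that the cache is warm before it signs.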