From Fedora Project Wiki

Revision as of 14:28, 30 May 2014

This document describes how to configure a sigul client. For more information on sigul, please see User:Mitr.

Prerequisites

  • Install sigul and its dependencies. It is available in both Fedora and EPEL:
    # yum install sigul

  • Ensure that your koji certificate and the Fedora CA certificate are present on the system that you're running the sigul client from at the following locations:
    • ~/.fedora.cert
    • ~/.fedora-server-ca.cert
  • Admin privileges on koji are required to write signatures.
  • If you are running RHEL 6, add 'export NSS_HASH_ALG_SUPPORT=+MD5' to your ~/.bashrc.

Configuration

  1. Run sigul_setup_client
  2. Choose a password for your NSS database. By default this will be stored on-disk in ~/.sigul/client.conf.
  3. Choose an export password. You will only need to remember it until finishing sigul_setup_client.
  4. Enter the DB password you chose earlier, then the export password. You should see the message "pk12util: PKCS12 IMPORT SUCCESSFUL".
  5. Enter the DB password again. You should see the message "Done".
  6. Assuming that you are running the sigul client within phx2, edit ~/.sigul/client.conf to include the following lines:
    [client]
    bridge-hostname: sign-bridge1
    server-hostname: sign-vault1
    

Configuration for Secondary Architectures

All steps remain the same, but you will need admin privileges on your secondary koji instance (not the primary's). When editing ~/.sigul/client.conf, use:

[client]
bridge-hostname: secondary-signer
server-hostname: secondary-signer-server
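The following is an added example, not part of the wiki page or of sigul itself: a small POSIX shell check that a finished client setup (primary or secondary) matches the layout described in the Prerequisites and Configuration sections above. It assumes the file locations named on this page and that client.conf is a simple "key: value" file under a [client] header; the sample home directories it builds contain constructed placeholder files, not real certificates.

```shell
# Added example, not from the Fedora wiki page: sanity-check a sigul client
# setup against the layout the page describes (~/.fedora.cert,
# ~/.fedora-server-ca.cert, ~/.sigul/client.conf with a [client] section).
# Expected hostnames are parameters, so one check covers both setups.

# conf_value FILE KEY: print KEY's value from the [client] section of FILE.
conf_value() {
    awk -F: -v key="$2" '/^\[/ { in_client = ($0 == "[client]") }
        in_client && $1 == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# check_sigul_client HOME_DIR BRIDGE SERVER: print one line per problem and
# return the number of problems found (0 means the setup looks complete).
check_sigul_client() {
    home="$1"; want_bridge="$2"; want_server="$3"; problems=0
    conf="$home/.sigul/client.conf"
    for f in "$home/.fedora.cert" "$home/.fedora-server-ca.cert" "$conf"; do
        [ -f "$f" ] || { echo "missing: $f"; problems=$((problems + 1)); }
    done
    [ -f "$conf" ] || return "$problems"
    # client.conf stores the NSS database password on disk (step 2 above),
    # so it must not be readable by other users.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    [ "$mode" = 600 ] || [ "$mode" = 400 ] ||
        { echo "$conf has mode $mode, expected 600"; problems=$((problems + 1)); }
    bridge=$(conf_value "$conf" bridge-hostname); server=$(conf_value "$conf" server-hostname)
    [ "$bridge" = "$want_bridge" ] ||
        { echo "bridge-hostname is '$bridge', expected $want_bridge"; problems=$((problems + 1)); }
    [ "$server" = "$want_server" ] ||
        { echo "server-hostname is '$server', expected $want_server"; problems=$((problems + 1)); }
    return "$problems"
}

# make_sample_home good|bad: build a constructed home directory under a temp
# dir (placeholder files, not real certificates) and print its path.
make_sample_home() {
    dir=$(mktemp -d); mkdir -p "$dir/.sigul"
    echo "constructed placeholder, not a real certificate" > "$dir/.fedora.cert"
    if [ "$1" = good ]; then
        cp "$dir/.fedora.cert" "$dir/.fedora-server-ca.cert"
        printf '[client]\nbridge-hostname: sign-bridge1\nserver-hostname: sign-vault1\n' > "$dir/.sigul/client.conf"
        chmod 600 "$dir/.sigul/client.conf"
    else   # CA certificate missing, world-readable config, wrong server host
        printf '[client]\nbridge-hostname: sign-bridge1\nserver-hostname: secondary-signer-server\n' > "$dir/.sigul/client.conf"
        chmod 644 "$dir/.sigul/client.conf"
    fi
    echo "$dir"
}
check_sigul_client "$(make_sample_home good)" sign-bridge1 sign-vault1 && echo "sample setup OK"
```

Run it against your real home directory with `check_sigul_client "$HOME" sign-bridge1 sign-vault1` (or the secondary-signer hostnames) after finishing sigul_setup_client.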

Updating your Fedora certificate

When your Fedora certificate expires, after updating it run the following commands:

$ certutil -d ~/.sigul -D -n sigul-client-cert
$ NSS_HASH_ALG_SUPPORT=+md5 sigul_setup_client