From Fedora Project Wiki


signing notes

$ sigul --help-commands
delete-key          Delete a key
modify-key-user     Modify user's key access
list-users          List users
grant-key-access    Grant key access to a user
sign-text           Output a cleartext signature of a text
import-key          Import a key
new-user            Add a user
sign-rpm            Sign a RPM
list-keys           List keys
sign-data           Create a detached signature
revoke-key-access   Revoke key acess from a user
user-info           Show information about a user
change-passphrase   Change key passphrase
list-key-users      List users that can access a key
new-key             Add a key
modify-user         Modify a user
sign-rpms           Sign one or more RPMs
modify-key          Modify a key
delete-user         Delete a user
key-user-info       Show information about user's key access
get-public-key      Output public part of the key


  • Adding a passphrase to the signing key (the NSS_HASH_ALG_SUPPORT=+MD5 prefix re-enables MD5 in NSS for this one invocation only; NSS disables MD5 by default because it is cryptographically broken, so set it per command rather than exporting it globally):
NSS_HASH_ALG_SUPPORT=+MD5 sigul --verbose --user-name=parasense change-passphrase epel-7


  • Inspecting the NSS database with certutil

More info about certutil can be found here: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Tools/certutil


  • Start by displaying the certificate nicknames, which come in handy later:
$ certutil -L -d ~/.sigul

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

fedora-ca                                                    CT,, 
sigul-client-cert                                            u,u,u

The "fedora-ca" entry is the Fedora packager cert. The "sigul-client-cert" entry is the relevant signing certificate. In the trust column, "CT,," marks fedora-ca as a CA trusted to issue both server (C) and client (T) certificates for SSL, while "u,u,u" marks sigul-client-cert as a user certificate whose private key is present in the database. These two certificates combined allow for the delegation of package signing tasks to trusted persons.


NOTE: the fedora-ca is based on your packager cert, which is itself stored in your home directory and can be checked with:

$ fedora-cert --verify
Verifying Certificate
cert expires: 2014-11-10
CRL Checking not implemented yet

NOTE: If you are curious, you can check the expiry date directly:

$ grep "Not After" .fedora.cert
            Not After : Nov 10 15:31:45 2014 GMT
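As an added example (not part of the wiki page), the grep above turned into a small expiry check: it parses the "Not After" line, reports the days left and returns non-zero when the packager cert is expired or about to expire. It assumes GNU date (date -d) and a constructed sample of the text header found in ~/.fedora.cert.

```shell
#!/bin/sh
# Added example, not from the wiki: check how many days remain before the
# packager certificate expires, using the "Not After" line in ~/.fedora.cert.
# Assumes GNU date (date -d).

# Constructed sample of the text header that precedes the PEM block in ~/.fedora.cert.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Validity
            Not Before: Nov 10 15:31:45 2013 GMT
            Not After : Nov 10 15:31:45 2014 GMT'

# Print the expiry timestamp found in the cert text on stdin, e.g. "Nov 10 15:31:45 2014 GMT".
cert_not_after() {
    sed -n 's/^ *Not After *: *//p' | head -n 1
}

# days_until EXPIRY [NOW]: whole days from NOW (default: current time) until EXPIRY.
# Negative when EXPIRY is already in the past.
days_until() {
    expiry_epoch=$(date -u -d "$1" +%s) || return 2
    now_epoch=$(date -u -d "${2:-now}" +%s) || return 2
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# check_cert_expiry FILE [WARN_DAYS] [NOW]: 0 if the cert in FILE has more than
# WARN_DAYS (default 30) left, 1 if it expires within that window or has expired,
# 2 if the file has no parsable "Not After" line.
check_cert_expiry() {
    file=$1; warn_days=${2:-30}; now=${3:-now}
    expiry=$(cert_not_after < "$file")
    [ -n "$expiry" ] || { echo "$file: no 'Not After' line found" >&2; return 2; }
    left=$(days_until "$expiry" "$now") || return 2
    if [ "$left" -lt 0 ]; then
        echo "$file: certificate expired $(( 0 - left )) days ago ($expiry)"; return 1
    elif [ "$left" -le "$warn_days" ]; then
        echo "$file: certificate expires in $left days ($expiry)"; return 1
    fi
    echo "$file: certificate valid for $left more days ($expiry)"; return 0
}

# Demonstration on the constructed sample, evaluated as of a date shortly before expiry.
demo_file=$(mktemp); printf '%s\n' "$SAMPLE_CERT_TEXT" > "$demo_file"
check_cert_expiry "$demo_file" 30 '2014-10-20 15:31:45 UTC' || :
rm -f "$demo_file"
```

Run it against the real file with `check_cert_expiry ~/.fedora.cert` to get the same warning for your own packager cert.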


$ certutil -K -d ~/.sigul
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa     ... <REDACTED> ...  sigul-client-cert
< 1> rsa     ... <REDACTED> ...  sigul-client-cert

$ certutil -O -n sigul-client-cert -d ~/.sigul
"fedora-ca" [E=admin@fedoraproject.org,CN=Fedora Project CA,OU=Fedora Project CA,O=Fedora Project,L=Raleigh,ST=North Carolina,C=US]

  "sigul-client-cert" [E=jdisnard@gmail.com,CN=parasense,OU=Fedora User Cert,O=Fedora Project,ST=North Carolina,C=US]