From Fedora Project Wiki
(Created page with "{{admon/warning|Draft SOP|This SOP is not yet finalized. You are likely to be eaten by a grue.}} This document describes how to configure a sigul client. For more information...") |
Maxamillion (talk | contribs) No edit summary |
||
| (6 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
{{admon/ | {{admon/important|This page is deprecated| All Fedora Release Engineering Documentation has moved [https://docs.pagure.org/releng/ here] with source hosted along side the code in the [https://pagure.io/releng releng pagure repository]}} | ||
This document describes how to configure a sigul client. For more information on sigul, please see [[User:Mitr]]. | This document describes how to configure a sigul client. For more information on sigul, please see [[User:Mitr]]. | ||
| Line 10: | Line 10: | ||
# yum install sigul | # yum install sigul | ||
</pre></li> | </pre></li> | ||
<li>Ensure that your koji certificates are present on the system that you're running the sigul client from. | <li>Ensure that your koji certificate and the Fedora CA certificates are present on the system that you're running the sigul client from at the following locations: | ||
* <code>~/.fedora.cert</code> | |||
* <code>~/.fedora-server-ca.cert</code> | |||
* <code>~/.fedora-upload-ca.cert</code> | |||
<li>admin privileges on koji are required to write signatures. | <li>admin privileges on koji are required to write signatures. | ||
<li>If you are running RHEL 6, add 'export NSS_HASH_ALG_SUPPORT=+MD5' to your ~/.bashrc.</li> | <li>If you are running RHEL 6, add 'export NSS_HASH_ALG_SUPPORT=+MD5' to your ~/.bashrc.</li> | ||
| Line 37: | Line 40: | ||
bridge-hostname: secondary-signer | bridge-hostname: secondary-signer | ||
server-hostname: secondary-signer-server | server-hostname: secondary-signer-server | ||
</pre> | |||
[koji] | |||
# Config file used to connect to the Koji hub | |||
; koji-config: ~/.koji/config | |||
# # Recognized alternative instances | |||
koji-instances: ppc s390 arm | |||
koji-config-ppc: /etc/koji/ppc-config | |||
koji-config-s390: /etc/koji/s390-config | |||
koji-config-arm: /etc/koji/arm-config | |||
</pre> | |||
= Updating your Fedora certificate = | = Updating your Fedora certificate = | ||
| Line 44: | Line 59: | ||
<pre> | <pre> | ||
$ certutil -d ~/.sigul -D -n sigul-client-cert | $ certutil -d ~/.sigul -D -n sigul-client-cert | ||
$ sigul_setup_client | $ NSS_HASH_ALG_SUPPORT=+MD5 sigul_setup_client | ||
</pre> | </pre> | ||
[[Category:Release Engineering SOPs]] | [[Category:Release Engineering SOPs]] | ||
Revision as of 17:57, 3 November 2015
This page is deprecated
All Fedora Release Engineering Documentation has moved here with source hosted along side the code in the releng pagure repository
All Fedora Release Engineering Documentation has moved here with source hosted along side the code in the releng pagure repository
This document describes how to configure a sigul client. For more information on sigul, please see User:Mitr.
Prerequisites
- Install sigul and its dependencies. It is available in both Fedora and EPEL:
# yum install sigul
- Ensure that your koji certificate and the Fedora CA certificates are present on the system that you're running the sigul client from at the following locations:
~/.fedora.cert~/.fedora-server-ca.cert~/.fedora-upload-ca.cert
- admin privileges on koji are required to write signatures.
- If you are running RHEL 6, add 'export NSS_HASH_ALG_SUPPORT=+MD5' to your ~/.bashrc.
Configuration
- Run sigul_setup_client
- Choose a password for your NSS database. By default this will be stored on-disk in ~/.sigul/client.conf.
- Choose an export password. You will only need to remember it until finishing sigul_setup_client.
- Enter the DB password you chose earlier, then the export password. You should see the message "pk12util: PKCS12 IMPORT SUCCESSFUL"
- Enter the DB password again. You should see the message "Done".
- Assuming that you are running the sigul client within phx2, edit ~/.sigul/client.conf to include the following lines:
[client] bridge-hostname: sign-bridge1 server-hostname: sign-vault1
Configuration for Secondary Architectures
All steps remain the same, however you will need admin privileges on your secondary koji instance (not primary's). When editing ~/sigul/client.conf, use:
[client] bridge-hostname: secondary-signer server-hostname: secondary-signer-server [koji] # Config file used to connect to the Koji hub ; koji-config: ~/.koji/config # # Recognized alternative instances koji-instances: ppc s390 arm koji-config-ppc: /etc/koji/ppc-config koji-config-s390: /etc/koji/s390-config koji-config-arm: /etc/koji/arm-config
Updating your Fedora certificate
When your Fedora certificate expires, after updating it run the following commands:
$ certutil -d ~/.sigul -D -n sigul-client-cert $ NSS_HASH_ALG_SUPPORT=+MD5 sigul_setup_client