From Fedora Project Wiki
(Created page with "{{admon/warning|Draft SOP|This SOP is not yet finalized. You are likely to be eaten by a grue.}} This document describes how to configure a sigul client. For more information...") |
Maxamillion (talk | contribs) No edit summary |
||
(6 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
{{admon/ | {{admon/important|This page is deprecated| All Fedora Release Engineering Documentation has moved [https://docs.pagure.org/releng/ here] with source hosted along side the code in the [https://pagure.io/releng releng pagure repository]}} | ||
This document describes how to configure a sigul client. For more information on sigul, please see [[User:Mitr]]. | This document describes how to configure a sigul client. For more information on sigul, please see [[User:Mitr]]. | ||
Line 10: | Line 10: | ||
# yum install sigul | # yum install sigul | ||
</pre></li> | </pre></li> | ||
<li>Ensure that your koji certificates are present on the system that you're running the sigul client from. | <li>Ensure that your koji certificate and the Fedora CA certificates are present on the system that you're running the sigul client from at the following locations: | ||
* <code>~/.fedora.cert</code> | |||
* <code>~/.fedora-server-ca.cert</code> | |||
* <code>~/.fedora-upload-ca.cert</code> | |||
<li>admin privileges on koji are required to write signatures. | <li>admin privileges on koji are required to write signatures. | ||
<li>If you are running RHEL 6, add 'export NSS_HASH_ALG_SUPPORT=+MD5' to your ~/.bashrc.</li> | <li>If you are running RHEL 6, add 'export NSS_HASH_ALG_SUPPORT=+MD5' to your ~/.bashrc.</li> | ||
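Review bot: the new prerequisite item that lists the three certificate paths opens an `<li>` that is never closed, and the "admin privileges" item after it is left open as well, while the RHEL 6 item below them does end with `</li>`. Close both items so the list markup stays balanced.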
Line 37: | Line 40: | ||
bridge-hostname: secondary-signer | bridge-hostname: secondary-signer | ||
server-hostname: secondary-signer-server | server-hostname: secondary-signer-server | ||
</pre> | |||
[koji] | |||
# Config file used to connect to the Koji hub | |||
; koji-config: ~/.koji/config | |||
# # Recognized alternative instances | |||
koji-instances: ppc s390 arm | |||
koji-config-ppc: /etc/koji/ppc-config | |||
koji-config-s390: /etc/koji/s390-config | |||
koji-config-arm: /etc/koji/arm-config | |||
</pre> | |||
= Updating your Fedora certificate = | = Updating your Fedora certificate = | ||
Line 44: | Line 59: | ||
<pre> | <pre> | ||
$ certutil -d ~/.sigul -D -n sigul-client-cert | $ certutil -d ~/.sigul -D -n sigul-client-cert | ||
$ sigul_setup_client | $ NSS_HASH_ALG_SUPPORT=+MD5 sigul_setup_client | ||
</pre> | </pre> | ||
[[Category:Release Engineering SOPs]] | [[Category:Release Engineering SOPs]] |
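Review bot: the replacement `sigul_setup_client` line sets `NSS_HASH_ALG_SUPPORT=+MD5` for every reader, whereas the prerequisites ask for that variable only on RHEL 6. Because the setting re-enables MD5 in NSS, state in the sentence before the `<pre>` block why the re-import needs it and on which systems, or limit it to RHEL 6 as the prerequisite does.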
Revision as of 17:57, 3 November 2015
This document describes how to configure a sigul client. For more information on sigul, please see User:Mitr.
Prerequisites
- Install sigul and its dependencies. It is available in both Fedora and EPEL:
    # yum install sigul
- Ensure that your koji certificate and the Fedora CA certificates are present on the system that you're running the sigul client from at the following locations:
  - ~/.fedora.cert
  - ~/.fedora-server-ca.cert
  - ~/.fedora-upload-ca.cert
- Admin privileges on koji are required to write signatures.
- If you are running RHEL 6, add 'export NSS_HASH_ALG_SUPPORT=+MD5' to your ~/.bashrc.
Configuration
- Run sigul_setup_client
- Choose a password for your NSS database. By default this will be stored on-disk in ~/.sigul/client.conf.
- Choose an export password. You will only need to remember it until finishing sigul_setup_client.
- Enter the DB password you chose earlier, then the export password. You should see the message "pk12util: PKCS12 IMPORT SUCCESSFUL"
- Enter the DB password again. You should see the message "Done".
- Assuming that you are running the sigul client within phx2, edit ~/.sigul/client.conf to include the following lines:
    [client]
    bridge-hostname: sign-bridge1
    server-hostname: sign-vault1
Configuration for Secondary Architectures
All steps remain the same; however, you will need admin privileges on your secondary koji instance (not the primary's). When editing ~/.sigul/client.conf, use:
    [client]
    bridge-hostname: secondary-signer
    server-hostname: secondary-signer-server

    [koji]
    # Config file used to connect to the Koji hub
    ; koji-config: ~/.koji/config
    # # Recognized alternative instances
    koji-instances: ppc s390 arm
    koji-config-ppc: /etc/koji/ppc-config
    koji-config-s390: /etc/koji/s390-config
    koji-config-arm: /etc/koji/arm-config
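As an added example (not part of the original SOP or of sigul itself), this Python preflight check verifies the prerequisites and the client.conf settings described above: the three certificate files, the [client] hostnames, and a koji-config-<name> file for every entry in koji-instances. The function names, the constructed sample, and the policy of flagging any group/other permission bits on client.conf (which holds the NSS database password by default) are assumptions of this example.

```python
import configparser, os, stat, tempfile
CERTS = (".fedora.cert", ".fedora-server-ca.cert", ".fedora-upload-ca.cert")

def check_sigul_client(home):
    """Return a list of problems; an empty list means every check passed."""
    problems = [f"missing ~/{c}" for c in CERTS
                if not os.path.isfile(os.path.join(home, c))]
    conf = os.path.join(home, ".sigul", "client.conf")
    if not os.path.isfile(conf):
        return problems + ["missing ~/.sigul/client.conf"]
    # client.conf holds the NSS DB password; flagging group/other bits is this example's policy.
    mode = stat.S_IMODE(os.stat(conf).st_mode)
    if mode & 0o077:
        problems.append(f"client.conf mode {mode:04o} allows group/other access")
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(conf)
    for key in ("bridge-hostname", "server-hostname"):
        if not cp.get("client", key, fallback="").strip():
            problems.append(f"[client] {key} is not set")
    # Every name in koji-instances needs a koji-config-<name> file that exists.
    for inst in cp.get("koji", "koji-instances", fallback="").split():
        path = cp.get("koji", f"koji-config-{inst}", fallback="").strip()
        if not path:
            problems.append(f"[koji] koji-config-{inst} is not set")
        elif not os.path.isfile(os.path.expanduser(path)):
            problems.append(f"[koji] koji-config-{inst}: {path} not found")
    return problems

# Constructed sample based on the secondary-architecture config: no arm entry, mode 0644.
SAMPLE = """[client]
bridge-hostname: secondary-signer
server-hostname: secondary-signer-server
[koji]
koji-instances: ppc arm
koji-config-ppc: {home}/ppc-config
"""

def demo():
    home = tempfile.mkdtemp()  # throwaway home directory, also constructed
    os.mkdir(os.path.join(home, ".sigul"))
    for name in CERTS[:2] + ("ppc-config",):  # upload CA cert left out on purpose
        open(os.path.join(home, name), "w").close()
    with open(os.path.join(home, ".sigul", "client.conf"), "w") as f:
        f.write(SAMPLE.format(home=home))
    os.chmod(f.name, 0o644)
    return check_sigul_client(home)

if __name__ == "__main__":
    print("\n".join(demo()) or "all checks passed")
```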
Updating your Fedora certificate
When your Fedora certificate expires, after updating it run the following commands:
    $ certutil -d ~/.sigul -D -n sigul-client-cert
    $ NSS_HASH_ALG_SUPPORT=+MD5 sigul_setup_client