From Fedora Project Wiki

Revision as of 21:42, 27 July 2014 by Parasense (→ signing notes)

Fedora Certificate

$ fedora-cert --new-cert --username=parasense
$ fedora-cert --verify
Verifying Certificate
cert expires: 2014-11-10
CRL Checking not implemented yet

NOTE: CRL means "Certificate Revocation List": a signed list, published by the CA, of the serial numbers of certificates it has revoked before their expiry date. CRL checking means verifying not just the certificate's signature and validity dates but also that no certificate in the chain of trust appears on its issuer's current CRL. Because fedora-cert does not do this, a packager certificate that Fedora has revoked still passes --verify for as long as it has not expired.


Another way to check the Fedora certificate is directly with OpenSSL, which verifies the signature chain and the validity dates against the Fedora CA certificate. Like fedora-cert --verify, this does no revocation checking unless you also pass -crl_check and hand it the CA's CRL (for example with -CRLfile):

$ openssl verify -verbose -CAfile ~/.fedora-server-ca.cert ~/.fedora.cert 
/home/jdisnard/.fedora.cert: OK
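As an added example that is not part of these notes, the script below builds a throwaway CA and a client certificate (names such as "Example Test CA" and "parasense-test" are constructed for the demo; nothing here touches the real Fedora CA or ~/.fedora.cert) and runs the check the two commands above perform, plus the two they do not: an expiry warning with openssl x509 -checkend, and a revocation check. After the demo CA revokes the certificate and issues a CRL, openssl verify without the CRL still reports OK; only a verify given the CRL with -CRLfile and -crl_check reports it revoked. That is the gap behind "CRL Checking not implemented yet". The -checkend line is also a sturdier version of the grep on "Not After" used further down this page.

```shell
#!/bin/sh
# Added example, not from the wiki page: a throwaway CA and client certificate
# (all names constructed for the demo) used to show what "openssl verify"
# checks, what "-checkend" adds, and what a CRL check catches that the
# signature-and-dates check alone does not.
set -eu

# Prints one line:
#   chain:<OK|FAIL> expiry:<OK|EXPIRING> revoked_no_crl:<OK|FAIL> revoked_with_crl:<OK|REVOKED>
verify_demo() {
    d=$(mktemp -d)
    cnf="$d/openssl.cnf"

    # Minimal config: [req] for key/cert generation, [ca] so "openssl ca"
    # can keep an index of revoked serials and sign a CRL.
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $d/index.txt
new_certs_dir = $d
serial = $d/serial
crlnumber = $d/crlnumber
certificate = $d/ca.crt
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    : > "$d/index.txt"
    echo 01 > "$d/serial"
    echo 01 > "$d/crlnumber"

    # 1. Self-signed CA, playing the role of ~/.fedora-server-ca.cert.
    openssl req -x509 -config "$cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 30 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # 2. Client certificate signed by it, playing the role of ~/.fedora.cert.
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=parasense-test/OU=Fedora User Cert" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/user.csr" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/user.crt" 2>/dev/null

    # 3. Signature chain + validity dates: all that fedora-cert --verify and a
    #    plain "openssl verify" check.  Matching the ": OK" line instead of the
    #    exit status keeps this working on old OpenSSL, which always exited 0.
    chain=FAIL
    openssl verify -CAfile "$d/ca.crt" "$d/user.crt" 2>&1 | grep -q ': OK$' && chain=OK

    # 4. Expiry: -checkend N exits non-zero if the cert expires within N seconds
    #    (14 days here).  The same command works on ~/.fedora.cert.
    expiry=EXPIRING
    openssl x509 -in "$d/user.crt" -noout -checkend 1209600 >/dev/null && expiry=OK

    # 5. The CA revokes the certificate and publishes a CRL ...
    openssl ca -config "$cnf" -revoke "$d/user.crt" >/dev/null 2>&1
    openssl ca -config "$cnf" -gencrl -crldays 30 -out "$d/ca.crl" >/dev/null 2>&1

    # ... but a verify that is not given the CRL still says OK,
    no_crl=FAIL
    openssl verify -CAfile "$d/ca.crt" "$d/user.crt" 2>&1 | grep -q ': OK$' && no_crl=OK
    # and only -crl_check with the CRL supplied reports the revocation.
    with_crl=REVOKED
    openssl verify -crl_check -CAfile "$d/ca.crt" -CRLfile "$d/ca.crl" \
        "$d/user.crt" 2>&1 | grep -q ': OK$' && with_crl=OK

    rm -rf "$d"
    echo "chain:$chain expiry:$expiry revoked_no_crl:$no_crl revoked_with_crl:$with_crl"
}

verify_demo
```

Run it as-is; it prints the one status line and removes its temporary directory. To apply the expiry warning to your own packager certificate, point the -checkend command at ~/.fedora.cert: the text dump fedora-cert writes ahead of the PEM block is skipped by openssl, just as it is for the openssl verify call above.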


Fedora certificates exist in the home directory:

~/.fedora.cert            your packager certificate (the file fedora-cert --verify checks)
~/.fedora-server-ca.cert  the Fedora Project CA certificate (used as -CAfile above)


signing notes

$ sigul --help-commands
delete-key          Delete a key
modify-key-user     Modify user's key access
list-users          List users
grant-key-access    Grant key access to a user
sign-text           Output a cleartext signature of a text
import-key          Import a key
new-user            Add a user
sign-rpm            Sign a RPM
list-keys           List keys
sign-data           Create a detached signature
revoke-key-access   Revoke key access from a user
user-info           Show information about a user
change-passphrase   Change key passphrase
list-key-users      List users that can access a key
new-key             Add a key
modify-user         Modify a user
sign-rpms           Sign one or more RPMs
modify-key          Modify a key
delete-user         Delete a user
key-user-info       Show information about user's key access
get-public-key      Output public part of the key


  • Changing your passphrase for a signing key (here the epel-7 key). The NSS_HASH_ALG_SUPPORT=+MD5 prefix re-enables MD5-signed certificates in NSS for this one process (NSS rejects them by default); set it per command rather than exporting it in your shell profile, since it lowers the bar for forging the TLS chain to the sigul bridge.
NSS_HASH_ALG_SUPPORT=+MD5 sigul --verbose --user-name=parasense change-passphrase epel-7


  • Inspecting the NSS database with certutil

More info about certutil can be found here: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Tools/certutil


  • start by displaying the certificate nicknames, which come in handy later:
$ certutil -L  -d ~/.sigul

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

fedora-ca                                                    CT,, 
sigul-client-cert                                            u,u,u

The "fedora-ca" entry is the Fedora Project CA certificate, the same CA as ~/.fedora-server-ca.cert; its trust flags CT,, mark it as a CA trusted to issue server and client certificates for SSL. The "sigul-client-cert" entry is your own packager certificate together with its private key (u,u,u: user certificate, key present for all three uses), and it is the identity sigul presents to the bridge over TLS. Together they let the bridge authenticate the packager, which is how package signing tasks are delegated to trusted persons.


NOTE: the sigul-client-cert is your packager cert imported into the NSS database, and fedora-ca is the CA that issued it; the packager cert itself is stored in the home directory:

$ fedora-cert --verify
Verifying Certificate
cert expires: 2014-11-10
CRL Checking not implemented yet

NOTE: If you are curious, you can read the expiry date directly from the text dump that precedes the PEM block in ~/.fedora.cert (which is why a plain grep works):

$ grep "Not After" ~/.fedora.cert
            Not After : Nov 10 15:31:45 2014 GMT


$ certutil -K -d ~/.sigul
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa     ... <REDACTED> ...  sigul-client-cert
< 1> rsa     ... <REDACTED> ...  sigul-client-cert

$ certutil -O -n sigul-client-cert -d ~/.sigul
"fedora-ca" [E=admin@fedoraproject.org,CN=Fedora Project CA,OU=Fedora Project CA,O=Fedora Project,L=Raleigh,ST=North Carolina,C=US]

  "sigul-client-cert" [E=jdisnard@gmail.com,CN=parasense,OU=Fedora User Cert,O=Fedora Project,ST=North Carolina,C=US]