From: Henning Schild <henning.schild@siemens.com>
To: <isar-users@googlegroups.com>
Cc: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
Subject: base-apt signing interface could be improved
Date: Thu, 6 Jun 2019 15:45:58 +0200
Message-ID: <20190606154558.7eea07bd@md1za8fc.ad001.siemens.net>

Hi,

I just had a quick look at the implementation of the base-apt signing
for the first time. The interface is not ideal and has potential for
the signing key and the checking key not actually belonging together.

As far as I understand the code I read, Isar will start signing
base-apt if BASE_REPO_KEY is set to anything. The private key it will
use to sign the repo is not specified at all, it will be whatever gnupg
defaults to, given its configuration.

I would suggest to switch from "SignWith yes" to "SignWith <keyid>",
and derive the id from BASE_REPO_KEY.

Further improvements would be to actually configure gnupg inside Isar
and not rely on an outside configuration. Relying on the outside config
means that all (multi)configs will have to use the same keypair.

So we would add
BASE_REPO_KEY_PRIVATE and ..._PASSPHRASE

Now we would create a new gpg homedir next to where we store base-apt.
We would import that one key there and potentially unlock it with its
passphrase. If we clean and rebuild we get a working gpghome for sure.

Henning
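
Added example, not part of the original mail and not Isar code: one way to carry out the proposal above, deriving the fingerprint from the public key, importing the private key into a fresh homedir, refusing a mismatched pair, and pinning SignWith to that fingerprint. Assumptions: all function names are hypothetical, the keys are given as local file paths, SignWith lives in a reprepro-style conf/distributions file, gpg is 2.2.8 or newer (for --show-keys), and passphrase unlocking is left out.

```shell
#!/bin/sh
# Added example, not Isar code. Function names and the file layout are
# hypothetical; the key files are assumed to be local paths.

# Constructed `gpg --with-colons` output: one primary key, one subkey.
sample_colons() {
cat <<'EOF'
pub:-:255:22:89ABCDEF01234567:1559820000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1559820000::::Constructed Repo Key <repo@example.invalid>:
sub:-:255:18:76543210FEDCBA98:1559820000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}

# Primary-key fingerprint: the first fpr record after the pub record.
key_fpr_from_colons() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# Pin the signing key in a distributions file: "SignWith: yes" -> fingerprint.
pin_signwith() {  # $1 = distributions file, $2 = fingerprint
    case "$2" in
        ""|*[!0-9A-Fa-f]*) echo "bad fingerprint: '$2'" >&2; return 1 ;;
    esac
    grep -q '^SignWith:' "$1" || { echo "no SignWith line in $1" >&2; return 1; }
    sed "s/^SignWith:.*/SignWith: $2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Fresh homedir holding only this repo's keypair, then pin SignWith to it.
# $1 = new GNUPGHOME, $2 = public key file (BASE_REPO_KEY), $3 = private key
# file (the mail's proposed BASE_REPO_KEY_PRIVATE), $4 = distributions file
setup_repo_gpghome() {
    [ -n "$1" ] || return 1
    GNUPGHOME=$1; export GNUPGHOME
    rm -rf "$GNUPGHOME" && mkdir -p -m 700 "$GNUPGHOME" || return 1
    fpr=$(gpg --batch --with-colons --show-keys "$2" | key_fpr_from_colons)
    [ -n "$fpr" ] || { echo "no public key found in $2" >&2; return 1; }
    gpg --batch --import "$3" || return 1
    # The imported secret key must be the one clients will verify with.
    gpg --batch --list-secret-keys "$fpr" >/dev/null 2>&1 ||
        { echo "private key does not match $2" >&2; return 1; }
    pin_signwith "$4" "$fpr"
}

if [ "$#" -eq 4 ]; then setup_repo_gpghome "$@"; fi
```

Because the homedir is rebuilt from the two key files on every run, each (multi)config can carry its own keypair, and a private key that does not match the published public key stops the build instead of producing a repo that clients cannot verify.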