Opened 8 years ago

Closed 2 years ago

#108 closed enhancement (fixed)

Signature on Debian should be able to use a conf file passphrase

Reported by: bruno
Owned by: bruno
Priority: major
Milestone: 0.14.2
Component: pb
Version: 0.11.3
Keywords:
Cc:

Description

Signature on Debian should be able to use a conf file passphrase as on RPM, using the same params, to avoid having the password asked interactively during the build if the user wants so.

Change History (10)

comment:1 Changed 8 years ago by bruno

  • Milestone changed from 0.11.4 to 0.11.5

comment:2 Changed 8 years ago by bruno

  • Milestone 0.11.5 deleted

comment:3 Changed 6 years ago by bruno

  • Milestone set to 0.12.3
  • Status changed from new to assigned

There is an issue to sign deb packages, as the signature infra should be on the delivery server, which is contrary to how pb behaves (the delivery server is not trusted). So for RPMs the signature is done after packages are brought back from the VM, locally signed (trusted) and pushed. That doesn't seem to be possible for deb packages.

Will need to find a workaround (maybe have a local deb infrastructure to sign debs before pushing all that is required). Would need the help of a savvy Debian developer.

comment:4 Changed 4 years ago by bruno

Thanks to Marco Gaiarin I had that feedback:

Looking around led me to:

https://wiki.debian.org/SecureApt#Setting_up_a_secure_apt_repository

so seems to me that, if you generate 'Release' files on the public ftp, the only way is to, by some way, copy back that file to your box, sign it, and copy to ftp 'Release.gpg'.

Last edited 4 years ago by bruno

comment:5 Changed 4 years ago by bruno

The solution for this is to use SSHFS between the build system and the delivery machine. That will solve the problem for good.

Last edited 3 years ago by bruno

comment:6 Changed 3 years ago by bruno

  • Milestone changed from 0.13.2 to 0.13.3

comment:7 Changed 3 years ago by bruno

With rev [2109] the proposal suggested by Marco has been implemented. To be tested with a Debian system to check that it works as expected. Will be in 0.14.1.

The SSHFS possibility is still interesting and will be looked at later.

comment:8 Changed 3 years ago by bruno

0.14.1 doesn't solve it fully:

$ sudo apt-get update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [94.5 kB]
Hit:2 http://us.archive.ubuntu.com/ubuntu xenial InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu xenial-updates InRelease [95.7 kB]
Hit:4 http://us.archive.ubuntu.com/ubuntu xenial-backports InRelease
Get:5 ftp://ftp.mondorescue.org//ubuntu 16.04 InRelease
Ign:5 ftp://ftp.mondorescue.org//ubuntu 16.04 InRelease
Get:6 ftp://ftp.mondorescue.org//ubuntu 16.04 Release [2,507 B]
Get:7 ftp://ftp.mondorescue.org//ubuntu 16.04 Release.gpg [196 B]
Ign:7 ftp://ftp.mondorescue.org//ubuntu 16.04 Release.gpg
Get:8 ftp://ftp.mondorescue.org//ubuntu 16.04/contrib Sources [3,557 B]
Get:9 ftp://ftp.mondorescue.org//ubuntu 16.04/contrib amd64 Packages [2,996 B]
Fetched 199 kB in 23s (8,553 B/s)
Reading package lists... Done
W: GPG error: ftp://ftp.mondorescue.org//ubuntu 16.04 Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 141B9FF237DB9883
W: The repository 'ftp://ftp.mondorescue.org//ubuntu 16.04 Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch ftp://ftp.mondorescue.org//ubuntu/dists/16.04/Release  Unable to find expected entry 'contrib/binary-i386/Packages' in Release file (Wrong sources.list entry or malformed file)
E: Some index files failed to download. They have been ignored, or old ones used instead.

Context:

$ cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.1 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.1 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial
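The two things apt complains about in comment 8 are independent: the NO_PUBKEY warning means the client has not imported the repository's signing key into apt's trusted keyring, while the "Unable to find expected entry 'contrib/binary-i386/Packages'" error means the (otherwise valid) Release file does not list an index for every component and architecture the client is configured for; an amd64 Ubuntu host normally has i386 as a foreign dpkg architecture, so apt asks for the i386 index too unless the sources.list line is restricted with [arch=amd64]. The following is an added example, not code from the ticket or from project-builder, that reimplements the repository-side half of the sign-offline workflow from comment 4 in pure Python: it renders a minimal Release file, checks which index entries apt would demand for a given set of components and host architectures, and verifies a downloaded index against the SHA256 the Release file publishes, which is exactly the check apt makes once Release.gpg has been validated. The Packages content and the field set of the Release file are constructed for the example and are far smaller than what apt-ftparchive or reprepro produce.

```python
"""Release-file checks that apt performs, reimplemented so a repository can be
tested on the trusted build box before Release / Release.gpg are uploaded.

Everything below is constructed example data, not the real mondorescue repository.
"""
import hashlib

# Constructed Packages index for component "contrib", architecture amd64.
PACKAGES_AMD64 = b"""Package: mondo
Version: 3.2.2-1
Architecture: amd64
Filename: pool/contrib/m/mondo/mondo_3.2.2-1_amd64.deb
"""


def build_release(indexes, suite="16.04", components=("contrib",),
                  architectures=("amd64",)):
    """Render a minimal Release file whose SHA256 section lists `indexes`
    ({relative_path: bytes}). Real tools emit more fields (Date, Origin, ...)."""
    lines = [
        f"Suite: {suite}",
        f"Codename: {suite}",
        "Components: " + " ".join(components),
        "Architectures: " + " ".join(architectures),
        "SHA256:",
    ]
    for path, data in sorted(indexes.items()):
        # apt expects "<hex digest> <size in bytes> <path relative to dists/<suite>/>"
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {path}")
    return "\n".join(lines) + "\n"


def parse_release(text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries = {}
    in_sha256 = False
    for line in text.splitlines():
        if not line.startswith(" "):
            # Section headers are unindented; only the SHA256 block interests us.
            in_sha256 = line.strip() == "SHA256:"
            continue
        if in_sha256:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def expected_indexes(components, architectures, with_sources=True):
    """Index paths apt looks up for the configured components and for every
    dpkg architecture of the host (native plus foreign), plus Sources when a
    deb-src line is configured."""
    paths = set()
    for comp in components:
        for arch in architectures:
            paths.add(f"{comp}/binary-{arch}/Packages")
        if with_sources:
            paths.add(f"{comp}/source/Sources")
    return paths


def missing_entries(release_text, components, architectures, with_sources=True):
    """Entries apt would report as 'Unable to find expected entry'."""
    listed = set(parse_release(release_text))
    return sorted(expected_indexes(components, architectures, with_sources) - listed)


def verify_index(release_text, path, data):
    """The check apt applies to a downloaded index once Release itself has been
    authenticated via Release.gpg: size and SHA256 must match the Release entry."""
    entries = parse_release(release_text)
    if path not in entries:
        return False
    digest, size = entries[path]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def ticket_case():
    """The situation from comment 8, assuming the client host is amd64 with
    i386 as foreign architecture and has both deb and deb-src lines configured."""
    release = build_release({
        "contrib/binary-amd64/Packages": PACKAGES_AMD64,
        "contrib/source/Sources": b"",
    })
    return missing_entries(release, ["contrib"], ["amd64", "i386"])


if __name__ == "__main__":
    print("missing for amd64+i386 host:", ticket_case())
```

Once `missing_entries` is empty for the architectures the clients actually use, the Release file is signed on the trusted machine, as the SecureApt page linked in comment 4 describes: `gpg -abs -o Release.gpg Release` for the detached signature and `gpg --clearsign -o InRelease Release` for the inline variant apt tries first (the "Ign:5 ... InRelease" line in the log shows it was absent), and only Release.gpg / InRelease are pushed to the untrusted delivery server. On the client side the NO_PUBKEY warning disappears only after the public half of that key is imported into apt's trusted keyring.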

comment:9 Changed 2 years ago by bruno

Seems to work fine with 0.14.2 beta. Still think SSHFS could be quicker, but will do that later. Closing for now.

comment:10 Changed 2 years ago by bruno

  • Resolution set to fixed
  • Status changed from assigned to closed