Dne 21. 03. 19 v 13:57 Neal Gompa napsal(a):
Forgive me, but what does sigul do that signd cannot? I'm unaware
of
any material differences between the two.
When I started Copr I considered both Sigul and OBS signd. I spent several hours with
Mirek Trmač - original author of
Sigul and we talked about the pros and cons. It is several years, but IIRC:
Sigul allows better isolation. It even has its own transport layer. When you want to
generate new private key, the
procedure is very strict. (That was cons for Copr as we had to automate this step).
No one is using Sigul but Fedora and RHEL. I can even say it is upstream dead, there are
only fixes which keep it alive
(like Py3 migration).
The cons of Sigul is that you must transfer whole file to Sigul, Sigul will sign it and
send whole file back. Quite
painful for some packages which are several hundred MB big. On the other hand this keeps
good track of the files which
were signed. OBS Sign get just checksum and sign the file base on the checksum. It is
fast.
OBS Signd is used by several projects. OBS and Copr are likely the biggest ones. It is
documented (Sigul not). And it
gets some enhancements over time - the pace is very slow, but better than Sigul.
While OBS Signd was designed for OBS it is nicely isolated and can be used as standalone
module.
My conlusion for Copr was - OBS Signd is secure enough for Copr so we rather cooperate
with other distribution on common
project rather than keeping alive project with unknown future.
Miroslav