Hey all,
So, we've got a bit of a problem. The sigul package is not installable in Fedora 29, and pygpgme is half-broken in Fedora 28 and was retired during Fedora 29 development due to constant breakage.
This means that sigul is in danger of being retired in Fedora. Unfortunately, sigul is the only supported signer system for Koji at the moment.
What do we want to do here? It's well-known that sigul does not work with GnuPG 2, though I vaguely recall that some work was done to try to fix this.
Do we want to port sigul to python3-gpg, switching Sigul to Python 3 and the official gpgme bindings so that it works with GnuPG 2?
Or do we want to adapt the bridge to work with obs-signd (which is already used by Copr)?
On 1/21/19 10:13 AM, Neal Gompa wrote:
Hey all,
So, we've got a bit of a problem. The sigul package is not installable in Fedora 29, and pygpgme is half-broken in Fedora 28 and was retired during Fedora 29 development due to constant breakage.
This means that sigul is in danger of being retired in Fedora. Unfortunately, sigul is the only supported signer system for Koji at the moment.
What do we want to do here? It's well-known that sigul does not work with GnuPG 2, though I vaguely recall that some work was done to try to fix this.
Do we want to port sigul to python3-gpg, switching Sigul to Python 3 and the official gpgme bindings so that it works with GnuPG 2?
I would think this would be the way to go, but of course it's up to Patrick.
Or do we want to adapt the bridge to work with obs-signd (which is already used by Copr)?
This is a non-starter, obs-signd doesn't do everything that sigul does and we have a number of things that depend on sigul working the way it does.
kevin
On Tue, Jan 29, 2019 at 4:28 PM Kevin Fenzi kevin@scrye.com wrote:
On 1/21/19 10:13 AM, Neal Gompa wrote:
Hey all,
So, we've got a bit of a problem. The sigul package is not installable in Fedora 29, and pygpgme is half-broken in Fedora 28 and was retired during Fedora 29 development due to constant breakage.
This means that sigul is in danger of being retired in Fedora. Unfortunately, sigul is the only supported signer system for Koji at the moment.
What do we want to do here? It's well-known that sigul does not work with GnuPG 2, though I vaguely recall that some work was done to try to fix this.
Do we want to port sigul to python3-gpg, switching Sigul to Python 3 and the official gpgme bindings so that it works with GnuPG 2?
I would think this would be the way to go, but of course it's up to Patrick.
Is this in progress anywhere?
Or do we want to adapt the bridge to work with obs-signd (which is already used by Copr)?
This is a non-starter, obs-signd doesn't do everything that sigul does and we have a number of things that depend on sigul working the way it does.
Forgive me, but what does sigul do that signd cannot? I'm unaware of any material differences between the two.
Do we want to port sigul to python3-gpg, switching Sigul to Python 3 and the official gpgme bindings so that it works with GnuPG 2?
I would think this would be the way to go, but of course it's up to Patrick.
Is this in progress anywhere?
https://pagure.io/sigul/blob/master/f/ChangeLog#_1 https://pagure.io/fork/puiterwijk/sigul/commits/py3
Dne 21. 03. 19 v 13:57 Neal Gompa napsal(a):
Forgive me, but what does sigul do that signd cannot? I'm unaware of any material differences between the two.
When I started Copr I considered both Sigul and OBS signd. I spent several hours with Mirek Trmač - the original author of Sigul - and we talked about the pros and cons. It was several years ago, but IIRC:
Sigul allows better isolation. It even has its own transport layer. When you want to generate a new private key, the procedure is very strict. (That was a con for Copr as we had to automate this step). No one is using Sigul but Fedora and RHEL. I can even say it is upstream dead; there are only fixes which keep it alive (like the Py3 migration). The con of Sigul is that you must transfer the whole file to Sigul, Sigul will sign it and send the whole file back. Quite painful for some packages which are several hundred MB big. On the other hand this keeps good track of the files which were signed. OBS Signd gets just a checksum and signs the file based on the checksum. It is fast. OBS Signd is used by several projects. OBS and Copr are likely the biggest ones. It is documented (Sigul is not). And it gets some enhancements over time - the pace is very slow, but better than Sigul. While OBS Signd was designed for OBS it is nicely isolated and can be used as a standalone module.
My conclusion for Copr was - OBS Signd is secure enough for Copr, so we would rather cooperate with other distributions on a common project than keep alive a project with an unknown future.
Miroslav
On Mon, 25 Mar 2019 at 14:17, Miroslav Suchý msuchy@redhat.com wrote:
Dne 21. 03. 19 v 13:57 Neal Gompa napsal(a):
Forgive me, but what does sigul do that signd cannot? I'm unaware of any material differences between the two.
Sigul has very strong network isolation against the server and protections on on-disk keys (which are useless without a user passphrase), key binding against hardware (client and/or server-side), supports PKCS11 modules via NSS for the transport layer, and very strong auditing in its logs on what exactly has been signed/decrypted by whom.
When I started Copr I considered both Sigul and OBS signd. I spent several hours with Mirek Trmač - the original author of Sigul - and we talked about the pros and cons. It was several years ago, but IIRC:
Sigul allows better isolation. It even has its own transport layer. When you want to generate a new private key, the procedure is very strict. (That was a con for Copr as we had to automate this step). No one is using Sigul but Fedora and RHEL.
I would like to point out that this conclusion is wrong: there are more parties using it, but not many of them are as well-known as Fedora, and most of them do not (want to) publish about their usage of it.
I can even say it is upstream dead; there are only fixes which keep it alive (like the Py3 migration).
Additionally, I would not call it dead since I took it over, given that I've been adding new features to it over time. There's not a huge set of new features people have been asking for, so I've only been adding what I do hear about or need myself.
The con of Sigul is that you must transfer the whole file to Sigul, Sigul will sign it and send the whole file back. Quite painful for some packages which are several hundred MB big. On the other hand this keeps good track of the files which were signed. OBS Signd gets just a checksum and signs the file based on the checksum. It is fast. OBS Signd is used by several projects. OBS and Copr are likely the biggest ones. It is documented (Sigul is not).
What kind of documentation are you missing? I'd like to point out that the project README contains a reasonable set of instructions on how to get it set up and how to use the most common operations.
And it gets some enhancements over time - the pace is very slow, but better than Sigul. While OBS Signd was designed for OBS it is nicely isolated and can be used as a standalone module.
My conclusion for Copr was - OBS Signd is secure enough for Copr, so we would rather cooperate with other distributions on a common project than keep alive a project with an unknown future.
Miroslav
Dne 25. 03. 19 v 14:49 Patrick Uiterwijk napsal(a):
Additionally, I would not call it dead since I took it over, given that I've been adding new features to it over time. There's not a huge set of new features people have been asking for, so I've only been adding what I do hear about or need myself.
...
What kind of documentation are you missing? I'd like to point out that the project README contains a reasonable set of instructions on how to get it set up and how to use the most common operations.
Great! I was merely describing the situation in time when I started Copr. I was not correct about those two items, sorry.
Miroslav