Sigul - gooseproject/main GitHub Wiki

Sigul signs packages. It does so in a unique way: the signing key is never handed out, where it could be compromised; instead, signing is granted through access controls. The GoOSe signing process spans two servers.

Sigul Server

The server and bridge are configured on toulouse and can only be accessed through our bastion host. Two services need to be started here: sigul_server and sigul_bridge. Each requires the NSS password previously defined.

TODO: describe setup of sigul server and client

Sigul Client

To sign RPMs from koji, we use a script adapted from one provided by the Fedora Project. It's called sigulsign_unsigned.py. Currently, Fedora hardcodes the koji information, so we have adjusted the script and put it into the gooseproject/releng repository.

Signing Packages

As kojiadmin on roman, run:

python /home/kojiadmin/sigulsign_unsigned.py --tag=gl6.0-updates-candidate goose-6.0-gold -v

The tag is specific to the build we are trying to sign. For example, we may use the tag gl6.1-updates-candidate or the like.
