Signing fd.io package builds


David Jorm <david.jorm@...>
 

Hi All

Congratulations on the first major release! I installed the CentOS RPMs, and noticed that they are not signed:

$ rpm -qpi vpp-16.06-release.x86_64.rpm
Name        : vpp
Version     : 16.06
Release     : release
Architecture: x86_64
Install Date: (not installed)
Group       : Unspecified
Size        : 3451363
License     : MIT
Signature   : (none)
Source RPM  : vpp-16.06-release.src.rpm
Build Date  : Fri 17 Jun 2016 02:57:08 AM AEST
Build Host  : centos-7-53d
Relocations : (not relocatable)
Summary     : Vector Packet Processing
Description :
This package provides VPP executables: vpp, vpp_api_test, vpp_json_test
vpp - the vector packet engine
vpp_api_test - vector packet engine API test tool
vpp_json_test - vector packet engine JSON test tool

It would be valuable from a security perspective to implement signing as part of the build process. I can provide advice on how to do this if it's helpful.

Thanks
David


Edward Warnicke
 

David,

If you could point me to a good set of instructions on doing so, I'm more than willing to make the effort to get them signed :)

Ed

On Mon, Jun 20, 2016 at 6:53 AM, David Jorm <david.jorm@...> wrote:
_______________________________________________
tsc mailing list
tsc@...
https://lists.fd.io/mailman/listinfo/tsc


David Jorm <david.jorm@...>
 

Here is a simple process I created for the CloudRouter project:

https://cloudrouter.org/cloudrouter/releases/2015/02/10/signing-rpms-using-the-nitrokey-hardware-security-module-hsm.html

Use of an HSM is optional; you could just use a software key if that makes it easier.

Thanks
David

On Mon, Jun 20, 2016 at 4:51 PM, Edward Warnicke <hagbard@...> wrote:
On Mon, Jun 20, 2016 at 6:53 AM, David Jorm <david.jorm@...> wrote:

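Added example, not code from the fd.io project or from the CloudRouter write-up David links: a small POSIX shell script for the process both of David's messages describe, signing the RPM with a GPG key as a build step and then checking that the Signature field the thread shows as "(none)" is actually populated before the package ships. It assumes rpm, rpmsign (the rpm-sign package on CentOS 7) and gpg are installed on the signing host, and that the key name passed to write_rpmmacros is a placeholder for the real release key; the rpm -qpi excerpts fed to the self-check are constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example: signing and verifying RPMs with a GPG key.
# Not fd.io or CloudRouter code; assumes rpm, rpmsign and gpg are installed.

# Parse `rpm -qpi` output on stdin and report whether the package is signed.
# Exit 0 when the Signature field holds a signature, 1 when it is "(none)"
# or absent, which is what the vpp-16.06 RPM in the thread showed.
signature_status() {
    sig=$(sed -n 's/^Signature[[:space:]]*:[[:space:]]*//p')
    [ -n "$sig" ] && [ "$sig" != "(none)" ]
}

# True if a package file on disk is signed (needs rpm on the host).
rpm_is_signed() {
    rpm -qpi "$1" 2>/dev/null | signature_status
}

# One-time setup on the signing host: write ~/.rpmmacros so rpmsign knows
# which key to use. $1 is the uid or key ID of the release key (a placeholder
# here, not a real fd.io key). On CentOS 7 with gpg2 the %__gpg line is needed
# too. A hardware token changes nothing here: gpg uses the card once its key
# stub is in the keyring, so rpmsign is unaware of it.
write_rpmmacros() {
    cat > "$HOME/.rpmmacros" <<EOF
%_signature gpg
%_gpg_name $1
%__gpg /usr/bin/gpg2
EOF
}

# Sign a package in place. rpmsign exits non-zero if gpg cannot sign (no key,
# bad passphrase), so a build pipeline stops instead of shipping unsigned.
sign_rpm() {
    rpmsign --addsign "$1"
}

# Consumer-side verification: import the public release key, then check the
# package. `rpm --checksig` exits 0 for an unsigned package whose digests
# match, so the Signature-field check is kept as well.
verify_rpm() {
    pkg=$1
    pubkey=$2
    rpm --import "$pubkey" || return 1
    rpm --checksig "$pkg" || return 1
    rpm_is_signed "$pkg"
}

# Build-step usage: sign every RPM named on the command line and fail the
# build if any is still unsigned afterwards. Does nothing with no arguments.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        sign_rpm "$f"
        if rpm_is_signed "$f"; then
            echo "signed: $f"
        else
            echo "ERROR: still unsigned: $f" >&2
            exit 1
        fi
    done
fi
```

Run it as `sh sign-rpms.sh vpp-*.rpm` after `write_rpmmacros` has been called once with the release key's name; downstream, `verify_rpm pkg.rpm RPM-GPG-KEY-fdio` (key file name assumed) refuses a package that either fails the signature check or carries no signature at all.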