So my current workflow allows doing everything on soyuz. I tried it out for a couple of packages, it works well and FWICT it's secure. Writeup on the setup below as requested on IRC the other day. ---- Local prerequisites: - Extra socket must be enabled. In arch, that seems to be the case by default. While doing this I discovered that systemd can manage gpg-agent at the user level. To enable that: `systemctl --user enable gpg-agent-extra.socket`. If you're managing this with systemctl, you will also want to do `systemctl --user enable gpg-agent.socket` and probably dirmngr.service as well. When managed with systemd, these sockets will show up in $XDG_RUNTIME_DIR/gnupg. If you have a custom $GNUPGHOME (eg. to move it to ~/.config/gnupg), you'll need to unset that, as it is not possible in gnupg to set the homedir without setting the socketdir. Annoying. You can check the directories with `gpgconf --list-dir` (or `gpgconf --list-dir socketdir specifically). You definitely want the -extra socket. The regular one supports exporting the private key (you definitely don't want that on the remote). The -ssh one is for ssh-agent emulation, something different. In .ssh/config, you want to add the following line to Host pkgbuild.com: RemoteForward /run/user/1xxx/gnupg/S.gpg-agent /run/user/1xxx/gnupg/S.gpg-agent.extra The first path is the path *on the remote* (soyuz). The second is the path on the client machine. You are forwarding your .extra socket to be the gpg-agent socket. Replace the uid/path by the appropriate value of $XDG_RUNTIME_DIR on the respective machines. Specifically, by the value of $(gpgconf --list-dir agent-extra-socket) on the local and $(gpgconf --list-dir agent-socket) on the remote. Finally, as gpg-agent is currently enabled by default for users on soyuz, it needs to be disabled. Disabling isn't even enough, as forwarding the socket seems to be interpreted by systemd as "I want this socket", which in turn triggers gpg-agent. I'm still a little confused about this, but masking gpg-agent does the trick: `systemctl --user mask gpg-agent.service`. This devnulls the service file for your user. Bluewind has already kindly taken care of adding `StreamLocalBindUnlink yes` to the sshd_config, therefore removing the sockets manually on logout is not necessary. You should also make sure that you are not using pinentry-curses in your gpg-agent.conf. That, afaik, won't work over ssh but I didn't test it. J. Leclanche On Thu, Jan 19, 2017 at 12:51 AM, Jan Alexander Steffens via arch-general <arch-general@archlinux.org> wrote:
On Wed, Jan 18, 2017 at 8:21 PM Lukas Jirkovsky via arch-general < arch-general@archlinux.org> wrote:
I use only the ssh agent forwarding ("ForwardAgent yes" in .ssh/config). On pkgbuild.com I build packages using the *-*-build as always. When a package is built, I use a script [1] that downloads the binary packages, signs them and uploads the signatures back to pkgbuild.com. That way I can use communitypkg on pkgbuild.com to upload everything.
I've got something very similar, except:
I only check out the trunks on soyuz. I change the PKGBUILD, build and commit there.
A local script then runs archco, rsyncs the packages from soyuz to local, rsyncs the packages from soyuz to orion, then locally runs commitpkg to sign and release the packages.