[arch-general] Package signing on soyuz

Thu Jan 19 00:31:02 UTC 2017

So my current workflow allows doing everything on soyuz. I tried it
out for a couple of packages, it works well and FWICT it's secure.
Writeup on the setup below as requested on IRC the other day.

----

Local prerequisites:

- Extra socket must be enabled. In arch, that seems to be the case by
default. While doing this I discovered that systemd can manage
gpg-agent at the user level. To enable that: `systemctl --user enable
gpg-agent-extra.socket`. If you're managing this with systemctl, you
will also want to do `systemctl --user enable gpg-agent.socket` and
probably dirmngr.service as well.

When managed with systemd, these sockets will show up in
$XDG_RUNTIME_DIR/gnupg. If you have a custom $GNUPGHOME (eg. to move
it to ~/.config/gnupg), you'll need to unset that, as it is not
possible in gnupg to set the homedir without setting the socketdir.
Annoying. You can check the directories with `gpgconf --list-dir` (or
`gpgconf --list-dir socketdir specifically).

You definitely want the -extra socket. The regular one supports
exporting the private key (you definitely don't want that on the
remote). The -ssh one is for ssh-agent emulation, something different.

In .ssh/config, you want to add the following line to Host pkgbuild.com:

RemoteForward /run/user/1xxx/gnupg/S.gpg-agent
/run/user/1xxx/gnupg/S.gpg-agent.extra

The first path is the path *on the remote* (soyuz). The second is the
path on the client machine. You are forwarding your .extra socket to
be the gpg-agent socket. Replace the uid/path by the appropriate value
of $XDG_RUNTIME_DIR on the respective machines. Specifically, by the
value of $(gpgconf --list-dir agent-extra-socket) on the local and
$(gpgconf --list-dir agent-socket) on the remote.

Finally, as gpg-agent is currently enabled by default for users on
soyuz, it needs to be disabled. Disabling isn't even enough, as
forwarding the socket seems to be interpreted by systemd as "I want
this socket", which in turn triggers gpg-agent.
I'm still a little confused about this, but masking gpg-agent does the
trick: `systemctl --user mask gpg-agent.service`. This devnulls the
service file for your user.

Bluewind has already kindly taken care of adding
`StreamLocalBindUnlink yes` to the sshd_config, therefore removing the
sockets manually on logout is not necessary.

You should also make sure that you are not using pinentry-curses in
your gpg-agent.conf. That, afaik, won't work over ssh but I didn't
test it.

J. Leclanche

On Thu, Jan 19, 2017 at 12:51 AM, Jan Alexander Steffens via
arch-general <arch-general at archlinux.org> wrote:
> On Wed, Jan 18, 2017 at 8:21 PM Lukas Jirkovsky via arch-general <
> arch-general at archlinux.org> wrote:
>
>> I use only the ssh agent forwarding ("ForwardAgent yes" in
>> .ssh/config). On pkgbuild.com I build packages using the *-*-build as
>> always. When a package is built, I use a script [1] that downloads the
>> binary packages, signs them and uploads the signatures back to
>> pkgbuild.com. That way I can use communitypkg on pkgbuild.com to
>> upload everything.
>>
>
> I've got something very similar, except:
>
> I only check out the trunks on soyuz. I change the PKGBUILD, build and
> commit there.
>
> A local script then runs archco, rsyncs the packages from soyuz to local,
> rsyncs the packages from soyuz to orion, then locally runs commitpkg to
> sign and release the packages.