Saturday, January 28, 2012

Sigul Key Server Setup - Part 1

OK, I am going through the process of setting up a sigul key signing server, using the following two resources for the initial setup. Given how important this piece of the puzzle is, care and caution need to be taken here.

Sigul setup instructions from Open Source @ Seneca Centre for Development of Open Technology

Fedora Project pages on how to use Sigul

Sigul uses a CA to generate SSL certs for the server, bridge, and clients to authenticate and encrypt communications. The server itself holds the GPG keys used for signing packages. In this case, I am going to set up a separate CA for sigul, distinct from the CA we use for koji. The reasoning is that koji's CA is used often, to create end user certs for access into koji. That means it's exposed often to an admin, either directly via the CLI or indirectly via a webapp or other utility, whenever user certs are created.

The sigul CA should be kept fairly isolated in my opinion, since it's only used to add new server, bridge, and client instances, and those additions should be rare. Exposing the sigul CA often, as happens when a new end user cert is being created, opens up opportunities to issue new certs that could give rogue sigul clients the ability to get unauthorized RPMs signed with our keys.

The bridge setup is pretty much spot on from the Seneca Sigul Setup link above. One thing you may have to do is change the sigul user's default shell in order to create the DB as the sigul user, using the defaults from the Fedora install of the packages:

usermod -s /bin/bash sigul
Next, the server setup. The first problem I need to resolve is that the server we're using for sigul is an EL5 system. The python-sqlalchemy module that ships with EL5 is 0.3.11. There is an updated version in EPEL that also has a slightly different name, python-sqlalchemy0.5-0.5.8. I'm not sure if this is what's causing the following error, but I suspect so:

# sigul_server_create_db
Traceback (most recent call last):
  File "/usr/share/sigul/server_create_db.py", line 21, in ?
    import server_common
  File "/usr/share/sigul/server_common.py", line 107, in ?
    sa.Column('name', sa.Text, nullable=False,
AttributeError: 'module' object has no attribute 'Text'
I've installed the EPEL python-sqlalchemy, and just doing that did not solve the issue. I also cannot uninstall the python-sqlalchemy provided with the OS. I am pretty sure that the issue here is that the version of sqlalchemy on the OS is missing the functionality that the sigul tools need.
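A small pre-flight probe for exactly this mismatch, added here as an example (not part of sigul or of the original post): it checks the installed SQLAlchemy version against the 0.4 minimum and resolves the generic text type, falling back to the SQL-standard TEXT name that a comment below reports as working on the old module. The stand-in namespaces OLD_SA and NEW_SA are constructed for testing and only mimic the two module generations.

```python
"""Probe SQLAlchemy for the 'Text' attribute that sigul's server_common.py uses."""
import types


def resolve_text_type(sa):
    """Return (attribute_name, type_object) for a generic text column type.

    SQLAlchemy >= 0.4 exposes sa.Text; the 0.3.x series shipped with EL5 only
    has the SQL-standard spelling sa.TEXT.  Fail loudly if neither exists so a
    schema is never created with a guessed type.
    """
    for name in ("Text", "TEXT"):
        obj = getattr(sa, name, None)
        if obj is not None:
            return name, obj
    raise AttributeError("no Text/TEXT column type in %r" % (sa,))


def sqlalchemy_is_new_enough(version, minimum=(0, 4)):
    """Compare a dotted version string such as '0.3.11' against a minimum tuple."""
    parts = tuple(int(p) for p in version.split(".")[: len(minimum)])
    return parts >= minimum


def probe_installed():
    """Probe the real sqlalchemy module; return None if it is not importable."""
    try:
        import sqlalchemy as sa
    except ImportError:
        return None
    name, _ = resolve_text_type(sa)
    return sa.__version__, name, sqlalchemy_is_new_enough(sa.__version__)


# Constructed stand-ins (assumption: they model only the attributes probed above).
OLD_SA = types.SimpleNamespace(__version__="0.3.11", TEXT=object())
NEW_SA = types.SimpleNamespace(__version__="0.5.8", Text=object(), TEXT=object())

if __name__ == "__main__":
    for mod in (OLD_SA, NEW_SA):
        print(mod.__version__, resolve_text_type(mod)[0],
              sqlalchemy_is_new_enough(mod.__version__))
    print("installed:", probe_installed())
```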

To be continued...

3 comments:

Unknown said...

Seems the error you are getting is because sqlalchemy (aliased to 'sa' on line 107 and beyond) doesn't have a Text member in its class. However, the TEXT member seems to work.

I think it might be a bug in sigul.

Unknown said...
This comment has been removed by the author.
Miloslav said...

For the RHEL5 versions (<= 0.97) you need python-sqlalchemy 0.4; Fedora has a separate "infrastructure repo" that contains packages necessary on their servers but not available in RHEL, see http://infrastructure.fedoraproject.org/5/ .

RHEL6 (>= 0.98) requires gnupg 1.x; this is available at http://people.redhat.com/mitr/rpmsigner/rhel6/ .

BTW, feel free to contact me at mitr@redhat.com . I realize the setup can be difficult.