
buildd autosigning


So, this is about implemented. Needs a little work from DSA (to sync
around the machines), which needs some more time, they are just about
starting to look at that.

So I guess it will be in real usage somewhat a little later today or
early tomorrow, depending on when the keyrings appear in the right

I will also cron it, probably run out of cron.hourly on our side. But
keep in mind that this builds up a set of files which is then synced off
by DSA, which then transfer those to the usual /srv/keyrings location,
so a key won't be immediately available. Best is to make sure you start
a key rollover something like a week or so before the old key expires.

In the meantime, let me reiterate over how the stuff is supposed to go
and how wbadm can deal with it:

First, the rules attached to this:
- the buildd host must be maintained by DSA
- the key must have a size of 4096 or higher and must never leave the
  buildd (well, the private part :) )
- the key expires within 120 days
- there are not more than 2 keys per buildd (so you can do a key

The way you get the keys to us is by placing them into 


using a filename of




depending on the work you want it to do. wbadm can write there.
Ending key adds keys, del removes.

The contents of those files have to be clearsigned by a key in the
"admin" keyring, which currently contains all wbadm keys as well as the
ftpmasters. For the .key file the contents are a plain gpg --export -a
of the key, for the .del file it is two lines:

comment: whatevercommentyoucanimagineandmakessense

And that's about it.

bye, Joerg
<sgran about debianqueued>
Its not's exactly well factored code.

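A pre-submission check of the key rules listed in the message above (size, expiry, at most two keys per buildd), run over `gpg --with-colons` key listings. This is an added example, not part of the original mail or of the archive tooling; the function names, the constructed sample listings, and the reading of "expires within 120 days" as "no later than 120 days after the check time" are assumptions.

```python
from datetime import datetime, timedelta, timezone

MIN_BITS = 4096                      # "size of 4096 or higher"
MAX_LIFETIME = timedelta(days=120)   # "expires within 120 days" (assumed: from check time)
MAX_KEYS = 2                         # "not more than 2 keys per buildd"

def parse_pub_records(colons):
    """Yield (keyid, bits, expiry or None) for each primary-key record.
    Field layout per gpg --with-colons: 3=length, 5=keyid, 7=expiry (epoch seconds)."""
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] != "pub" or len(f) < 7:
            continue                 # skip uid/fpr/sub records and junk
        expires = datetime.fromtimestamp(int(f[6]), timezone.utc) if f[6] else None
        yield f[4], int(f[2]), expires

def check_buildd_keys(colons, now):
    """Return the list of rule violations; an empty list means the key set passes."""
    problems = []
    keys = list(parse_pub_records(colons))
    if len(keys) > MAX_KEYS:
        problems.append(f"{len(keys)} keys present, limit is {MAX_KEYS}")
    for keyid, bits, expires in keys:
        if bits < MIN_BITS:
            problems.append(f"{keyid}: {bits} bits, need {MIN_BITS} or more")
        if expires is None:
            problems.append(f"{keyid}: no expiry date set")
        elif expires <= now:
            problems.append(f"{keyid}: already expired")
        elif expires - now > MAX_LIFETIME:
            problems.append(f"{keyid}: expires more than 120 days out")
    return problems

# Constructed sample listings (key ids and timestamps are made up).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
GOOD = ("pub:-:4096:1:1111111111111111:1701388800:1711843200::-:::scSC:\n"
        "uid:-::::1701388800::X::buildd example key (constructed):\n")
BAD = GOOD + (
    "pub:-:2048:1:2222222222222222:1701388800:::-:::scSC:\n"            # short, no expiry
    "pub:-:4096:1:3333333333333333:1701388800:1735603200::-:::scSC:\n")  # expires in 365 days

if __name__ == "__main__":
    for name, listing in (("good", GOOD), ("bad", BAD)):
        print(name, check_buildd_keys(listing, NOW) or "ok")
```
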