

Merge pull request #13825 from adrianschroeter/rsa48
[dist] also create a 4k RSA key on the appliance
adrianschroeter authored Feb 10, 2023
2 parents de950c0 + 687037a commit 0c1cb76
Showing 2 changed files with 16 additions and 8 deletions.
8 changes: 4 additions & 4 deletions dist/functions.setup-appliance.sh
Expand Up @@ -356,7 +356,7 @@ function check_server_key {
if [ ! -e $backenddir/certs/server.key ]; then
logline "Creating $backenddir/certs/server.key"
install -d -m 0700 $backenddir/certs
openssl genrsa -out $backenddir/certs/server.key 2048 2>/dev/null
openssl genrsa -out $backenddir/certs/server.key 4096 2>/dev/null
else
logline "Found $backenddir/certs/server.key"
fi
Expand Down Expand Up @@ -559,9 +559,9 @@ function prepare_obssigner {
cat >/tmp/obs-gpg.$$ <<EOF
%echo Generating a default OBS instance key
Key-Type: RSA
Key-Length: 2048
Key-Length: 4096
Subkey-Type: ELG-E
Subkey-Length: 2048
Subkey-Length: 4096
Name-Real: private OBS
Name-Comment: key without passphrase
Name-Email: defaultkey@localobs
Expand All @@ -572,6 +572,7 @@ function prepare_obssigner {
EOF
gpg2 --homedir $backenddir/gnupg --batch --gen-key /tmp/obs-gpg.$$
gpg2 --homedir $backenddir/gnupg --export -a > "$backenddir"/obs-default-gpg.asc
rm /tmp/obs-gpg.$$
# empty file just for accepting the key
touch "$backenddir/gnupg/phrases/defaultkey@localobs"
fi
Expand All @@ -585,7 +586,6 @@ EOF
echo "allow: 127.0.0.1" >> /etc/sign.conf
echo "phrases: $backenddir/gnupg/phrases" >> /etc/sign.conf
echo done
rm /tmp/obs-gpg.$$
sed -i 's,^# \(our $sign =.*\),\1,' /usr/lib/obs/server/BSConfig.pm
# ensure that $OBS_SIGND gets restarted if already started
systemctl is-active $OBS_SIGND 2>&1 > /dev/null
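Review bot: The `gpg2 --homedir $backenddir/gnupg --batch --gen-key /tmp/obs-gpg.$$` line in the third hunk has no exit-status check, and with `rm /tmp/obs-gpg.$$` now placed directly after it a failed generation (for instance slow or insufficient entropy on a freshly booted appliance, which a 4096-bit ELG-E subkey may make more likely) proceeds silently to export an empty obs-default-gpg.asc, touch the phrases file and enable `$sign` in BSConfig.pm further down; unless the script already runs under `set -e`, which is not visible here, I would write `gpg2 --homedir $backenddir/gnupg --batch --gen-key /tmp/obs-gpg.$$ || { rm -f /tmp/obs-gpg.$$; logline "gpg key generation failed"; return 1; }`. The same applies to `openssl genrsa -out $backenddir/certs/server.key 4096 2>/dev/null` in the first hunk, where stderr is discarded and the status ignored, so a missing server.key only surfaces when the service fails to start. The batch parameters are written to the predictable path /tmp/obs-gpg.$$ in a world-writable directory; they contain no secret, but a `mktemp`-created file would avoid a symlink race while this runs as root. prepare_obssigner's body starts and ends outside these hunks.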
16 changes: 12 additions & 4 deletions src/backend/BSSrcServer/Signkey.pm
Expand Up @@ -46,7 +46,9 @@ sub createkey {
my $obsname = $BSConfig::obsname || 'build.opensuse.org';
my $name = "$projid OBS Project";
my $email = "$projid\@$obsname";
my $pubkey = BSUtil::xsystem(undef, $BSConfig::sign, @signargs, '-g', @keyargs, $name, $email);
my $pubkey;
eval { $pubkey = BSUtil::xsystem(undef, $BSConfig::sign, @signargs, '-g', @keyargs, $name, $email) };
die("sign: $@") if $@;
my $signkey = readstr("$uploaddir/signkey.$$", 1);
unlink("$uploaddir/signkey.$$");
die("sign did not create signkey\n") unless $signkey;
Expand All @@ -64,7 +66,9 @@ sub extendkey {
my @signargs;
push @signargs, '--project', $projid if $BSConfig::sign_project;
push @signargs, '-P', $signkeyfile;
my $pubkey = BSUtil::xsystem(undef, $BSConfig::sign, @signargs, '-x', @keyargs, $pubkeyfile);
my $pubkey;
eval { $pubkey = BSUtil::xsystem(undef, $BSConfig::sign, @signargs, '-x', @keyargs, $pubkeyfile) };
die("sign: $@") if $@;
die("sign did not return pubkey\n") unless $pubkey;
return $pubkey;
}
Expand Down Expand Up @@ -93,7 +97,9 @@ sub getdefaultcert {
my @signargs;
push @signargs, '--project', $projid if $BSConfig::sign_project;
push @signargs, '--signtype', $signtype if $BSConfig::sign_type && $signtype;
my $cert = BSUtil::xsystem(undef, $BSConfig::sign, @signargs, '-C');
my $cert;
eval { $cert = BSUtil::xsystem(undef, $BSConfig::sign, @signargs, '-C') };
die("sign: $@") if $@;
return $cert;
}

Expand All @@ -103,7 +109,9 @@ sub getdefaultpubkey {
return undef unless $BSConfig::sign;
my @signargs;
push @signargs, '--project', $projid if $BSConfig::sign_project;
my $pubkey = BSUtil::xsystem(undef, $BSConfig::sign, @signargs, '-p');
my $pubkey;
eval { $pubkey = BSUtil::xsystem(undef, $BSConfig::sign, @signargs, '-p') };
die("sign: $@") if $@;
return $pubkey;
}
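Review bot: In createkey, the new `die("sign: $@") if $@` rethrow skips the `unlink("$uploaddir/signkey.$$")` two lines below, so if sign dies after it has already written that file it is left behind in $uploaddir; judging by its name and the readstr/unlink pair around it, that file holds the private half of the project key, so it should be removed before rethrowing: `if ($@) { unlink("$uploaddir/signkey.$$"); die("sign: $@"); }`. All four hunks use the `eval { … }; die … if $@` shape; the `eval { …; 1 } or die("sign: " . ($@ || 'unknown error'))` form is the safer Perl idiom, since `$@` can be cleared by a destructor that runs during unwinding and the error would then be silently dropped. The wrapper otherwise only prefixes the message, so a one-line comment such as `# prefix sign's error so callers can tell it from readstr/unlink failures` would explain why the eval was introduced. createkey's body starts and ends outside the hunk.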


