[backend] bs_admin: add option to replace a project's signing key #4910

Merged 1 commit on Jan 17, 2019

bluca
Contributor

@bluca bluca commented Apr 25, 2018

It is sometimes useful to be able to sign with existing keys, perhaps
due to corporate policies (EG: for EFI Secure Boot).
It is not enough to substitute a project's _signkey and _pubkey on the
filesystem, the database has to be updated or the previous _sslcert
will be used, since that is never stored on the disk.
Add a new --update-project-signing-key option to bs_admin to facilitate
the operation for an administrator.

@bluca bluca force-pushed the bs_admin_replace_signing_key branch 2 times, most recently from 241869f to 65d0053 Compare April 26, 2018 22:26
@bgeuken bgeuken added the Backend Things regarding the OBS backend label Apr 27, 2018
@adrianschroeter
Member

the sslcert should become optional.

And you are aware that it needs to match the gpg key? Maybe this should be added to the help.

@adrianschroeter
Member

please add that the key must have no passphrase.

(mls would even prefer when the encryption would be done by bs_admin instead of having it in the help, but I would also merge it this way :)

@bluca bluca force-pushed the bs_admin_replace_signing_key branch 2 times, most recently from 61a136d to 22af60e Compare May 3, 2018 12:44
@bluca
Contributor Author

bluca commented May 3, 2018

@adrianschroeter thanks for the review!

> the sslcert should become optional.

Ok, done. Not passing it means it will be removed if present - otherwise it won't match anymore.

> And you are aware that it needs to match the gpg key? Maybe this should be added to the help.

Yes - done, better to specify it, I agree.

> please add that the key must have no passphrase.

Good point, done.

> (mls would even prefer when the encryption would be done by bs_admin instead of having it in the help, but I would also merge it this way :)

It could, but then one would have to copy the private key in plain text on the backend server, where multiple admins might have access, right? This way instead it can be encrypted off box by whoever is responsible (yes it can be decrypted after the fact by the admins of the signer machine, but that's supposed to be separate and restricted).

I can try and make that optional if you feel like it would be useful.

@coolo
Member

coolo commented Jul 12, 2018

@adrianschroeter ?

@bluca bluca force-pushed the bs_admin_replace_signing_key branch from 22af60e to 10b8486 Compare October 17, 2018 18:48
@Ana06
Member

Ana06 commented Jan 7, 2019

@adrianschroeter what is the state of this? 😕

@bluca
Contributor Author

bluca commented Jan 7, 2019

> @adrianschroeter what is the state of this?

A bit stuck :-) Please let me know if there's anything else I can do to help get this merged. Thanks!

@adrianschroeter adrianschroeter merged commit de6bce5 into openSUSE:master Jan 17, 2019
@bluca bluca deleted the bs_admin_replace_signing_key branch January 17, 2019 13:25