Further OBS Signing Configurations

You need to apply the patch from obs-sign to gnupg.
- The patch is available at https://github.com/openSUSE/obs-sign.git ( gnupg-1.4.7-files_are_digests.patch )
- Or download at https://raw.githubusercontent.com/openSUSE/obs-sign/master/gnupg-1.4.7-files_are_digests.patch
The patch is intended for 1.4.7, but the author used 1.4.16 (Ubuntu 14.04) with some additional modifications.
Apply the patch to your gnupg source
- In recent gnupg, g10/sign.c requires additional changes:
  - add #include "../include/host2net.h"
  - modify buffer_to_u32 to buf32_to_u32
Recompile gnupg
Install the modified & recompiled gnupg to your system.

Download https://github.com/openSUSE/obs-sign.git
Do what dist/obs-signd.spec says (if your system does not use RPM). It's pretty short and straightforward.
Modify dist/obssignd to configure /etc/init.d/obssignd for your system.
- For example, in Ubuntu 14.04, modify the main daemon-start part to:
  - start-stop-daemon --start --background --no-close --exec ${SN_BIN} -p ${PID} -- ${SN_OPTS} > "$logdir"/signd.log
Run the "obssignd" daemon along with obssigner

Edit /usr/lib/obs/server/BSConfig.pm (The official openSUSE guide configures a public key per project)

······

our $sign = "/usr/bin/sign";
our $sign_project = 0;
our $keyfile = "/etc/ourkeyfile.asc";
our $forceprojectkeys = 0;

······

······

$ for X in `osc ls`; do osc signkey --delete $X; done

······

- Projects published after this will use the public key configured as in the openSUSE official guide (/etc/ourkeyfile.asc)

Note that MIC automatically checks the corresponding public key.
- It rejects creating images if the public key is not recognized.
- You need to import the public key in your system ($ gpg --import keyfile)

Verifying repmod.xml (both repmod.xml and repmod.xml.asc should exist in the current path)
- $ gpg --verify repmod.xml.asc

Contents