Bug 514104

Summary: Review Request: sigul - A signing server and related software client
Product: [Fedora] Fedora
Reporter: Jesse Keating <jkeating>
Component: Package Review
Assignee: Dennis Gilmore <dennis>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: dcantrell, fedora-package-review, herrold, mitr, notting
Target Milestone: ---
Flags: dennis: fedora-review+, j: fedora-cvs+
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2009-07-29 03:23:28 UTC

Description Jesse Keating 2009-07-28 01:23:36 UTC
Spec URL: http://jkeating.fedorapeople.org/review/sigul.spec
SRPM URL: http://jkeating.fedorapeople.org/review/sigul-0.96-2.src.rpm
Description: 

A signing server, which lets authorized users sign data without having any
access to the necessary private key, a client for the server, and a "bridge"
that connects the two.


Rpmlint only complains about nonstandard uid/gid which is ignorable, and about not being able to read the config file, which is on purpose as it may have account password information.

Comment 1 Dennis Gilmore 2009-07-28 02:01:30 UTC
I'll review this.

Comment 2 R P Herrold 2009-07-28 02:29:20 UTC
One of the stated design goals of Mitr was:

https://fedoraproject.org/wiki/User:Mitr
linked off: https://fedorahosted.org/sigul/

No direct access to koji or package repositories 

and yet there is an express koji Requires.

This seems .... not conformant to that goal?

-- Russ herrold

Comment 3 Jesse Keating 2009-07-28 02:40:39 UTC
It uses the Koji API and public URLs to download content and upload signed headers.  What it doesn't require, unlike our own signing software, is an NFS mount to the koji package store.  The term 'direct' here meant a mount on the system.

Koji isn't a hard requirement; sigul can be used to sign things like rpms passed in by the client and return them to the client, bypassing koji altogether.  Our usage in Fedora though will be with a koji system.

Comment 4 Dennis Gilmore 2009-07-28 21:52:24 UTC
rpmlint gives the following warnings/errors:

sigul.noarch: W: non-standard-gid /etc/sigul/server.conf sigul
sigul.noarch: E: non-readable /etc/sigul/server.conf 0640
sigul.noarch: W: non-standard-uid /var/lib/sigul sigul
sigul.noarch: W: non-standard-gid /var/lib/sigul sigul
sigul.noarch: E: non-standard-dir-perm /var/lib/sigul 0700
sigul.noarch: W: non-standard-uid /var/lib/sigul/gnupg sigul
sigul.noarch: W: non-standard-gid /var/lib/sigul/gnupg sigul
sigul.noarch: E: non-standard-dir-perm /var/lib/sigul/gnupg 0700
sigul.noarch: W: non-standard-gid /etc/sigul/bridge.conf sigul
sigul.noarch: E: non-readable /etc/sigul/bridge.conf 0640
2 packages and 0 specfiles checked; 4 errors, 6 warnings.

I think given the nature of the program that they are all ok

builds fine in mock on F-11

as noted in the spec the tarball is not yet uploaded to fedorahosted.

spec is clear, legible and in English.

Approved
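
The triage behind accepting those rpmlint findings, as an added example (not part of the review thread or of sigul itself): it parses the rpmlint lines quoted in Comment 4 and accepts a permission finding only when the mode is stricter than the default, and an ownership finding only when it names the service account. The acceptance rule and the function name `triage` are assumptions of this example.

```python
import re

# rpmlint output copied from Comment 4 of this review.
RPMLINT_OUTPUT = """\
sigul.noarch: W: non-standard-gid /etc/sigul/server.conf sigul
sigul.noarch: E: non-readable /etc/sigul/server.conf 0640
sigul.noarch: W: non-standard-uid /var/lib/sigul sigul
sigul.noarch: W: non-standard-gid /var/lib/sigul sigul
sigul.noarch: E: non-standard-dir-perm /var/lib/sigul 0700
sigul.noarch: W: non-standard-uid /var/lib/sigul/gnupg sigul
sigul.noarch: W: non-standard-gid /var/lib/sigul/gnupg sigul
sigul.noarch: E: non-standard-dir-perm /var/lib/sigul/gnupg 0700
sigul.noarch: W: non-standard-gid /etc/sigul/bridge.conf sigul
sigul.noarch: E: non-readable /etc/sigul/bridge.conf 0640
2 packages and 0 specfiles checked; 4 errors, 6 warnings.
"""

# "<package>: <E|W>: <check> <path> <detail>"; the summary line does not match.
LINE_RE = re.compile(r"^(\S+): ([EW]): (\S+) (\S+) (\S+)$")
MODE_CHECKS = {"non-readable", "non-standard-dir-perm"}
OWNER_CHECKS = {"non-standard-uid", "non-standard-gid"}


def triage(output, expected_owner="sigul"):
    """Split findings into (accepted, needs_review) lists of (check, path, detail)."""
    accepted, needs_review = [], []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _pkg, _severity, check, path, detail = m.groups()
        if check in MODE_CHECKS:
            mode = int(detail, 8)
            # Accept only restrictive modes: nothing for "other", no group write.
            ok = (mode & 0o007) == 0 and (mode & 0o020) == 0
        elif check in OWNER_CHECKS:
            # Accept only the dedicated service account as owner or group.
            ok = detail == expected_owner
        else:
            ok = False  # any other rpmlint check needs a human look
        (accepted if ok else needs_review).append((check, path, detail))
    return accepted, needs_review


if __name__ == "__main__":
    accepted, needs_review = triage(RPMLINT_OUTPUT)
    print(len(accepted), "accepted;", len(needs_review), "need review")
```

A finding in the other direction, such as a constructed `non-standard-dir-perm /var/lib/sigul 0777` line, lands in `needs_review` instead of being waved through with the rest.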

Comment 5 Jesse Keating 2009-07-29 03:10:22 UTC
New Package CVS Request
=======================
Package Name: sigul
Short Description: A signing server and related software client
Owners: jkeating mitr
Branches: EL-5 F-11
InitialCC:

Comment 6 Jason Tibbitts 2009-07-29 03:11:50 UTC
CVS done.

Comment 7 Jesse Keating 2009-07-29 03:23:28 UTC
And built for rawhide.  Cheers!