On Mon, 25 Mar 2019 at 14:17, Miroslav Suchý <[email protected]> wrote:
>
> On 21. 03. 19 at 13:57 Neal Gompa wrote:
> > Forgive me, but what does sigul do that signd cannot? I'm unaware of
> > any material differences between the two.

Sigul has very strong network isolation against the server and protections on
on-disk keys (which are useless without a user passphrase), key binding against
hardware (client and/or server-side), supports PKCS11 modules via NSS for the
transport layer, and very strong auditing in its logs on what exactly has been
signed/decrypted by whom.

> When I started Copr I considered both Sigul and OBS signd. I spent several
> hours with Mirek Trmač - original author of Sigul - and we talked about the
> pros and cons. It was several years ago, but IIRC:
>
> Sigul allows better isolation. It even has its own transport layer. When you
> want to generate a new private key, the procedure is very strict. (That was a
> con for Copr as we had to automate this step.)
> No one is using Sigul but Fedora and RHEL.

I would like to point out that this conclusion is wrong: there are more parties
using it, but not many of them are as well-known as Fedora, and most of them do
not (want to) publish about their usage of it.

> I can even say it is upstream dead, there are only fixes which keep it alive
> (like Py3 migration).

Additionally, I would not call it dead since I took it over, given that I've
been adding new features to it over time. There's not a huge set of new
features people have been asking for, so I've only been adding what I do hear
about or need myself.

> The con of Sigul is that you must transfer the whole file to Sigul; Sigul will
> sign it and send the whole file back. Quite painful for some packages which
> are several hundred MB big. On the other hand, this keeps good track of the
> files which were signed. OBS Signd gets just a checksum and signs the file
> based on the checksum. It is fast.
> OBS Signd is used by several projects. OBS and Copr are likely the biggest
> ones. It is documented (Sigul not).

What kind of documentation are you missing?

I'd like to point out that the project README contains a reasonable set of
instructions on how to get it set up and how to use the most common operations.

> And it gets some enhancements over time - the pace is very slow, but better
> than Sigul.
> While OBS Signd was designed for OBS, it is nicely isolated and can be used as
> a standalone module.
>
> My conclusion for Copr was: OBS Signd is secure enough for Copr, so we would
> rather cooperate with other distributions on a common project than keep alive
> a project with an unknown future.
>
> Miroslav
> _______________________________________________
> infrastructure mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/[email protected]
