Difference between revisions of "IGTF:Distribution Build"

From PDP/Grid Wiki
Jump to navigationJump to search
Line 50: Line 50:
  
 
= Signing keys =
 
= Signing keys =
 +
 +
The IGTF uses the EUGridPMA Signing Key #3 for signing the distribution, RPMs and Debian repo files:
 +
pub  1024D/3CDBBC71 2005-07-12
 +
      Key fingerprint = D12E 9228 22BE 64D5 0146  188B C32D 99C8 3CDB BC71
 +
uid                  EUGridPMA Distribution Signing Key 3 <info@eugridpma.org>
 +
The RPM macros file should read:
 +
%_topdir                /home/davidg/rpmbuild
 +
%_tmppath              /home/davidg/rpmbuild/tmp
 +
%_signature gpg
 +
%_gpg_path /home/davidg/.gnupg/
 +
%_gpg_name 3CDBBC71
 +
where ~/.gnupg is a symlink to the USB mount point of the secure key, and the following directories must exist for rpmbuild to succeed
 +
mkdir -p /home/davidg/rpmbuild/
 +
mkdir -p /home/davidg/rpmbuild/SOURCES
 +
mkdir -p /home/davidg/rpmbuild/SPECS
 +
mkdir -p /home/davidg/rpmbuild/SRPMS
 +
mkdir -p /home/davidg/rpmbuild/RPMS
 +
mkdir -p /home/davidg/rpmbuild/RPMS/noarch
 +
mkdir -p /home/davidg/rpmbuild/BUILD
 +
mkdir -p /home/davidg/rpmbuild/tmp
  
 
= Publication Repositories =
 
= Publication Repositories =
  
 
= EGI Interactions =
 
= EGI Interactions =

Revision as of 10:21, 22 July 2011

The International Grid Trust Federastion (IGTF) maintains a distribution of trust anchors for use by relying parties, based on a Common Source maintained by the chairs or trusted introducers of the member PMAs: David Groep for the EUGridPMA, Mike Helm for the TAGPMA, and Yoshio Tanaka for the APGridPMA APGridPMA. The Common Source is hosted on the EUGridPMA CVS Repository, alongside the build tools.

Working with the CVS CA Repository

The CVS Repository is hosted at cvs.eugridpma.org at the Nikhef Data Processing facility in the secured services network (194.171.96.67). The CVS settings are

CVSROOT=:ext:username@cvs.eugridpma.org:/cvs/eugridpma
CVS_RSH=ssh

where username is the one assigned for ssh login (via cvs only!) to the TI for the PMA. The CVS repository contains two branches

  • CA repository carep/ hosting the trust anchors and the IGTF build tools
  • utilities provided by the IGTF, including the old (v2) fetch-crl, the LCG and EGI build tools, the PMA expiration-warning tool, and the GFD.125 compliance test suite

When working with the CA repository, make sure it remains consistent and secure, and periodically check for intrusions by comparing with a local trusted host. The typical work flow is:

  • go to your own secure build host
  • do a "cvs update -A -R -d ." in the carep/ directory
  • review manually any changes imported!
  • apply your own updates and carefully review them for compliance with the PMA status, GFD.125 and a valid signing_policy and namespaces file (for all accredited CAs)
  • update the CHANGES file in the top-level directory
  • do a "cvs commit" of the tree, checking if all changes made were found, and the CHANGES file updated

Build tools

Go to the carep/buildtools directory. Until at least mid-2012, we will build two formats of the IGTF distribution: a dual-hash OpenSSLv1 compliance version (with debian support), and a old-style single-hash version (without Debian support). Each of these formats uses its own build tool:

cabuild3.pl
dual-hash distribution with all formats. This is the version being actively developed and maintained, and any new formats or unit tests should be added here
cabuild.pl
single-hash old distribution for legacy/OSG/VOMS-Admin compatibility.

cabuild3

  • go to the buildtools/ directory
  • make sure the VERSION file has the correct version number (e.g. "1.99")
  • make sure the RPM signing key (keyID 3CDBBC71) is available and defined in the rpmmacros file. Insert the secure USB key from the safe in the build host
  • make sure an RPM build directory structure is available
  • run the build tool, with signing ("-s"), overwriting any previous content ("-f"), with Debian support ("--mkdeb"), and writing the distribution output to a directory ("-o dirname")
./cabuild3.pl --version=AUTO -s -f  -o ~/1.99 --mkdeb
  • give the passphrase
  • copy the new distribution to the preview or target web site
rsync -e ssh -rav --delete ~/1.99 webegp@weikuip:/project/srv/www/site/eugridpma-dist/html/distribution/tests/PMA-PRIVATE-PREVIEW/
  • remove the USB signing key from the build host and put it back in the safe (or bujild the legacy distro or EGI release now)

cabuild

  • build the new-style distribution first, to run the unit tests
  • run the old-build command, writing to a new directory ("-old")
./cabuild.pl --version=AUTO -s -f  -o ~/1.99-old
  • copy the new "old" distribution to the preview or target web site
rsync -e ssh -rav --delete ~/1.40-old webegp@weikuip:/project/srv/www/site/eugridpma-dist/html/distribution/tests/PMA-PRIVATE-PREVIEW/
  • remove the USB signing key from the build host and put it back in the safe (or bujild the legacy distro or EGI release now)

Signing keys

The IGTF uses the EUGridPMA Signing Key #3 for signing the distribution, RPMs and Debian repo files:

pub   1024D/3CDBBC71 2005-07-12
      Key fingerprint = D12E 9228 22BE 64D5 0146  188B C32D 99C8 3CDB BC71
uid                  EUGridPMA Distribution Signing Key 3 <info@eugridpma.org>

The RPM macros file should read:

%_topdir                /home/davidg/rpmbuild
%_tmppath               /home/davidg/rpmbuild/tmp
%_signature gpg
%_gpg_path /home/davidg/.gnupg/
%_gpg_name 3CDBBC71

where ~/.gnupg is a symlink to the USB mount point of the secure key, and the following directories must exist for rpmbuild to succeed

mkdir -p /home/davidg/rpmbuild/
mkdir -p /home/davidg/rpmbuild/SOURCES
mkdir -p /home/davidg/rpmbuild/SPECS
mkdir -p /home/davidg/rpmbuild/SRPMS
mkdir -p /home/davidg/rpmbuild/RPMS
mkdir -p /home/davidg/rpmbuild/RPMS/noarch
mkdir -p /home/davidg/rpmbuild/BUILD
mkdir -p /home/davidg/rpmbuild/tmp

Publication Repositories

EGI Interactions