Sigul Client Setup

This document describes how to configure a sigul client. For more information on sigul, please see User:Mitr.

Prerequisites

  1. Install sigul and its dependencies. It is available in both Fedora and EPEL:

    On Fedora:

    dnf install sigul

    On RHEL/CentOS (using EPEL):

    yum install sigul

  2. Ensure that your koji certificate and the Fedora CA certificates are present, at the following locations, on the system you run the sigul client from:

    • ~/.fedora.cert

    • ~/.fedora-server-ca.cert

    • ~/.fedora-upload-ca.cert

  3. Admin privileges on koji are required to write signatures.

Configuration

  1. Run sigul_setup_client

  2. Choose a password for your NSS database. By default this password is stored on disk in ~/.sigul/client.conf.

  3. Choose an export password. You only need to remember it until sigul_setup_client finishes.

  4. Enter the DB password you chose earlier, then the export password. You should see the message "pk12util: PKCS12 IMPORT SUCCESSFUL".

  5. Enter the DB password again. You should see the message "Done."

  6. Assuming that you are running the sigul client within phx2, edit ~/.sigul/client.conf to include the following lines:

[client]
bridge-hostname: sign-bridge.phx2.fedoraproject.org
server-hostname: sign-vault.phx2.fedoraproject.org
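
The shell functions below are an added example, not part of sigul or of the original page. They check the result of the steps above: the three certificate files, the two [client] settings, and the permissions on client.conf, which holds the NSS database password. The function names are hypothetical; the paths and keys are the ones listed on this page.

```shell
#!/bin/sh
# Added example: preflight check for the sigul client setup described above.
# File paths and [client] keys come from this page; function names are hypothetical.

# Print the value of KEY from the [client] section of FILE ("key: value" or "key = value").
client_conf_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_client = ($0 ~ /^[ \t]*\[client\]/); next }
        in_client && index($0, key) == 1 {
            rest = substr($0, length(key) + 1)
            if (rest ~ /^[ \t]*[:=]/) {
                sub(/^[ \t]*[:=][ \t]*/, "", rest)
                sub(/[ \t\r]+$/, "", rest)
                print rest; exit
            }
        }' "$1"
}

# Check the layout under HOME_DIR; print one line per problem, return non-zero if any.
sigul_preflight() {
    home=$1; conf=$home/.sigul/client.conf; problems=0
    for f in .fedora.cert .fedora-server-ca.cert .fedora-upload-ca.cert; do
        if [ ! -s "$home/$f" ]; then
            echo "missing or empty: ~/$f"
            problems=$((problems + 1))
        fi
    done
    if [ ! -f "$conf" ]; then
        echo "missing: ~/.sigul/client.conf (run sigul_setup_client)"
        return 1
    fi
    # client.conf holds the NSS database password, so only the owner should read it.
    if [ -n "$(find "$conf" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "readable by group or others: ~/.sigul/client.conf (chmod 600)"
        problems=$((problems + 1))
    fi
    for key in bridge-hostname server-hostname; do
        if [ -z "$(client_conf_value "$conf" "$key")" ]; then
            echo "not set in [client]: $key"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}
# Usage: sigul_preflight "$HOME"
```
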

Updating your Fedora certificate

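When your Fedora certificate expires, update it and then run the following commands. The first deletes the old client certificate from the NSS database in ~/.sigul; the second runs the client setup again: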

$ certutil -d ~/.sigul -D -n sigul-client-cert
$ sigul_setup_client