Contributors have write access to our source code and package repositories, as well as to the build server used for packaging. pacman verifies packages with detached PGP signatures, so every package must be signed during the packaging process, which means the signing key has to be reachable from wherever the package is built.
SSH key pair and agent
For generating an SSH key pair, see this. The build system uses your running ssh-agent and the keys loaded into it. If it cannot find a running agent it starts one for you, but it is recommended to have an ssh-agent running before you enter the chroot: an agent started inside the chroot lives only as long as that session, so you would have to add your keys again every time. See this for more information.
GPG key pair and agent
For generating a GPG key pair, see this. The build system uses your running gpg-agent and queries that agent for passphrases. gpg-agent can be started automatically the first time its socket is used (systemd socket activation). To start on boot:
Both should report Active: active (listening) or Active: active (running) in green. Since GnuPG 2.1 the sockets are created under $XDG_RUNTIME_DIR/gnupg/ (/run/user/$UID/gnupg) by default. If you set $GNUPGHOME to a non-default directory the sockets live elsewhere (inside that directory, or in a per-homedir subdirectory of /run/user/$UID/gnupg/, depending on the GnuPG version), so do not guess the path. You can find out where your sockets are by running:
$ gpgconf --list-dirs
To get a working graphical signing mechanism, configure GPG to use a GUI PIN-entry program instead of the default TUI-based (curses) one. Edit ~/.gnupg/gpg-agent.conf so that pinentry-program points to a GUI PIN-entry program such as /usr/bin/pinentry-qt (the agent reads this file only at startup, so reload or restart it after editing):
pinentry-qt is the default pinentry on Chakra. You can also let gpg-agent act as your ssh-agent, so SSH key passphrases get the same graphical prompt. For further reading on this topic, see this.
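The following script is an added example and not part of the Chakra wiki or build system. It ties the steps above together: it reads the real socket locations from gpgconf --list-dirs, checks that the socket files and (where systemd is present) the user units are up, writes pinentry-program and enable-ssh-support into gpg-agent.conf without duplicating them on repeated runs, reloads the agent, and checks that ssh-agent answers. The pinentry path, the unit names and the GNUPGHOME fallback are assumptions about a standard Chakra install; run it as "sh agent-check.sh" to only check, or "sh agent-check.sh setup" to also write the config.

```shell
#!/bin/sh
# Added example (not from the Chakra wiki): check and configure the
# gpg-agent / ssh-agent setup used by the build system. Assumptions:
# GnuPG >= 2.1, systemd user units named gpg-agent*.socket, and a GUI
# pinentry at /usr/bin/pinentry-qt (override with PINENTRY=...).
set -u

GNUPG_DIR="${GNUPGHOME:-$HOME/.gnupg}"
AGENT_CONF="$GNUPG_DIR/gpg-agent.conf"
PINENTRY="${PINENTRY:-/usr/bin/pinentry-qt}"   # assumed GUI pinentry

# Extract one value from `gpgconf --list-dirs` output. The format is
# "name:value" per line; colons inside values are percent-escaped.
# Reads stdin so it can be exercised on captured output.
gpgconf_value() {
    key="$1"
    sed -n "s/^$key:\(.*\)$/\1/p" | sed 's/%3a/:/g; s/%3A/:/g'
}

# Ensure exactly one "pinentry-program" line and one "enable-ssh-support"
# line in gpg-agent.conf; safe to run repeatedly.
write_agent_conf() {
    conf="$1"; pinentry="$2"
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    tmp="$conf.tmp"
    grep -v '^pinentry-program ' "$conf" | grep -v '^enable-ssh-support' > "$tmp" || true
    printf 'pinentry-program %s\nenable-ssh-support\n' "$pinentry" >> "$tmp"
    mv "$tmp" "$conf"
}

# Report socket files, systemd unit state and ssh-agent reachability.
check_agents() {
    if ! command -v gpgconf >/dev/null 2>&1; then
        echo "gpgconf not found; is GnuPG 2.1 or later installed?" >&2
        return 1
    fi
    dirs=$(gpgconf --list-dirs)
    for k in agent-socket agent-extra-socket agent-ssh-socket; do
        sock=$(printf '%s\n' "$dirs" | gpgconf_value "$k")
        if [ -S "$sock" ]; then
            echo "ok      $k -> $sock"
        else
            echo "MISSING $k -> $sock (no socket file; unit not started?)"
        fi
    done
    if command -v systemctl >/dev/null 2>&1; then
        for u in gpg-agent.socket gpg-agent-extra.socket gpg-agent-ssh.socket; do
            echo "$u: $(systemctl --user is-active "$u" 2>/dev/null || echo unknown)"
        done
    fi
    ssh_sock=$(printf '%s\n' "$dirs" | gpgconf_value agent-ssh-socket)
    if [ "${SSH_AUTH_SOCK:-}" != "$ssh_sock" ]; then
        echo "hint: export SSH_AUTH_SOCK=$ssh_sock to let gpg-agent serve SSH keys"
    fi
    # ssh-add -l exit codes: 0 keys loaded, 1 agent has no identities,
    # 2 no agent reachable.
    ssh-add -l >/dev/null 2>&1
    case $? in
        0) echo "ssh-agent: reachable, keys loaded" ;;
        1) echo "ssh-agent: reachable, no keys loaded (run ssh-add)" ;;
        *) echo "ssh-agent: not reachable; start one before entering the chroot" ;;
    esac
}

case "${1:-check}" in
    setup)
        write_agent_conf "$AGENT_CONF" "$PINENTRY"
        gpg-connect-agent reloadagent /bye >/dev/null 2>&1   # pick up new config
        check_agents
        ;;
    *)
        check_agents
        ;;
esac
```

After "setup", put the SSH_AUTH_SOCK export the script suggests into your shell profile and run ssh-add once: gpg-agent then stores the key in its own keystore (listed in sshcontrol) and prompts for it with the same pinentry as the signing key.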
Build system on a local host
The network looks like this: local host → container → rsync.chakralinux.org. Both agents run on your local host and their sockets are bound into the container when you enter the chroot, so no keys need to be copied anywhere. Enter the chroot; a message like this should appear:
Build system on a remote host
The network looks like this: local host → remote host → container → rsync.chakralinux.org. While you could store keys on the remote host, it is recommended to forward the agents from your local host instead: the private keys never leave your machine, and you are prompted for the passphrase on your local host whenever a key is used on the remote host. Keep in mind that anyone with root on the remote host can use the forwarded agents for as long as your session is open, so only forward to hosts you trust.
On local host
This requires OpenSSH 6.7 or later (Unix-domain socket forwarding) and GnuPG 2.1 or later. Forward gpg-agent-extra.socket rather than gpg-agent.socket: the extra socket is the restricted interface intended for remote use, and a client connected to it can sign and decrypt but cannot, for example, export secret keys:
$ systemctl --user start gpg-agent-extra.socket
In your ~/.ssh/config:
Host remote_host
    HostName example.com
    Port 22
    User jsmith
    IdentityFile ~/.ssh/id_rsa
    ForwardAgent yes
    RemoteForward /run/user/<remote_host_uid>/gnupg/S.gpg-agent /run/user/<local_host_uid>/gnupg/S.gpg-agent.extra
RemoteForward takes the remote socket path first and the local one second. Replace <remote_host_uid> and <local_host_uid> with the numeric user IDs on each host, or take the paths from gpgconf --list-dirs on each side. On the remote host no gpg-agent of your own may be running, and its sshd needs StreamLocalBindUnlink yes, otherwise a stale socket file blocks the forward and the remote gpg silently starts a local agent that has no keys.
When you run enter_chroot.sh on the remote host, these messages should be displayed:
:: found /run/user/<local_host_uid>/gnupg/S.gpg-agent.extra, will bind it to container!
:: found /home/<username>/.gnupg, will bind it to container!
:: found /home/<username>/.ssh, will bind it to container!
Verify that you can decrypt the encrypted file inside the container on the remote host (the passphrase prompt appears on your local host):
$ gpg --decrypt encrypted_file
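The following script is an added example and not part of the Chakra wiki or build system. It covers the remote-host procedure above: it builds the Host block from the socket paths that gpgconf reports on each side instead of guessed UIDs, and it checks the forwarding with the same decrypt round trip as above (encrypt locally to your own key, decrypt on the remote host through the forwarded agent, compare). The alias "remote_host", host name, user and the key id are placeholders you pass on the command line; the remote host must already have your public key imported, and its sshd must have StreamLocalBindUnlink yes.

```shell
#!/bin/sh
# Added example (not from the Chakra wiki): generate the ssh config entry
# for gpg-agent forwarding and verify it end to end.
# Usage: sh gpg-forward.sh config [alias hostname user]
#        sh gpg-forward.sh verify alias keyid
set -u

# RemoteForward takes the REMOTE socket first, then the LOCAL socket.
# The local restricted extra socket is exposed at the remote's normal
# socket path, so gpg on the remote host needs no configuration.
remote_forward_line() {
    remote_sock="$1"; local_extra="$2"
    printf 'RemoteForward %s %s\n' "$remote_sock" "$local_extra"
}

# Whole Host block; ForwardAgent forwards the ssh keys as well.
ssh_host_block() {
    alias="$1"; hostname="$2"; user="$3"; remote_sock="$4"; local_extra="$5"
    printf 'Host %s\n' "$alias"
    printf '    HostName %s\n    Port 22\n    User %s\n' "$hostname" "$user"
    printf '    IdentityFile ~/.ssh/id_rsa\n    ForwardAgent yes\n'
    printf '    '
    remote_forward_line "$remote_sock" "$local_extra"
}

# Ask each side where its sockets really are; this also handles a
# non-default GNUPGHOME, where the path is not simply /run/user/UID/gnupg.
discover_block() {
    alias="$1"; hostname="$2"; user="$3"
    local_extra=$(gpgconf --list-dirs agent-extra-socket) || return 1
    remote_sock=$(ssh "$user@$hostname" gpgconf --list-dirs agent-socket) || return 1
    ssh_host_block "$alias" "$hostname" "$user" "$remote_sock" "$local_extra"
}

# Round trip through the forwarded agent. The pinentry prompt appears on
# the local host because the secret key never leaves it.
verify_forwarding() {
    alias="$1"; keyid="$2"
    tmp=$(mktemp -d)
    printf 'agent forwarding works\n' > "$tmp/plain"
    gpg --batch --yes --recipient "$keyid" --output "$tmp/plain.gpg" \
        --encrypt "$tmp/plain" || return 1
    # gpg reads the ciphertext from stdin, which ssh carries to the remote.
    ssh "$alias" 'gpg --batch --decrypt' < "$tmp/plain.gpg" > "$tmp/roundtrip" 2>/dev/null || return 1
    if cmp -s "$tmp/plain" "$tmp/roundtrip"; then
        echo "forwarding works: remote host decrypted with the local agent"
    else
        echo "decryption on remote host failed; check StreamLocalBindUnlink and the socket paths" >&2
        return 1
    fi
}

case "${1:-}" in
    config) discover_block "${2:-remote_host}" "${3:-example.com}" "${4:-jsmith}" ;;
    verify) verify_forwarding "${2:-remote_host}" "${3:?key id required}" ;;
    *)      echo "usage: $0 config [alias hostname user] | verify alias keyid" >&2 ;;
esac
```

Append the output of "config" to ~/.ssh/config, open a fresh ssh session, and run "verify"; a failure here almost always means a stale S.gpg-agent file on the remote side or a running remote gpg-agent owning that socket.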
Copy your public keyring and the encrypted file to rsync.chakralinux.org: