How to generate ssl cert for project?

I am looking for some help to generate SSL certificate for a project in my private OBS instance.

I tried following https://en.opensuse.org/openSUSE:Build_Service_Signer, but no luck.

You’ll probably have to describe your purpose and intended use.
Note that you asked for an SSL certificate, whereas the article you referenced describes creating a GPG key for assets in your project, which is pretty standard (you would not use an SSL certificate).

TSU

My mistake, I should have explained it earlier.

Our code uses that certificate for signing. I do not think I have an option to use GPG key as the code is designed and developed by someone else.

I am using OBS version 2.10 and by default, an SSL certificate is not being created for the projects. Even when I try the **osc signkey --create $project** command, it's not getting generated.

Please let me know how I should generate an SSL cert for the project.

I’ve never heard that you can use a self-signed code for code signing.
I suppose like anything else you could generate your own certificate but I can’t see how anyone would accept it for validation.

All situations I’ve been a part of, or have worked with others require the certificate to be issued by a recognized Certificate Authority, you would submit a CSR including your requirements, and the certificate is issued to you.

TSU

I don’t mean self signed certificate. Below is what I meant.

https://photos.app.goo.gl/nMTf5jnZ2WUQrkqC6

How to get my project to generate SSL Cert?

I know I am sounding noob. I am new to OBS

I don’t build projects in OBS,
But
Principles are likely the same no matter what environment, keeping in mind environment-specific tools

Assuming that your screenshot is a tool that imports a certificate to sign your project, you should…

  1. Select a Certificate Authority service that supports code signing… The biggest CAs on the Internet like Verisign and Thawte are examples, but any CA can be used as long as your clients (whoever installs your app) are set up to trust it.
  2. Using the CA’s tools, submit a CSR that specifies your purpose (code signing).
  3. When the certificate is issued by your CA, copy and paste (or point to the file) the certificate info into the OBS import tool.

It’s usually as simple as that.
After you build some code, you can test to make sure your setup is correct.

The problem with creating your own certificate like what you’re describing is that no one will be set up to trust you as the entity that created your certificate, so Users will be prevented from installing your app. An example where you wouldn’t have to pay for and get a certificate from a commercial CA is if you’re building apps that will be run only within your company. You can then deploy your own CA (possibly tied to network security like LDAP so your CA is automatically trusted by the machines in your company), and then use the CSR process so that your CA can generate the certificate you need which would then be imported into the tool you use to build your apps. When your build tool has that certificate, then you can build any number of apps and machines in your network should trust the certificate used to sign your code and install without a problem.

TSU
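
The internal-CA flow described in the post above (a CSR for code signing, issued by a CA your own machines trust), as an added example that is not part of the original thread and is not OBS's own mechanism. It uses plain `openssl`; the names `Example Internal CA` and `build-signer` and all file names are constructed.

```shell
#!/bin/sh
# Added example: an internal CA issues a code-signing certificate from a CSR.
set -eu

issue_codesign_cert() {
    dir=$1
    # Minimal request config (constructed) so the run does not depend on the system openssl.cnf.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # 1. Internal CA: private key plus self-signed root, allowed to sign certificates only.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/req.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Signer: private key plus CSR. Only the CSR is handed to the CA, never the key.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
        -subj "/CN=build-signer" -keyout "$dir/signer.key" -out "$dir/signer.csr" 2>/dev/null
    # 3. CA policy for the leaf: not a CA, usable for code signing and nothing else.
    cat > "$dir/codesign.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
EOF
    # 4. CA signs the CSR and applies the extensions above.
    openssl x509 -req -in "$dir/signer.csr" -sha256 -days 90 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/codesign.ext" -out "$dir/signer.crt" 2>/dev/null
}

# Succeeds only if the certificate chains to the given CA and carries the codeSigning EKU.
check_codesign_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text | grep -q "Code Signing"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
issue_codesign_cert "$workdir"
check_codesign_cert "$workdir/ca.crt" "$workdir/signer.crt" && echo "signer.crt: OK"
```

Clients accept `signer.crt` only once `ca.crt` is in their trust store, which is the distribution step the post describes for company-internal machines.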

Hi
You probably need to describe at which step from the above process the error is and also show the output of the errors/issues.

Note that what you’re describing here either requires you to trust the code signing by the original coder or you can simply disable the check altogether.
This doesn’t likely involve any tool to import a certificate because when you import a cert, you’re using it for the entire application whereas to use a code snippet from elsewhere is specific only to that code snippet… At least, that’s how I look at it.

Therefore,
If you really do want to do a signing check my guess is that it should be done manually and likely won’t require a few lines.
Otherwise, if you’re certain about the code integrity and don’t have to deal with a specification or regulation, I’d simply just use the code snippet without a check.

Repeating though that I don’t code using OBS,
So someone else may have another opinion. In fact, the following OBS documentation recommends a Discord room (and there is probably IRC) for OBS setup questions

TSU


Hi
That is NOT the Build Service link, that is obs-studio which are two completely different things, perhaps take a step back since you aren’t using the build service?

@OP, again what are the errors, you can also get help on IRC Freenode #opensuse-buildservice or the build service Mailing list;
openSUSE:Communication channels - openSUSE

Hi,

The errors while building the signing packages are:

136s] cat: debian/certs/obs.pem: No such file or directory
136s] dh_testdir\

54s] dh binary --with signobs
54s] create-stamp debian/debhelper-build-stamp
54s] dh_testroot
54s] dh_prep
54s] dh_signobs_unpack
54s] /usr/src/packages/BUILD/debian/signatures /usr/src/packages/BUILD
54s] 3 blocks
54s] certutil: unable to open “…/…/…/SOURCES/_projectcert.crt” for reading (-5950, 2).
54s] debian/rules:5: recipe for target ‘binary’ failed
54s] make: *** [binary] Error 255
54s] dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2
54s]
54s] obs failed “build grub2-signed-signed_2.1+signed.dsc” at Thu Jan 16 12:51:54 UTC 2020.

Above are the errors I am getting while compiling & signing the packages.

I am compiling debian packages and yes, I have pesign-obs-integration (GitHub - openSUSE/pesign-obs-integration) as well.

I have sent mail to the list and also posted my issues in IRC as well. Unfortunately I have not received any replies yet.

I’m reasonably sure the missing file I highlighted in red is the cert that should be issued to you by the CA.

Everything else you posted appears to have resulted from the missing file.

Perhaps the question which should be asked first is how important is it for your code to be signed…
Because it has a substantial cost and would be used to sign any code written by anyone in the company, normally the company pays for it (I’m not aware of any FOSS that signs code using SSL certificates or any low cost ways for coders to obtain a certificate for non-Production use, like training).

If you are simply responsible for writing code but not for distributing, I’d recommend you don’t sign your code.
Signing can be left unconfigured until you actually intend to distribute the code to real world users.

Or, although I’ve never done so I guess you might sign code with a self-signed certificate generated by OpenSSL, but by doing so no one would be able to install your code except yourself.

TSU