AlmaLinux Build System Sing Node is designed to sign build packages.
Sign Node sends a request to the Web-Server and receives back a task to sign packages. The process to fulfill the task:
- Sign Node downloads packages that belong to the build from the Artifact Storage(PULP);
- Sign Node uses the PGP key to sign each package. Sign Node checks the PGP key each time, that it was imported correctly by checking the config file and node keys.
- Uploads a signed package back to the Artifact Storage(PULP).
- Sends the status to the Web-Server.
After the task is completed, a user will get a message task is completed. If there is no task for the Sign Node, a user will get a message no task to be signed.
Build System works with RPM packages, so to sign them python code emulates bash command rpmsign.
You can start the system using the Docker Compose tool.
Pre-requisites:
dockeranddocker-compose-plugintools are installed and set up;
To start the system, run the following command: docker compose up -d. To rebuild images after your local changes, just run docker compose up -d --build.
By default the sign node asks for each PGP key passphrase interactively at
startup (or uses dev_pgp_key_password in development mode). Instead, it can
fetch passphrases from a Bitwarden vault using
py-bitwarden-wrapper.
Requirements:
- The Bitwarden CLI (
bw) must be installed and onPATH. - For each keyid listed in
pgp_keys, create a Bitwarden login item whose name equals the keyid and whose password field holds the passphrase.
Enable it in the node config (sign_node.yml):
bitwarden_enabled: yes
bitwarden_username: signer@example.com
# Provide the master password via a file (preferred) ...
bitwarden_password_file: /run/secrets/bw_master
# ... or inline (less safe):
# bitwarden_password: "..."
# Optional: restrict the lookup to a single collection (real UUID only;
# omit to search the whole vault).
# bitwarden_collection_id: <uuid>When bitwarden_enabled is true, fetched passphrases take precedence over the
development password and interactive prompts. Startup fails fast if any keyid
is missing from the vault or its passphrase does not unlock the GPG key.
bitwarden-wrapper is not published on PyPI — it is installed directly from
GitHub via requirements.txt.
All issues should be reported to the Build System project.