help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

update.conf with GnuPG verified config files


From: Russell Adams
Subject: update.conf with GnuPG verified config files
Date: Thu, 11 Dec 2003 19:28:28 -0600
User-agent: Mutt/1.4i

Attached is an update.conf I've written and used the past few months
with cfengine to distribute my configs.

At this stage, its still quite noisy, however it works reliably.

It uses wget to fetch the config files from a "Gold" server to a local
cache, then verifies the GnuPG signatures for each file with a known
administrator public key.

I created this because I couldn't in good conscience open up
additional ports to support a new file transfer protocol, and I felt I
had to verify the downloaded config files before putting them to
use. This prevents a "Gold" server compromise from distributing bad /
altered configs and also corrects for download errors (a half of a
config file will not pass a signature check).

Use "gpg -ab config.conf" to sign a config. Pay attention to the note
about having the administrator key in a keyring in /etc.

Feedback is appreciated.

To move ahead with this concept, I'm considering moving the download
stage to external modules (shell scripts) where I use rsync or wget to
maintain a local cache of the files from the "Gold" server.

Also a minor feature request: filters should be applied after
include/exclude lists. Part of the noise here is where the .asc
(signature) files are having their signatures checked. ;]

Russell

Attachment: update.conf
Description: Text document


reply via email to

[Prev in Thread] Current Thread [Next in Thread]