# Siguldry
Siguldry is a replacement for Fedora’s software signing service, Sigul. It is heavily inspired by Sigul, but includes a few protocol changes based on how Sigul is currently used in Fedora, which is significantly different from how it was originally envisioned when Sigul was designed.
In addition to the protocol level change, Siguldry also supports a greatly reduced set of commands.
## Components
The service includes three components. The first part, the server, is responsible for keeping the signing keys safe and for servicing client requests for signatures. The server does not listen on any network interfaces and will only send outgoing TCP connections to the configured bridge.
The bridge is a proxy. It accepts connections from servers and clients, which are both authenticated using mutual TLS certificates, and then ferries client and server traffic between the two connections. This ensures only clients with valid TLS certificates can even initialize a connection to the server.
The final component is the client, which lets users request signatures from the server. It is recommended that end users make use of the `libsiguldry_pkcs11.so` PKCS#11 module provided by the `siguldry-pkcs11` crate for signing needs rather than using the client directly.
Additionally, this crate provides a legacy Sigul client that is compatible with version 1.2+.
## Crate features
By default, the server, bridge, and client for Siguldry, along with their CLIs, are built.
- `cli` - Include the experimental Siguldry CLIs. This is a default feature.
- `server` - Include the experimental Siguldry server APIs. This is a default feature.
- `sigul-client` - Include the client compatible with Sigul 1.2. This is not enabled by default.