sign.conf - Man Page
sign and signd configuration file
Synopsis
/etc/sign.conf
Description
This file holds the configuration both for the sign program and the signd daemon. Each line in the file has the format "key: value [value...]". Empty lines or lines starting with "#" are ignored.
The following keys are recognized:
- server: hostname
Forward all requests with unknown signing users to the specified server.
- port: port
Use the specified port number instead of the default port "5167".
- proto: unprotected|ssl
Set the protection protocol used to secure the connection to the sign server. "unprotected" is a plain TCP connection with no encryption or certificate-based authentication; the only checks are the server's allow list and the privileged source port. "ssl" wraps the connection in TLS and presents the client certificate configured with ssl_certfile/ssl_keyfile. The default is to use an unprotected connection.
- user: user
Set a default user to use for signing.
- hash: hash
Set a default hash to use for signing. The default hash is SHA1 for compatibility reasons only; SHA1 is no longer considered collision resistant, so new deployments should configure a SHA2 family hash here and use the "map" key if different hashes need to select different keys.
- allow: ip
- allow: subnet
- allow: hostname
Allow only connections from the specified IP addresses, subnets expressed in CIDR notation, and/or hostnames. Note that hostnames are matched against the result of a reverse DNS lookup of the peer address, so there must be PTR entries in the DNS server, and the resolver must be secured against DNS poisoning; an attacker who controls the reverse zone of their address can pick any name. Prefer IP addresses and subnets where possible. All requests are rejected if the allow list is empty.
- gpg: path_to_gpg
Select the gpg program to use instead of "/usr/bin/gpg".
- phrases: phrases_directory
Set the directory containing a gpg passphrase file for every user. A phrase file is fed to gpg on stdin with the "--passphrase-fd=0" option. The files hold signing key passphrases in cleartext, so the directory and every file in it should be readable only by the user signd runs as.
- map: [hash:]from_signuser to_signuser
Rewrite the signing user before the key lookup. The optional hash prefix restricts the mapping to requests using that hash, so the same user name can be mapped to different, unambiguous key ids depending on the requested hash.
- allowuser: username|uid
Grant the local user the right to sign. The sign binary must be installed as a setuid-root binary for this to work, as it drops the check otherwise. Multiple users can be specified by using multiple allowuser lines in the configuration.
- allow-unprivileged-ports: true|false
Allow signd to accept connections from source ports > 1024. Defaults to false, which means signd only accepts connections whose source port is privileged (a port only root may bind on the client host). This privileged-port check is a weak form of client authentication and is no substitute for the allow list or TLS client certificates.
- use-unprivileged-ports: true|false
Use a source port > 1024 when connecting to the signd server. Defaults to false, which requires sign to run with root privileges (see allowuser) in order to bind a privileged port. The server must have allow-unprivileged-ports enabled for this to work.
- logfile: filename
Log requests to the specified filename instead of stdout.
- gnupghome: dirname
Configures the directory for gpg to use by setting the GNUPGHOME environment variable.
- use-agent: true|false
Make signd talk directly to the gpg-agent for signing instead of calling gpg. If the installed gpg command does not implement the --files-are-digest parameter, signd behaves as if this option were set to true regardless of the configured value.
- keycache: dirname
Cache the result of finding the signing key for a username. This is only done if the gpg-agent is used for signing. The cache is automatically invalidated if there is a change in the gpg keyring.
- agentsocket: socketpath [socketpath...]
Specify the location of the gpg-agent socket. It is possible to specify more than one location, as gpg uses different socket directories depending on whether the user is logged in or not. As a fallback, signd will call "gpgconf --list-dirs" to find the current location of the agent socket.
- ssl_certfile: path
- ssl_keyfile: path
Specify the certificate and the corresponding private key used for TLS client authentication when connecting to the sign server with "proto: ssl".
- ssl_verifyfile: path
- ssl_verifydir: dirpath
Specify the CA locations used to verify the certificate of the server. If neither a verifydir nor a verifyfile is configured, the default CA locations of the TLS library are used.
- proxyport: port
- proxyproto: unprotected|ssl
- proxyssl_certfile: path
- proxyssl_keyfile: path
- proxyssl_verifyfile: path
- proxyssl_verifydir: dirpath
Configure the settings for incoming requests. If a proxy key has not been set, the corresponding value for outgoing requests is used. The keyfile/certfile specifies the server certificate, and the verifydir/verifyfile configures the CA locations used to verify the client certificate. Note that incoming requests without a client certificate are rejected.
- allow_subject: x509_subject
- allow_subject: /x509_subject_regex/
Allow only requests that present a verified client certificate whose subject matches one of the specified values. The X509 subject is converted to a string as specified in RFC 2253 before matching, so the literal form must be written in that order and syntax (for example "CN=host,O=Org"). If the allow_subject list is empty, no check is done on the X509 subject, but the certificate is still verified against the configured CA.
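The following is an added example, not code from sign or signd: a small Python model of how signd applies the access-control keys described above to one incoming request. It parses the "key: value [value...]" format, then applies the allow list (IP, CIDR, hostname via a reverse-DNS name the caller has already resolved), the allow_subject list (literal or /regex/), the map key, and the privileged source port rule. The sample configuration embedded as SAMPLE_CONF is constructed for this example; its hostnames, subnets, subjects and map entries are made up, "sha256" as a hash name and the precedence of "hash:user" over bare "user" map entries are assumptions, and the regex is applied with a search rather than a full match, which is also an assumption.

```python
import ipaddress
import re

# Constructed sample sign.conf for a signd host (values are illustrative only).
SAMPLE_CONF = """\
# forward unknown users to the central signer, accept only the build hosts
server: sign-master.example.internal
port: 5167
proto: ssl
hash: sha256
allow: 10.0.5.0/24
allow: 192.0.2.17
allow: builder01.example.internal
allowuser: obsrun
map: sha256:obsrun obsrun-rsa4096@example.internal
map: obsrun obsrun-legacy@example.internal
allow_subject: CN=builder01.example.internal,O=Example
allow_subject: /^CN=builder[0-9]+\\.example\\.internal,O=Example$/
"""


def parse_sign_conf(text):
    """Parse "key: value [value...]" lines into {key: [raw value string, ...]}.
    Empty lines and lines starting with '#' are ignored.  Repeated keys
    accumulate, which is how allow, allowuser, map and allow_subject lists
    are built.  Only the first ':' separates key and value, so "map: sha256:x y"
    keeps its hash prefix intact."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        conf.setdefault(key.strip(), []).append(rest.strip())
    return conf


def peer_allowed(conf, peer_ip, peer_rdns=None):
    """Apply the allow: rules.  An empty list rejects every request, as the
    man page states.  Hostname rules are compared against the peer's
    reverse-DNS name, which the caller has already looked up."""
    rules = conf.get("allow", [])
    if not rules:
        return False
    addr = ipaddress.ip_address(peer_ip)
    for rule in rules:
        try:
            # a bare address parses as a /32 (or /128) network
            if addr in ipaddress.ip_network(rule, strict=False):
                return True
        except ValueError:
            # not an address or CIDR: treat the rule as a hostname
            if peer_rdns is not None and rule.lower() == peer_rdns.lower():
                return True
    return False


def subject_allowed(conf, subject_rfc2253):
    """Apply allow_subject: rules to an RFC 2253 subject string.  Entries of
    the form /.../ are regular expressions (matched with re.search here, an
    assumption); anything else must match literally.  An empty list means
    no subject check, though the certificate itself is still verified."""
    rules = conf.get("allow_subject", [])
    if not rules:
        return True
    for rule in rules:
        if len(rule) >= 2 and rule.startswith("/") and rule.endswith("/"):
            if re.search(rule[1:-1], subject_rfc2253):
                return True
        elif rule == subject_rfc2253:
            return True
    return False


def resolve_signuser(conf, user, hashname):
    """Apply map: lines.  A "hash:user" entry for the requested hash wins
    over a bare "user" entry (precedence assumed); unmapped users pass through."""
    bare = None
    for entry in conf.get("map", []):
        parts = entry.split()
        if len(parts) != 2:
            continue
        src, dst = parts
        if src == f"{hashname}:{user}":
            return dst
        if src == user:
            bare = dst
    return bare if bare is not None else user


def source_port_allowed(conf, port):
    """Privileged source port rule: ports > 1024 are only accepted when
    allow-unprivileged-ports is true (the last setting wins)."""
    flag = conf.get("allow-unprivileged-ports", ["false"])[-1].lower()
    return port <= 1024 or flag == "true"


if __name__ == "__main__":
    conf = parse_sign_conf(SAMPLE_CONF)
    for ip, rdns in [("10.0.5.77", None), ("192.0.2.18", None),
                     ("198.51.100.4", "builder01.example.internal")]:
        print(ip, rdns, "->", "allowed" if peer_allowed(conf, ip, rdns) else "rejected")
    print(resolve_signuser(conf, "obsrun", "sha256"))
```

A real signd additionally verifies the client certificate chain before the subject check runs, and performs the reverse lookup itself; this model only shows how the configured rules combine, which is useful when reviewing a sign.conf for an overly broad allow list or a regex that matches more subjects than intended.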
Files
/etc/sign.conf