sign.conf - Man Page

/etc/sign.conf

This file holds the configuration both for the sign program and the signd daemon. Each line in the file has the format "key: value [value...]". Empty lines or lines starting with "#" are ignored.

The following keys are recognized:

server: hostname

Forward all requests with unknown signing users to the specified server.

port: port

Use the specified port number instead of the default port "5167".

proto: unprotected|ssl

Set the protection protocol to secure the connection to the sign server. The default is to use an unprotected connection.

user: user

Set a default user to use for signing.

hash: hash

Set a default hash to use for signing. The default hash is SHA1 for compatibility reasons.

allow: ip

allow: subnet

allow: hostname

Allow only connections from the specified ip addresses, subnets expressed in CIDR notation, and/or hostnames. Note that hostnames are resolved using reverse DNS lookups, so there must be reverse entries in the DNS server, and it should be secured against DNS poisoning attacks. All request are rejected if the allow list is empty.

gpg: path_to_gpg

Select the gpg program to use instead of "/usr/bin/gpg".

phrases: phrases_directory

Set the directory containing gpg phrases for every user. A phrase file is fed into gpg with the "--passphrase-fd=0" option.

map: [hash:]from_signuser to_signuser

Modify the signuser. This can be used to map hashes and users to unambiguous key ids.

allowuser: username|uid

Grant the user the right to sign. The sign binary must be installed as suid-root binary for this to work. Multiple users can be specified by using multiple allowuser lines in the configuration.

allow-unprivileged-ports: true|false

Allow signd to accept connections from source ports > 1024. Defaults to false.

use-unprivileged-ports: true|false

Use a source port > 1024 when connecting to the signd server. Defaults to false.

logfile: filename

Log requests to the specified filename instead of stdout.

gnupghome: dirname

Configures the directory for gpg to use by setting the GNUPGHOME environment variable.

use-agent: true|false

Make signd directly talk to the gpg-agent for signing instead of calling gpg. If the gpg command does not implement the --files-are-digest parameter, this option always falls back to true.

keycache: dirname

Cache the result of finding the signing key for a username. This is only done if the gpg-agent is used for signing. The cache is automatically invalidated if there is a change in the gpg keyring.

agentsocket: socketpath [socketpath...]

Specify the location of the gpg agent socket. It is possible to specify more than one location, as gpg uses different socket directories depending on if the user is logged in or not. As a fallback, signd will call "gpgconf --list-dirs" to find the current location of the agent socket.

ssl_certfile: path

ssl_keyfile: path

Specify the certificate and the corresponding private key for ssl client certification.

ssl_verifyfile: path

ssl_verifydir: dirpath

Specify the ca locations used to verify the certificate of the server. If neither a verifydir nor a verifyfile is configured, the default ca locations are used.

proxyport: port

proxyproto: unprotected|ssl

proxyssl_certfile: path

proxyssl_keyfile: path

proxyssl_verifyfile: path

proxyssl_verifydir: dirpath

Configure the setting for incoming requests. The corresponding value for outgoing requests is used if a key has not been set. The keyfile/certfile specifies the server certificate, the verifydir/verifyfile configures the ca locations to verify the client certificate. Note that incoming requests with no client certificate are rejected.

allow_subject: x509_subject

allow_subject: /x509_subject_regex/

Allow only requests that have a verified client certificate with a subject that matches one of the specified values. The X509 subject is converted to a string as specified in RFC-2253 before doing a match. If the allow_subject list is empty, no check is done on the X509 subject but the certificate is still verified.

/etc/sign.conf

sign(8), signd(8)

sign(8), signd(8).