From d86374f3605c745200a0cd9a710872dee77a60e0 Mon Sep 17 00:00:00 2001 From: Matt Prahl Date: Fri, 23 Sep 2016 10:51:38 -0400 Subject: [PATCH] Add documentation on how to setup fedmsg signing in development --- README.rst | 24 ++++++++++++++++++++++++ fedmsg.d/rida.py | 17 +++++++++++++++++ 2 files changed, 41 insertions(+) diff --git a/README.rst b/README.rst index a1879cf7..38cde04a 100644 --- a/README.rst +++ b/README.rst @@ -395,3 +395,27 @@ It may happen that you will run into issues and the container won't start proper $ sudo docker-compose build --no-cache --pull First command will stop and remove all containers and volumes and second command will pull latest base image and perform a clean build without cache. + + +``fedmsg Signing for Development`` +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In order to enable fedmsg signing in development, you will need to follow a series of steps. +Note that this will conflict with signed messages from a different CA that are on the message bus, so this may cause unexpected results. + +Generate the CA, the certificate to be used by fedmsg, and the CRL with:: + + $ python manage.py gendevfedmsgcert + +Setup Apache to host the CRL:: + + $ dnf install httpd && systemctl enable httpd && systemctl start httpd + $ mkdir -p /var/www/html/crl + $ ln -s /opt/fm-orchestrator/pki/ca.crl /var/www/html/crl/ca.crl + $ ln -s /opt/fm-orchestrator/pki/ca.crt /var/www/html/crl/ca.crt + +Create a directory to house the fedmsg cache:: + + $ mkdir -p /etc/pki/fedmsg + +Then uncomment the fedmsg signing configuration in fedmsg.d/rida.py. diff --git a/fedmsg.d/rida.py b/fedmsg.d/rida.py index da06b44b..d588f24f 100644 --- a/fedmsg.d/rida.py +++ b/fedmsg.d/rida.py 
@@ -8,4 +8,21 @@ config = {
 "tcp://127.0.0.1:300%i" % i for i in range(10)
 ],
 },
+
+ # Start of code signing configuration
+ # 'sign_messages': True,
+ # 'validate_signatures': True,
+ # 'crypto_backend': 'x509',
+ # 'crypto_validate_backends': ['x509'],
+ # 'ssldir': '/opt/fm-orchestrator/pki',
+ # 'crl_location': 'http://localhost/crl/ca.crl',
+ # 'crl_cache': '/etc/pki/fedmsg/crl.pem',
+ # 'crl_cache_expiry': 10,
+ # 'ca_cert_location': 'http://localhost/crl/ca.crt',
+ # 'ca_cert_cache': '/etc/pki/fedmsg/ca.crt',
+ # 'ca_cert_cache_expiry': 0, # Never expires
+ # 'certnames': {
+ # 'rida.localhost': 'localhost'
+ # }
+ # End of code signing configuration
 }
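Review bot: The trust anchor for signature validation, `ca_cert_location`, is fetched over plain `http://` and then cached forever by `'ca_cert_cache_expiry': 0`, so whoever answers that URL on the first fetch decides which message signatures this service accepts; that is acceptable for a localhost development CA, but this commented block is exactly what someone will copy into a real config, and nothing in it says so. I would add a line under "Start of code signing configuration": `# Development only: the CA cert and CRL are pulled unauthenticated over plain HTTP from localhost and the CA is cached indefinitely; never reuse these locations outside a local dev box.` It is also worth noting next to `'validate_signatures': True` that, if I recall fedmsg's defaults correctly, without a `routing_policy` any certificate issued by this CA is accepted for any topic, so validation here proves only "signed by the dev CA", not "signed by the expected service". The `config = {` dict this hunk extends begins above the hunk.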