The Fedora CoreOS team would like to pass our image and OSTree commit
artifacts to the Fedora Infrastructure signing server so that they
can be signed using the trusted setup designed by the Fedora
As part of this we will have OSTree commits that need to be signed as
well as Fedora CoreOS image artifacts.
For the OSTree commits Fedora already knows how to sign these as it
is already being done for Atomic Host, Silverblue and IoT. However,
since the Fedora CoreOS build infrastructure is not currently inside
of Fedora (currently in CentOS CI) we'll need to slightly modify the
way the commit signatures are passed back to the FCOS build process so
that it can then be embedded in the images during build.
See related ticket: https://github.com/coreos/fedora-coreos-tracker/issues/200
For the Fedora CoreOS image artifacts we have established
that we would like to sign the artifacts themselves and deliver a
detached signature. For example fedora-coreos.iso would be delivered
along with a fedora-coreos.iso.sig that could then be verified with
gpg --verify. In a recent Fedora Infrastructure meeting
it was determined that this proposal for signing artifacts directly
and delivering detached signatures is feasible and should work fine
with the existing signing server infrastructure.
That being said there is some work that needs to be done:
Members of the Fedora CoreOS team are willing to help work on the
Fedora Infra pieces if given guidance. I think either robosig or sigul
(can't remember which one) were said to be in the process of a rewrite
and to hold off on sending patches for now.
cc @puiterwijk - please correct any misstatements above ^^
Ideally the artifacts wouldn't be publicly accessible at the time they are signed, so also:
@puiterwijk indicated in the Fedora Infrastructure meeting that this should be doable.
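The detached-signature flow described above (artifact shipped next to an `.sig` file, consumer runs `gpg --verify`), as an added example that is not part of the ticket and not Fedora Infrastructure's signing-server code. It assumes GnuPG 2.x (`gpg`) is installed; the throwaway key and the stand-in `fedora-coreos.iso` are constructed test data, and the key merely plays the role of the Fedora signing key. It also shows the failure mode a consumer cares about: a modified artifact no longer verifies against the original signature.

```shell
#!/bin/sh
# Added example (not from the ticket): sign an artifact with a detached
# OpenPGP signature and verify it as a downloader would.
set -eu

WORK=$(mktemp -d)
# Isolated keyring so the host's real keys and trust settings are untouched.
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# Throwaway signing key, generated non-interactively; in the real flow the
# private key lives only on the signing server, not on the build host.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'FCOS Example Signer <example@invalid>' default default 0 2>/dev/null

# sign_artifact FILE: write a binary detached signature next to FILE as FILE.sig.
sign_artifact() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$1.sig" "$1"
}

# verify_artifact FILE: succeed only if FILE.sig is a valid signature over FILE
# made by a key present in the keyring. gpg's exit status is the verdict.
verify_artifact() {
    gpg --batch --quiet --verify "$1.sig" "$1" 2>/dev/null
}

# Constructed stand-in for the real fedora-coreos.iso.
ARTIFACT="$WORK/fedora-coreos.iso"
printf 'constructed ISO payload\n' > "$ARTIFACT"

sign_artifact "$ARTIFACT"
verify_artifact "$ARTIFACT" && echo "fedora-coreos.iso: signature OK"

# Any change to the artifact after signing must be rejected, even with the
# original (genuine) signature file sitting next to it.
TAMPERED="$WORK/tampered.iso"
cp "$ARTIFACT" "$TAMPERED"
cp "$ARTIFACT.sig" "$TAMPERED.sig"
printf 'x' >> "$TAMPERED"
if verify_artifact "$TAMPERED"; then
    echo "unexpected: tampered artifact verified" >&2
    exit 1
fi
echo "tampered.iso: signature rejected as expected"
```

Verification only trusts keys already in the keyring, so a consumer still has to obtain the Fedora public key through a trusted channel first; the `.sig` file alone proves nothing without that key.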
Metadata Update from @dustymabe:
- Issue priority set to: Next Meeting (was: Needs Review)
We are planning to try to release the first preview of FCOS in early July, which is realistically before this project will be completed. We discussed this in the infra meeting today and it is possible that for the first release or two we can use a manual signing process (via ticket requests to infra) for the artifacts we'd like to release.
Obviously manual signing is not what either the coreos teams or the infra teams want so we both have incentive to close the gap as soon as we both can.
This work has been triaged and discussed with Sanja, and Leigh. There are some ongoing actions we need to wrap up first. We'll plan for the week of July 22 for the automation work, but we'll handle manual signing as needed until then.
Just tagging myself here to reaffirm that we are committed to this as a priority; for any issues, just ping me on Google Chat preferably or IRC (lgriffin)
Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Next Meeting)