#7884 Project Proposal: Artifact signing for Fedora CoreOS
Opened 2 months ago by dustymabe. Modified a month ago

Artifact signing for Fedora CoreOS

The Fedora CoreOS team would like to pass our image and OSTree commit
artifacts to the Fedora Infrastructure signing server so that they
can be signed using the trusted setup designed by the Fedora
Infrastructure team.

As part of this we will have OSTree commits that need to be signed as
well as Fedora CoreOS image artifacts.

Signing OSTree commits:

For the OSTree commits Fedora already knows how to sign these as it
is already being done for Atomic Host, Silverblue and IoT. However,
since the Fedora CoreOS build infrastructure is not currently inside
of Fedora (currently in CentOS CI) we'll need to slightly modify the
way the commit signatures are passed back to the FCOS build process so
that it can then be embedded in the images during build.

See related ticket: https://github.com/coreos/fedora-coreos-tracker/issues/200

Work items:

  • FCOS team: write process for sending message that robosignatory can consume
  • Fedora Infra: develop ability for signing infra to accept/read the new message
  • Fedora Infra: develop ability for signing infra to accept commit and pass back signed commit

Signing Fedora CoreOS Image Artifacts

For the Fedora CoreOS image artifacts we have established
that we would like to sign the artifacts themselves and deliver a
detached signature. For example fedora-coreos.iso would be delivered
along with a fedora-coreos.iso.sig that could then be verified with
gpg --verify. In a recent Fedora Infrastructure meeting
it was determined that this proposal for signing artifacts directly
and delivering detached signatures is feasible and should work fine
with the existing signing server infrastructure.

That being said there is some work that needs to be done:

  • FCOS team: write process for sending message that robosignatory can consume
  • Fedora Infra: develop ability for signing infra to accept/read the new message
  • Fedora Infra: develop ability for signing infra to read artifact and pass back detached signature

Side Note

Members of the Fedora CoreOS team are willing to help work on the
Fedora Infra pieces if given guidance. I think either robosig or sigul
(can't remember which one) were said to be in the process of a rewrite
and to hold off on sending patches for now.

cc @puiterwijk - please correct any misstatements above ^^

Ideally the artifacts wouldn't be publicly accessible at the time they are signed, so also:

  • Fedora Infra: develop ability for signing infra to perform authenticated fetches of S3 objects

@puiterwijk indicated in the Fedora Infrastructure meeting that this should be doable.
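The consumer-side check the proposal describes (a detached `fedora-coreos.iso.sig` verified with `gpg --verify`), as an added example that is not part of the ticket or of any Fedora infrastructure code. It assumes GnuPG 2.1+ on PATH; the demo key, file names and payload are constructed here, and the check additionally pins the expected signing-key fingerprint, because `gpg --verify` alone accepts a signature from any key in the keyring.

```shell
#!/bin/sh
# Added example, not code from the ticket: verify a detached signature the way
# a consumer of fedora-coreos.iso + fedora-coreos.iso.sig should. Assumes
# GnuPG 2.1+ on PATH; key identity, file names and payload are constructed.

# verify_artifact ARTIFACT SIG EXPECTED_FPR
# Succeeds only if SIG is a good signature over ARTIFACT made by the key with
# full fingerprint EXPECTED_FPR. Decides on the machine-readable VALIDSIG
# status line, not on "Good signature" text, so any other key that happens
# to be present in the keyring cannot satisfy the check.
verify_artifact() {
  status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
  fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
  [ -n "$fpr" ] && [ "$fpr" = "$3" ]
}

# demo: build a throwaway keyring, sign a constructed artifact, then exercise
# verify_artifact on the good case and two failure cases. Returns 0 if all
# three behave as expected.
demo() {
  work=$(mktemp -d) || return 1
  export GNUPGHOME="$work/gnupg"          # never touch the real keyring
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  printf '%%no-protection\nKey-Type: eddsa\nKey-Curve: ed25519\n' >"$work/params"
  printf 'Key-Usage: sign\nName-Real: Demo Signer\n' >>"$work/params"
  printf 'Name-Email: demo@example.invalid\nExpire-Date: 0\n%%commit\n' >>"$work/params"
  gpg --batch --gen-key "$work/params" 2>/dev/null || return 1
  fpr=$(gpg --batch --with-colons --fingerprint --list-keys 2>/dev/null \
        | awk -F: '/^fpr:/{print $10; exit}')
  printf 'constructed image payload\n' >"$work/fedora-coreos.iso"
  gpg --batch --detach-sign --output "$work/fedora-coreos.iso.sig" \
      "$work/fedora-coreos.iso" 2>/dev/null || return 1
  rc=0
  # 1. good signature from the expected key -> accept
  verify_artifact "$work/fedora-coreos.iso" "$work/fedora-coreos.iso.sig" "$fpr" || rc=1
  # 2. good signature, but not from the key we expect -> reject
  ! verify_artifact "$work/fedora-coreos.iso" "$work/fedora-coreos.iso.sig" \
      "0000000000000000000000000000000000000000" || rc=1
  # 3. artifact modified after signing -> reject
  printf 'tampered\n' >>"$work/fedora-coreos.iso"
  ! verify_artifact "$work/fedora-coreos.iso" "$work/fedora-coreos.iso.sig" "$fpr" || rc=1
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  return $rc
}
```

In real use the expected fingerprint comes from an out-of-band trusted source (the published Fedora release key), not from the keyring that the `.sig` was just imported into.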

Metadata Update from @dustymabe:
- Issue priority set to: Next Meeting (was: Needs Review)

2 months ago

We are planning to try to release the first preview of FCOS in early July, which is realistically before this project will be completed. We discussed this in the infra meeting today and it is possible that for the first release or two we can use a manual signing process (via ticket requests to infra) for the artifacts we'd like to release.

Obviously manual signing is not what either the coreos teams or the infra teams want so we both have incentive to close the gap as soon as we both can.

This work has been triaged and discussed with Sanja, and Leigh. There are some ongoing actions we need to wrap up first. We'll plan for the week of July 22 for the automation work, but we'll handle manual signing as needed until then.

Just tagging myself here to reaffirm that we are committed to this as a priority, any issues just ping me on Google Chat preferably or IRC (lgriffin)

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Next Meeting)

a month ago
