#7884 Project Proposal: Artifact signing for Fedora CoreOS
Opened 4 months ago by dustymabe. Modified a month ago

Artifact signing for Fedora CoreOS

The Fedora CoreOS team would like to pass our image and OSTree commit
artifacts to the Fedora Infrastructure signing server so that they
can be signed using the trusted setup designed by the Fedora
Infrastructure team.

As part of this we will have OSTree commits that need to be signed as
well as Fedora CoreOS image artifacts.

Signing OSTree commits:

For the OSTree commits Fedora already knows how to sign these as it
is already being done for Atomic Host, Silverblue and IoT. However,
since the Fedora CoreOS build infrastructure is not currently inside
of Fedora (currently in CentOS CI) we'll need to slightly modify the
way the commit signatures are passed back to the FCOS build process so
that it can then be embedded in the images during build.

See related ticket: https://github.com/coreos/fedora-coreos-tracker/issues/200

Work items:

  • FCOS team: write process for sending message that robosignatory can consume
  • Fedora Infra: develop ability for signing infra to accept/read the new message
  • Fedora Infra: develop ability for signing infra to accept commit and pass back signed commit

Signing Fedora CoreOS Image Artifacts

For the Fedora CoreOS image artifacts we have established
that we would like to sign the artifacts themselves and deliver a
detached signature. For example, fedora-coreos.iso would be delivered
along with a fedora-coreos.iso.sig that could then be verified with
gpg --verify. In a recent Fedora Infrastructure meeting
it was determined that this proposal for signing artifacts directly
and delivering detached signatures is feasible and should work fine
with the existing signing server infrastructure.

That being said there is some work that needs to be done:

  • FCOS team: write process for sending message that robosignatory can consume
  • Fedora Infra: develop ability for signing infra to accept/read the new message
  • Fedora Infra: develop ability for signing infra to read artifact and pass back detached signature

Side Note

Members of the Fedora CoreOS team are willing to help work on the
Fedora Infra pieces if given guidance. I think either robosig or sigul
(can't remember which one) were said to be in the process of a rewrite
and to hold off on sending patches for now.

cc @puiterwijk - please correct any misstatements above ^^

Ideally the artifacts wouldn't be publicly accessible at the time they are signed, so also:

  • Fedora Infra: develop ability for signing infra to perform authenticated fetches of S3 objects

@puiterwijk indicated in the Fedora Infrastructure meeting that this should be doable.
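A verifier-side sketch of the detached-signature scheme proposed above: it checks a fedora-coreos.iso.sig against its artifact and accepts the result only if gpg reports a valid signature from a pinned key fingerprint. This is an added example, not code from the ticket or from the Fedora signing infrastructure; it assumes gpg is installed and uses a throwaway key and a constructed stand-in for fedora-coreos.iso.

```shell
#!/bin/sh
# Added example (not part of the ticket): verify a detached GPG signature
# such as fedora-coreos.iso.sig and pin the signing key's fingerprint.
# Assumed: gpg (2.x) is on PATH; the caller supplies the expected fingerprint.
set -u

# verify_artifact <artifact> <detached-sig> <expected-primary-fpr> <gnupghome>
# Returns 0 only when gpg emits VALIDSIG and the primary key fingerprint
# (last field of the VALIDSIG status line) equals the pinned one.
verify_artifact() {
  artifact=$1; sig=$2; want_fpr=$3; home=$4
  status=$(gpg --homedir "$home" --batch --status-fd 1 \
               --verify "$sig" "$artifact" 2>/dev/null) || return 1
  got_fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF}')
  [ -n "$got_fpr" ] && [ "$got_fpr" = "$want_fpr" ]
}

# Demo: generate a throwaway key, sign a constructed artifact, verify it,
# then append a byte and confirm the same signature is now rejected.
# Returns 0 when both outcomes are as expected, 1 on a wrong outcome,
# 2 if key generation or signing itself failed in this environment.
demo_detached_signing() {
  work=$(mktemp -d); home=$work/gnupg; mkdir -m 700 "$home"
  gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'FCOS Test Signer (constructed) <test@example.invalid>' \
      default default never >/dev/null 2>&1 || return 2
  fpr=$(gpg --homedir "$home" --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10; exit}')
  iso=$work/fedora-coreos.iso
  printf 'constructed stand-in for fedora-coreos.iso\n' >"$iso"
  gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --detach-sign --output "$iso.sig" "$iso" 2>/dev/null || return 2
  # Untampered artifact with the pinned key: must verify.
  verify_artifact "$iso" "$iso.sig" "$fpr" "$home" || return 1
  # A different pinned fingerprint must be rejected even though the signature is good.
  if verify_artifact "$iso" "$iso.sig" "0000000000000000000000000000000000000000" "$home"; then return 1; fi
  # Tampered artifact: the detached signature no longer matches.
  printf 'tampered\n' >>"$iso"
  if verify_artifact "$iso" "$iso.sig" "$fpr" "$home"; then return 1; fi
  gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  return 0
}
```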

Metadata Update from @dustymabe:
- Issue priority set to: Next Meeting (was: Needs Review)

4 months ago

We are planning to try to release the first preview of FCOS in early July, which is realistically before this project will be completed. We discussed this in the infra meeting today and it is possible that for the first release or two we can use a manual signing process (via ticket requests to infra) for the artifacts we'd like to release.

Obviously manual signing is not what either the coreos teams or the infra teams want so we both have incentive to close the gap as soon as we both can.

This work has been triaged and discussed with Sanja and Leigh. There are some ongoing actions we need to wrap up first. We'll plan for the week of July 22 for the automation work, but we'll handle manual signing as needed until then.

Just tagging myself here to reaffirm that we are committed to this as a priority, any issues just ping me on Google Chat preferably or IRC (lgriffin)

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Next Meeting)

3 months ago

Any updates? We can continue signing manually for now, but it'd be good to get this squared away.

I think this is mostly dependent on https://pagure.io/fedora-infrastructure/issue/7940 at this point and us actually implementing the code that sends signing requests via fedora-messaging and integrating it into our pipeline.

That is the FCOS team side of the proposal in the description, right? There are several fedora-infra pieces including some code changes to robosignatory that were listed out too. We'll need to work on both sides and then collaborate closely to wire them up to each other, I think.

@abompard can you confirm our side is done on this? That was my understanding.

Yes I think so, the Robosignatory bit has been written and merged:
https://pagure.io/robosignatory/pull-request/25

Wow, had no idea. @jlebon and I will review and work on integrating the pieces.

@dustymabe let me know if there is anything else you need from our team, if not, let's close this out and clear it off our backlog!

@lgriffin - we'll let you know early next week. We need to process this a bit and try to wire it up. Probably will be a bit of collaboration back and forth. @abompard are you around early next week in case we have issues or want to talk?

Just as a side note we still haven't deployed this version of robosignatory in stg or prod. This is something that we will need to do and plan.

@dustymabe yes I'll be around, feel free to ping me when you need me

Metadata Update from @dustymabe:
- Issue assigned to abompard
- Issue priority set to: Waiting on Reporter (was: Waiting on Assignee)

a month ago

Awesome! Thanks for working on this.

Though AFAICT, it's only handling org.fedoraproject.prod.coreos.build.request.artifacts-sign, not org.fedoraproject.prod.coreos.build.request.ostree-sign, right? (See https://github.com/coreos/fedora-coreos-tracker/issues/198#issuecomment-513944390). We'll need that one too to actually be able to bake signed OSTree commits inside the image artifacts.

@jlebon: you're correct, my bad, I've fixed it in this PR: robosignatory#32. Thanks.
