The Fedora CoreOS team would like to pass our image and OSTree commit artifacts to the Fedora Infrastructure signing server so that they can be signed using the trusted setup designed by the Fedora Infrastructure team.
As part of this we will have OSTree commits that need to be signed as well as Fedora CoreOS image artifacts.
For the OSTree commits Fedora already knows how to sign these as it is already being done for Atomic Host, Silverblue and IoT. However, since the Fedora CoreOS build infrastructure is not currently inside of Fedora (currently in CentOS CI) we'll need to slightly modify the way the commit signatures are passed back to the FCOS build process so that it can then be embedded in the images during build.
See related ticket: https://github.com/coreos/fedora-coreos-tracker/issues/200
Work items:
For the Fedora CoreOS image artifacts we have established that we would like to sign the artifacts themselves and deliver a detached signature. For example fedora-coreos.iso would be delivered along with a fedora-coreos.iso.sig that could then be verified with gpg --verify. In a recent Fedora Infrastructure meeting it was determined that this proposal for signing artifacts directly and delivering detached signatures is feasible and should work fine with the existing signing server infrastructure.
That being said there is some work that needs to be done:
Members of the Fedora CoreOS team are willing to help work on the Fedora Infra pieces if given guidance. I think either robosig or sigul (can't remember which one) were said to be in the process of a rewrite and to hold off on sending patches for now.
cc @puiterwijk - please correct any misstatements above ^^
Ideally the artifacts wouldn't be publicly accessible at the time they are signed, so also:
@puiterwijk indicated in the Fedora Infrastructure meeting that this should be doable.
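As an added illustration of the delivery model described in the ticket (fedora-coreos.iso alongside a detached fedora-coreos.iso.sig), the script below is example code, not from the ticket, the FCOS pipeline or Fedora infra: it stands in for the signing server with a locally generated throwaway key, then shows the consumer-side check passing on the untouched artifact and failing once the artifact is tampered with or the .sig is missing. It uses gpgv with an explicit keyring rather than a bare gpg --verify so that only the expected key can validate a signature; it assumes gpg and gpgv are installed.

```shell
#!/usr/bin/env bash
# Added example (not code from the ticket or from Fedora infra): verify
# fedora-coreos.iso against its detached fedora-coreos.iso.sig using only a
# known keyring, and see what a tampered artifact or missing .sig looks like.
# The signing key and the "ISO" are constructed locally so this runs offline.
set -eu

# verify_artifact KEYRING ARTIFACT
# Succeeds only if ARTIFACT.sig is a good signature over ARTIFACT by a key in
# KEYRING. gpgv is the verification-only tool: it consults no default keyring
# and no web of trust, so an unexpected key can never make a signature "good".
verify_artifact() {
    local keyring="$1" artifact="$2" sig="$2.sig"
    if [ ! -f "$sig" ]; then
        echo "missing detached signature: $sig" >&2
        return 1
    fi
    if gpgv --keyring "$keyring" "$sig" "$artifact" 2>/dev/null; then
        echo "good signature: $artifact" >&2
        return 0
    fi
    echo "BAD signature: $artifact" >&2
    return 1
}

# Non-interactive gpg: batch mode, no pinentry, empty passphrase on the throwaway key.
gpgq() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# make_signed_artifact DIR
# Constructed stand-in for the signing server: a throwaway key in an isolated
# GNUPGHOME, a fake ISO, its detached signature, and an exported public keyring.
make_signed_artifact() {
    local dir="$1"
    export GNUPGHOME="$dir/gnupg"
    mkdir -p -m 700 "$GNUPGHOME"
    gpgq --quick-generate-key 'FCOS Example <example@example.invalid>' default default
    printf 'pretend this is an ISO image\n' > "$dir/fedora-coreos.iso"
    gpgq --yes --detach-sign --output "$dir/fedora-coreos.iso.sig" "$dir/fedora-coreos.iso"
    gpg --batch --quiet --export > "$dir/keyring.gpg"   # only the public key leaves the "server"
}

demo() {
    command -v gpgv >/dev/null || { echo "gpg/gpgv not installed; skipping demo" >&2; return 0; }
    local dir; dir=$(mktemp -d)
    make_signed_artifact "$dir"
    verify_artifact "$dir/keyring.gpg" "$dir/fedora-coreos.iso"            # good signature
    printf 'x' >> "$dir/fedora-coreos.iso"                                  # tamper with the artifact
    verify_artifact "$dir/keyring.gpg" "$dir/fedora-coreos.iso" || true     # BAD signature
    gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$dir"
}
demo
```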
Metadata Update from @dustymabe: - Issue priority set to: Next Meeting (was: Needs Review)
We are planning to try to release the first preview of FCOS in early July, which is realistically before this project will be completed. We discussed this in the infra meeting today and it is possible that for the first release or two we can use a manual signing process (via ticket requests to infra) for the artifacts we'd like to release.
Obviously manual signing is not what either the coreos teams or the infra teams want so we both have incentive to close the gap as soon as we both can.
This work has been triaged and discussed with Sanja and Leigh. There are some ongoing actions we need to wrap up first. We'll plan for the week of July 22 for the automation work, but we'll handle manual signing as needed until then.
thanks @jperrin
Just tagging myself here to reaffirm that we are committed to this as a priority; for any issues, just ping me on Google Chat preferably or IRC (lgriffin).
Metadata Update from @smooge: - Issue priority set to: Waiting on Assignee (was: Next Meeting)
Any updates? We can continue signing manually for now, but it'd be good to get this squared away.
I think this is mostly dependent on https://pagure.io/fedora-infrastructure/issue/7940 at this point and us actually implementing the code that sends signing requests via fedora-messaging and integrating it into our pipeline.
> Any updates? We can continue signing manually for now, but it'd be good to get this squared away.
> I think this is mostly dependent on https://pagure.io/fedora-infrastructure/issue/7940 at this point and us actually implementing the code that sends signing requests via fedora-messaging and integrating it into our pipeline.
That is the FCOS team side of the proposal in the description, right? There are several fedora-infra pieces including some code changes to robosignatory that were listed out too. We'll need to work on both sides and then collaborate closely in to wire them up to each other I think.
@abompard can you confirm our side is done on this? That was my understanding.
Yes I think so, the Robosignatory bit has been written and merged: https://pagure.io/robosignatory/pull-request/25
wow. had no idea. @jlebon and I will review and work on integrating the pieces.
@dustymabe let me know if there is anything else you need from our team, if not, let's close this out and clear it off our backlog!
@lgriffin - we'll let you know early next week. We need to process this a bit and try to wire it up. Probably will be a bit of collaboration back and forth. @abompard are you around early next week in case we have issues or want to talk?
Just as a side note we still haven't deployed this version of robosignatory in stg or prod. This is something that we will need to do and plan.
@dustymabe yes I'll be around, feel free to ping me when you need me
Metadata Update from @dustymabe: - Issue assigned to abompard - Issue priority set to: Waiting on Reporter (was: Waiting on Assignee)
Awesome! Thanks for working on this.
Though AFAICT, it's only handling org.fedoraproject.prod.coreos.build.request.artifacts-sign, not org.fedoraproject.prod.coreos.build.request.ostree-sign, right? (See https://github.com/coreos/fedora-coreos-tracker/issues/198#issuecomment-513944390). We'll need that one too to actually be able to bake signed OSTree commits inside the image artifacts.
@jlebon: you're correct, my bad, I've fixed it in this PR: robosignatory#32. Thanks.
ok, as far as I know this is done and now in prod and working?
Please reopen if there's anything further to do here.
:musical_score:
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Yes, this is all working now. :tada: Thanks again all!