#8888 Sign Fedora CoreOS OSTree commits and artifacts with the fedora-30 key
Closed: Fixed 4 years ago by jlebon. Opened 4 years ago by jlebon.

  • Describe the issue

RoboSignatory recently gained support for signing OSTree commits and artifacts via fedora-messaging. This is to enable automated signing for Fedora CoreOS.

We would like the signing key to be the primary Fedora one corresponding to the version on which FCOS currently sits. So right now, that's the fedora-30 key.

Of course, once FCOS switches to f31 shortly after GA, we'll want to move to fedora-31 as well. One suggestion there is to teach RoboSignatory to derive the right signing key from the OSTree commit version. But that's something we can work on later (in the worst case, bumping a config every 6 months isn't that bad).

This request is just for switching the RoboSignatory config to use the fedora-30 key.

  • When do you need this? (YYYY/MM/DD)

Soon. :)

  • When is this no longer needed or useful? (YYYY/MM/DD)

Never

  • If we cannot complete your request, what is the impact?

We'd have to sign with a dedicated FCOS key, increasing maintenance load and complexity.
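The description above suggests deriving the signing key from the OSTree commit version rather than hard-coding it. As an added illustration (not RoboSignatory code), the snippet below derives a `fedora-NN` key name from an FCOS version string, assuming the format `NN.YYYYMMDD.S.R` where the first component is the Fedora release, and checks it against the `key` in the `[consumer_config.coreos]` table of a constructed config fragment.

```python
import re
from typing import Optional

# FCOS version strings look like "30.20191014.3.0"; the first component is
# assumed to be the Fedora major release the stream is built from.
_VERSION_RE = re.compile(r"^(\d+)\.(\d{8})\.(\d+)\.(\d+)$")
_TABLE_RE = re.compile(r"^\s*\[([\w.]+)\]\s*$")
_KEY_RE = re.compile(r'^\s*key\s*=\s*"([^"]*)"\s*$')


def signing_key_for_version(version: str) -> str:
    """Derive the Fedora release signing key name from an FCOS commit version."""
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"not an FCOS version string: {version!r}")
    return f"fedora-{int(m.group(1))}"


def configured_coreos_key(config_text: str) -> Optional[str]:
    """Return the `key` value under [consumer_config.coreos], or None if absent.

    A line scanner is used instead of a TOML parser because the file is a
    Jinja2 template ({{ ... }} values) and is not valid TOML before rendering.
    """
    table = None
    for line in config_text.splitlines():
        t = _TABLE_RE.match(line)
        if t:
            table = t.group(1)
            continue
        k = _KEY_RE.match(line)
        if k and table == "consumer_config.coreos":
            return k.group(1)
    return None


def key_matches_version(config_text: str, version: str) -> bool:
    """True if the configured key is the release key for this commit version."""
    return configured_coreos_key(config_text) == signing_key_for_version(version)


# Constructed fragment mirroring the post-patch template shown in the ticket.
SAMPLE_CONFIG = """\
[consumer_config.coreos]
bucket = "fcos-builds"
key = "fedora-30"

    [consumer_config.coreos.aws]
    access_key = "{{ fcos_builds_releng_aws_access_id }}"
"""

if __name__ == "__main__":
    print(key_matches_version(SAMPLE_CONFIG, "30.20191014.3.0"))  # True
    print(key_matches_version(SAMPLE_CONFIG, "31.20191217.3.0"))  # False
```

A mismatch on the second call is exactly the situation the ticket anticipates after the f31 rebase, so a check like this can flag a stale config before a commit is signed with the wrong release key.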


IIUC, the actual patch for this is trivial:

diff --git a/roles/robosignatory/templates/robosignatory.toml.j2 b/roles/robosignatory/templates/robosignatory.toml.j2
index dd2ca2578..b2e1e2d78 100644
--- a/roles/robosignatory/templates/robosignatory.toml.j2
+++ b/roles/robosignatory/templates/robosignatory.toml.j2
@@ -450,7 +450,7 @@ handlers = ["console"]

     [consumer_config.coreos]
     bucket = "fcos-builds"
-    key = "coreos"
+    key = "fedora-30"

         [consumer_config.coreos.aws]
         access_key = "{{ fcos_builds_releng_aws_access_id }}"
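Review bot: the new `key = "fedora-30"` line hard-codes the release key, so this template will need another edit when FCOS rebases to f31, as the ticket description itself notes; consider adding a comment above the line naming the Fedora release it tracks, or sourcing the value from a per-stream variable, so the rotation is not missed when the stream moves on.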

But before doing that, we want to make sure everyone is in agreement.

I am +:100: to this change

It's going to take a freeze break if we want to do this now... or can it wait until after f31 release?

This is fixed now, thanks all!

Metadata Update from @jlebon:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
