Currently we're manually requesting releng to sign binaries during our upstream release processes for some of our projects. See e.g. https://pagure.io/releng/issue/10099. We'd like to replace that with an automated system which uses Robosignatory + fedmsgs.
In fact, the current org.fedoraproject.prod.coreos.artifacts-sign message mostly fits the bill and we could re-use it though it was originally designed for signing image artifacts in FCOS builds (e.g. there's the build_id field which Robosignatory uses to determine the signing key which we could hack up).
org.fedoraproject.prod.coreos.artifacts-sign
build_id
Overall, I think it'd be cleaner to have a separate message for this (possibly not even have it be a org.fedoraproject.prod.coreos topic since it seems like it shouldn't just be a CoreOS-specific thing). Though we can also hackily reuse the artifacts-sign message if preferred.
org.fedoraproject.prod.coreos
artifacts-sign
Thoughts?
I'm going to look at this, and will get back to you later.
Hey @puiterwijk, following up to see if there has been any progress or updates :smile:
We're still very interested in this, and probably willing to contribute a patch for it if there's overall agreement on whether such a feature is desirable.
@puiterwijk Any thoughts on this? Would you accept a patch which adds support for this?
Hey @jlebon , is this still relevant?
Hi @abompard, yes this is still relevant. We're still currently manually submitting releng tickets for signing release artifacts (recent example).
Cool! I can have a look at a PR if you want to submit one (as long as @puiterwijk is fine with this).
Login to comment on this ticket.