Edits by Puiterwijk (talk | contribs): "initial stuff and atomic"; "updates pushes".
Revision as of 20:29, 24 August 2016
This is a proposal for how to implement automatic signing of deliverables.
It all revolves around an autosign box that holds a configured sigul two-way secure passphrase, with a bit of code running inside the fedmsg-hub.
The implementation for each kind of deliverable follows:
RPM-OStree/Atomic
For RPM-OSTree, we would add a fedmsg once the atomic compose finishes, carrying the checksum of the new commit. We would also change the ref that atomic-composer commits to: in the treefile, we would change ref from fedora-atomic/24/x86_64/docker-host to fedora-atomic-candidate/24/x86_64/docker-host.
At that moment, the autosigner retrieves the commit object, has it signed through sigul, and then updates the final ref to point to the new commit. This would mean that the current "fedora-atomic/24/x86_64/docker-host" ref only ever points at a signed commit.
Bodhi pushes
Currently, bodhi-push sends a masher.start fedmsg message (https://github.com/fedora-infra/bodhi/blob/develop/bodhi/push.py#L125), which gets the masher to push everything out. Instead, we could send an autosign.request message, which triggers the autosigning box to sign everything in the updates= field, after which it fires off the masher.start message.
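The dispatch logic for both flows above (the atomic candidate-ref handoff and the bodhi autosign.request hop), written out as an added sketch that is not Fedora's code. The topic name ".atomic.compose.complete", the message fields "ref", "checksum" and "updates", and the injected callables for ref lookup, sigul signing, ref update and fedmsg sending are assumptions; the point is that the final ref is moved, and masher.start is sent, only after signing has succeeded.

```python
import re

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")
CANDIDATE = "fedora-atomic-candidate/"  # ref atomic-composer writes to
FINAL = "fedora-atomic/"                # ref that must only ever point at signed commits

class AutoSigner:
    """Dispatch for the two message kinds in the proposal. Ref lookup, sigul signing,
    ref update and fedmsg sending are injected callables (an assumption of this sketch)."""
    def __init__(self, resolve_ref, sign_commit, update_ref, sign_update, send_fedmsg):
        self.resolve_ref, self.sign_commit, self.update_ref = resolve_ref, sign_commit, update_ref
        self.sign_update, self.send_fedmsg = sign_update, send_fedmsg

    def handle(self, topic, body):
        if topic.endswith(".atomic.compose.complete"):  # hypothetical topic name
            return self.handle_atomic(body)
        if topic.endswith(".autosign.request"):
            return self.handle_bodhi(body)
        return None  # every other topic is ignored

    def handle_atomic(self, body):
        ref, checksum = body["ref"], body["checksum"]
        if not ref.startswith(CANDIDATE) or not HEX_SHA256.match(checksum):
            raise ValueError("refusing to sign: not a candidate ref or malformed checksum")
        # The message is untrusted input: sign only what the candidate ref actually points at.
        if self.resolve_ref(ref) != checksum:
            raise ValueError("candidate ref does not match the announced commit")
        self.sign_commit(checksum)            # sigul call; raises on failure
        final_ref = FINAL + ref[len(CANDIDATE):]
        self.update_ref(final_ref, checksum)  # reached only after a successful signature
        return final_ref

    def handle_bodhi(self, body):
        updates = list(body.get("updates", []))
        for update in updates:
            self.sign_update(update)          # any failure aborts before masher.start
        self.send_fedmsg("masher.start", {"updates": updates})
        return updates

def demo():
    # Constructed sample state: an in-memory "repo" and a log of side effects.
    repo = {CANDIDATE + "24/x86_64/docker-host": "ab" * 32}
    log = []
    signer = AutoSigner(repo.get, lambda c: log.append(("sign-ostree", c)), repo.__setitem__,
                        lambda u: log.append(("sign-update", u)), lambda t, b: log.append((t, b)))
    final = signer.handle("org.fedoraproject.prod.atomic.compose.complete",
                          {"ref": CANDIDATE + "24/x86_64/docker-host", "checksum": "ab" * 32})
    signer.handle("org.fedoraproject.prod.bodhi.autosign.request", {"updates": ["FEDORA-2016-example"]})
    return repo, log, final
```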