From Fedora Project Wiki

Revision as of 20:25, 24 August 2016 by Puiterwijk (talk | contribs) (initial stuff and atomic)

This is a proposal for how to implement automatic signing of deliverables.

Everything revolves around an autosign box that has a configured sigul two-way secure passphrase, with a bit of code running inside the fedmsg-hub.

The implementation for each kind of deliverable follows:

RPM-OSTree/Atomic

For RPM-OSTree, we would emit a fedmsg once the Atomic compose finishes, carrying the checksum of the new commit. We would also change the ref that atomic-composer attaches commits to: in the treefile, we would change ref from fedora-atomic/24/x86_64/docker-host to fedora-atomic-candidate/24/x86_64/docker-host.

At that moment, the autosigner retrieves the commit object, passes it through sigul to be signed, and then updates the final ref to point to the new commit. This would mean that the current "fedora-atomic/24/x86_64/docker-host" ref is always signed.
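The candidate-to-final promotion described above, as an added example that is not Fedora infrastructure code: the OSTree repo, the fedmsg body and the sigul call are modelled in memory so the decision logic can be read on its own. The message keys, the `sign` callable and the ref prefixes are assumptions.

```python
"""Autosigner promotion logic (added example; repo and signer modelled in memory)."""
import hashlib

# Ref the composer writes to (assumed) and the ref clients actually consume.
CANDIDATE_PREFIX = "fedora-atomic-candidate/"
FINAL_PREFIX = "fedora-atomic/"


class SigningError(Exception):
    """Raised when the final ref must not move."""


def final_ref_for(candidate_ref):
    """Map a candidate ref to the final ref; anything else is refused."""
    if not candidate_ref.startswith(CANDIDATE_PREFIX):
        raise ValueError("not a candidate ref: %s" % candidate_ref)
    return FINAL_PREFIX + candidate_ref[len(CANDIDATE_PREFIX):]


def promote(repo, msg, sign):
    """Sign the commit named in the compose message, then move the final ref.

    repo: {"refs": {ref: commit}, "objects": {commit: bytes}, "signatures": {}}
    msg:  assumed fedmsg body {"ref": candidate ref, "commit": sha256 checksum}
    sign: callable(commit object bytes) -> signature, standing in for sigul
    Returns the final ref that was updated.
    """
    ref, commit = msg["ref"], msg["commit"]
    final_ref = final_ref_for(ref)
    # The message is untrusted input: only act on what the repo really points at.
    if repo["refs"].get(ref) != commit:
        raise SigningError("candidate ref %s does not point at %s" % (ref, commit))
    obj = repo["objects"][commit]
    # OSTree object names are sha256 checksums; check before signing anything.
    if hashlib.sha256(obj).hexdigest() != commit:
        raise SigningError("commit object does not match checksum %s" % commit)
    repo["signatures"][commit] = sign(obj)
    # Only once the signature exists does the final ref move to the new commit.
    repo["refs"][final_ref] = commit
    return final_ref


def demo_repo():
    """Constructed sample repo: one unsigned commit on the candidate ref."""
    obj = b"constructed commit object for docker-host"
    commit = hashlib.sha256(obj).hexdigest()
    return {
        "refs": {CANDIDATE_PREFIX + "24/x86_64/docker-host": commit},
        "objects": {commit: obj},
        "signatures": {},
    }, commit
```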