From Fedora Project Wiki

Revision as of 09:10, 25 August 2016 by Puiterwijk (talk | contribs)

This is a proposal for how to implement automatic signing of deliverables.

It all works around an autosign box that has a configured sigul two-way secure passphrase, with a bit of code running inside the fedmsg-hub.

A two-way secure passphrase means that the passphrase used for automatic signing is tied to the hardware of both the sigul vault and the autosigning box. For this, a local TPM and/or a local YubiKey is used to encrypt the passphrase, so that if the hardware it is tied to is removed or unavailable, the passphrase becomes unusable. This protects the passphrases from being used anywhere other than on the dedicated machines.

For the various deliverables, the proposed implementations follow:

RPM-OSTree/Atomic

For RPM-OSTree, we would add a fedmsg notification, carrying the new checksum, that is sent once the atomic compose is done, to initiate signing. The atomic compose would be changed to output the compose to a new candidate tag; once the atomic compose has been signed by the autosigner, the output would be tagged to fedora-atomic/24/x86_64/docker-host.

At that moment, the autosigner retrieves the commit object, passes it through sigul to be signed, and then updates the final tag to point to the new commit. This means that the current "fedora-atomic/24/x86_64/docker-host" tag is always signed.


Bodhi pushes

Currently, bodhi-push sends a masher.start fedmsg message, which triggers the masher to push everything out. Instead, we could send an autosign.request message, which triggers the autosigning box to sign everything listed in the updates= field, after which it fires off the masher.start message itself.


Rawhide

Rawhide doesn't go through bodhi. What we could do instead is create a separate rawhide-candidate tag and have the autosigner listen for build.tag messages for rawhide. As soon as a build gets tagged into rawhide-candidate, the autosigner could sign it and then move it to the rawhide tag.
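As an added illustration of the Bodhi and Rawhide flows above (example code, not part of this proposal or of any Fedora infrastructure code), the dispatcher below models the autosigner's decision logic: only builds landing in the candidate tag are promoted, a build is never moved to the final tag unless signing succeeded, and masher.start is only emitted after every update has been signed. The fedmsg topic suffixes, message field names, tag names and the sign/tag/publish callbacks are assumptions.

```python
# Added example: a minimal model of the autosigner's fedmsg-hub consumer logic.
# Tag names, topic suffixes, message fields and callbacks are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

CANDIDATE_TAG = "rawhide-candidate"  # assumed candidate tag from the proposal
FINAL_TAG = "rawhide"


@dataclass
class Autosigner:
    sign: Callable[[str], bool]            # sign one build/update via sigul; True on success
    tag: Callable[[str, str], None]        # move a build to a koji tag (assumed helper)
    publish: Callable[[str, Dict], None]   # emit a fedmsg message (assumed helper)
    log: List[str] = field(default_factory=list)

    def handle(self, topic: str, msg: Dict) -> str:
        """Dispatch one fedmsg message; returns what was done."""
        if topic.endswith("buildsys.tag"):
            return self._handle_tag(msg)
        if topic.endswith("autosign.request"):
            return self._handle_bodhi(msg)
        return "ignored"

    def _handle_tag(self, msg: Dict) -> str:
        # Rawhide flow: react only to builds tagged into the candidate tag.
        if msg.get("tag") != CANDIDATE_TAG:
            return "ignored"
        build = msg["build"]
        if not self.sign(build):
            # Signing failed: the build stays in the candidate tag, unsigned
            # content must never reach the final tag.
            self.log.append(f"sign failed: {build}")
            return "failed"
        self.tag(build, FINAL_TAG)
        return "promoted"

    def _handle_bodhi(self, msg: Dict) -> str:
        # Bodhi flow: sign everything in updates=, then fire masher.start.
        updates = msg.get("updates", [])
        failed = [u for u in updates if not self.sign(u)]
        if failed:
            # Any unsigned update blocks the push; the masher is not started.
            self.log.append(f"sign failed: {failed}")
            return "failed"
        self.publish("masher.start", {"updates": updates})
        return "pushed"
```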