-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure OSTrees are signed with the right key #296
Comments
I started an SOP in coreos/fedora-coreos-config#200 and included that there. |
+1 for |
1 similar comment
+1 for |
for
|
Yes, I think so. I guess we could also make it part of the message so that RoboSignatory doesn't have to learn our versioning scheme. But it's not like we're going to change it very often either. |
Proposed fix: https://pagure.io/robosignatory/pull-request/46# |
I already ran the stable build (last f31) so a stopgap until we can get https://pagure.io/robosignatory/pull-request/46# merged is https://pagure.io/fedora-infra/ansible/pull-request/102, which was merged. I'm running a |
The signing seemed to sign with the Fedora 32 key. The OSTree commit:
and the artifacts:
|
This work is now complete! See https://pagure.io/fedora-infrastructure/issue/8962 |
RoboSignatory knows how to do this now: coreos/fedora-coreos-tracker#296
RoboSignatory knows how to do this now: https://pagure.io/robosignatory/pull-request/46 See also: coreos/fedora-coreos-tracker#296
Now that RoboSignatory knows to auto-select the right GPG key to use for signing, we can be more strict here when verifying signatures and use the specific key matching the release version. See also: coreos/fedora-coreos-tracker#296
Nice work on this Dusty! Follow-ups to this in coreos/fedora-coreos-config#487 and coreos/coreos-assembler#1552 (for 1.). |
RoboSignatory knows how to do this now: https://pagure.io/robosignatory/pull-request/46 See also: coreos/fedora-coreos-tracker#296
Now that RoboSignatory knows to auto-select the right GPG key to use for signing, we can be more strict here when verifying signatures and use the specific key matching the release version. See also: coreos/fedora-coreos-tracker#296
Now that RoboSignatory knows to auto-select the right GPG key to use for signing, we can be more strict here when verifying signatures and use the specific key matching the release version. See also: coreos/fedora-coreos-tracker#296
This is a follow-up to #187.
There, we decided that we want OSTree commits signed with the primary key of the Fedora release from which the OSTree commit sourced its content.
There were some follow-up items from that:
The text was updated successfully, but these errors were encountered: