Ensure OSTrees are signed with the right key

[jlebon]

This is a follow-up to #187.

There, we decided that we want OSTree commits signed with the primary key of the Fedora release from which the OSTree commit sourced its content.

There were some follow-up items from that:

1. we should check at build time that the commit was signed with the right key
2. we should make bumping the RoboSignatory config part of the SOP for bumping versions
3. we should consider teaching RoboSignatory the OSTree versioning scheme so (2) is not necessary

[jlebon]

we should make bumping the RoboSignatory config part of the SOP for bumping versions

I started an SOP in coreos/fedora-coreos-config#200 and included that there.

[dustymabe]

+1 for 3. It should be as simple as matching the first field (i.e. 32.20200416.1.0 is for Fedora 32)

[dustymabe]

+1 for 3. It should be as simple as matching the first field (i.e. 32.20200416.1.0 is for Fedora 32)

[dustymabe]

for 3 would this be as simple as matching against the first two digits of our version (the numbers before the first .)?

• 32.20200505.1.0 -> sign with f32 key
• 31.20200420.3.0 -> sign with f31 key

[jlebon]

for 3 would this be as simple as matching against the first two digits of our version (the numbers before the first .)?

Yes, I think so. I guess we could also make it part of the message so that RoboSignatory doesn't have to learn our versioning scheme. But it's not like we're going to change it very often either.

[dustymabe]

Proposed fix: https://pagure.io/robosignatory/pull-request/46#

[dustymabe]

I already ran the stable build (last f31) so a stopgap until we can get https://pagure.io/robosignatory/pull-request/46# merged is https://pagure.io/fedora-infra/ansible/pull-request/102, which was merged. I'm running a testing-devel now to confirm it gets signed with the right key.

[dustymabe]

The signing seemed to sign with the Fedora 32 key. The OSTree commit:

$ sudo rpm-ostree status 
State: idle
Deployments:
  ostree://fedora-compose:fedora/x86_64/coreos/testing-devel
                   Version: 32.20200531.20.0 (2020-06-01T21:01:28Z)
                    Commit: d6413f393bfceb413232c290ac8ab3a5420bd7db0a2e41fed19e8495947cc8d9
              GPGSignature: Valid signature by 97A1AE57C3A2372CCA3A4ABA6C13026D12C944D0
                      Diff: 355 upgraded, 1 downgraded, 6 removed, 5 added

● ostree://fedora:fedora/x86_64/coreos/testing
                   Version: 31.20200517.2.0 (2020-05-19T10:24:32Z)
                    Commit: 5c3f8198e72a05adab4eb7d087ef3a625008dcc73bd0416a444cdce084278587
              GPGSignature: Valid signature by 7D22D5867F2A4236474BF7B850CB390B3C3359C4

  ostree://fedora:fedora/x86_64/coreos/testing
                   Version: 31.20200505.2.1 (2020-05-13T23:33:50Z)
                    Commit: a047a3c97511d242bab1a9c136debcf1cf47981bea9deb7affa38fb202dae0b3
              GPGSignature: Valid signature by 7D22D5867F2A4236474BF7B850CB390B3C3359C4

and the artifacts:

$ gpg2 --verify fedora-coreos-32.20200531.20.0-qemu.x86_64.qcow2.xz.sig
gpg: assuming signed data in 'fedora-coreos-32.20200531.20.0-qemu.x86_64.qcow2.xz'
gpg: Signature made Mon Jun  1 18:42:47 2020 EDT
gpg:                using RSA key 6C13026D12C944D0
gpg: Good signature from "Fedora (32) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 97A1 AE57 C3A2 372C CA3A  4ABA 6C13 026D 12C9 44D0

[dustymabe]

This work is now complete! See https://pagure.io/fedora-infrastructure/issue/8962

[jlebon]

Nice work on this Dusty! Follow-ups to this in coreos/fedora-coreos-config#487 and coreos/coreos-assembler#1552 (for 1.).