mkosi commit the issue has been seen with
baab5c5
Used host distribution
Arch Linux
Used target distribution
Arch Linux
Linux kernel version used
6.10.10-arch1-1
CPU architectures issue was seen on
x86_64
Unexpected behaviour you saw
Currently it is only possible to sign the SHA256SUMS file using gpg. However, gnupg is a complex thing to get working properly (see #3040) and also starts to diverge from OpenPGP compatibility in >=2.4.
Better, more simple (and stateless) alternatives for the "sign an artifact" use-case exist with Stateless OpenPGP (SOP). With rsop we even have a SOP implementation with smartcard support!
To that end, it would be great to extend the signing capabilities in mkosi by allowing to set a specific OpenPGP implementation (e.g. using an OpenPGPTool / --openpgp-tool option in the [Validation] section).
The Key option would then need to support setting either an OpenPGP fingerprint (in the case of gpg) or a path to a key (or certificate) in the case of SOP implementations.
Additionally, it would be good to rename the currently used options in the [Validation] section: Sign to OpenPGPSign and Key to OpenPGPKey (that way one could use several signing schemes in parallel, e.g. the ones discussed in #624).
Closing, I would like to add that .gpg is not a good signature suffix for OpenPGP signatures (e.g. .sig might be better as it is not OpenPGP implementation specific and indicates that it is a signature and not possibly a certificate or a keyring, etc.), but I guess that is currently somewhat fixed due to how sysupdate.d expects it. 🥲
Used mkosi config
[Output]
Format=disk
SplitArtifacts=yes

[Content]
Bootable=yes
Bootloader=systemd-boot
Hostname=arch
Packages=
        base
        linux
        nftables
        openssh
        systemd
UnifiedKernelImageFormat=%i-%v+&c
UnifiedKernelImages=yes

[Distribution]
Architecture=x86-64
Distribution=arch

[Host]
RuntimeScratch=no
RuntimeSize=12G

[Validation]
Checksum=yes
Key=<my-key-fingerprint>
Sign=yes
mkosi output
‣ Signing SHA256SUMS…
gpg: using "991F6E3F0765CF6295888586139B09DA5BF0D338" as default secret key for signing
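As an added illustration of the proposal above (example code written for this page, not mkosi's own code and not from the issue author), the following Python sketch shows how a mkosi-style [Validation] section using the proposed OpenPGPSign / OpenPGPTool / OpenPGPKey option names could pick a signing backend. It enforces the distinction the issue describes: the gpg backend needs a 40-hex-digit fingerprint of a key in its keyring, while a SOP implementation (sop, rsop, ...) needs a path to a key file and streams the data through stdin/stdout, producing a .sig rather than a .gpg file. The option names are the issue's proposal; the gpg and SOP command lines are assumptions modelled on those tools' CLIs (not mkosi's actual invocation); the parser is a simplified stand-in for mkosi's config parser; the key path is a placeholder and the fingerprint is the one from the gpg output shown above.

```python
"""Sketch (added example, not mkosi's code) of selecting an OpenPGP signing
backend from a mkosi-style [Validation] section, using the option names
proposed in the issue: OpenPGPSign, OpenPGPTool and OpenPGPKey (assumed names).
The gpg and SOP command lines below are assumptions modelled on those tools'
CLIs, not mkosi's real invocation."""
import configparser
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# A full OpenPGP v4 fingerprint is 40 hex digits; gpg selects keys by it.
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

# Constructed sample configs (the fingerprint is the one from the issue's
# gpg output; the key file path is a placeholder).
SAMPLE_GPG_CONFIG = """
[Validation]
Checksum=yes
OpenPGPSign=yes
OpenPGPTool=gpg
OpenPGPKey=991F6E3F0765CF6295888586139B09DA5BF0D338
"""

SAMPLE_SOP_CONFIG = """
[Validation]
Checksum=yes
OpenPGPSign=yes
OpenPGPTool=rsop
OpenPGPKey=/etc/mkosi/signing-key.pgp
"""


@dataclass
class SignPlan:
    argv: List[str]            # command to run
    signature: str             # signature file that will be produced
    stdin_file: Optional[str]  # SOP tools read the data from stdin; gpg takes a path


def parse_validation(text: str) -> configparser.SectionProxy:
    """Parse a mkosi-style INI snippet and return its [Validation] section
    (a simplified stand-in for mkosi's own config parser)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep CamelCase option names as written
    cp.read_string(text)
    return cp["Validation"]


def signing_command(section: configparser.SectionProxy,
                    checksum_file: str = "SHA256SUMS") -> Optional[SignPlan]:
    """Build the signing command for the configured backend, or return None
    when signing is off. Rejects a key value that does not fit the backend."""
    if section.get("OpenPGPSign", "no").lower() not in ("yes", "true", "1"):
        return None
    tool = section.get("OpenPGPTool", "gpg")
    key = section.get("OpenPGPKey", "")
    if not key:
        raise ValueError("OpenPGPKey must be set when OpenPGPSign=yes")

    if tool == "gpg":
        # gpg is stateful: the key lives in its keyring and is named by fingerprint.
        if not FINGERPRINT_RE.match(key):
            raise ValueError("gpg backend expects a 40-hex-digit fingerprint")
        sig = checksum_file + ".gpg"  # the suffix sysupdate.d currently expects
        argv = ["gpg", "--batch", "--detach-sign", "--local-user", key,
                "--output", sig, checksum_file]
        return SignPlan(argv, sig, None)

    # Anything else is treated as a SOP implementation (sop, rsop, sqop, ...):
    # `sop sign KEY < DATA > SIG` takes the secret key as a file, no keyring.
    if FINGERPRINT_RE.match(key):
        raise ValueError("SOP backend expects a path to a key file, not a fingerprint")
    sig = checksum_file + ".sig"  # implementation-neutral suffix, as the issue suggests
    return SignPlan([tool, "sign", key], sig, checksum_file)


def render(plan: SignPlan) -> str:
    """Shell-style rendering of the plan, useful for logging or a dry run."""
    cmd = shlex.join(plan.argv)
    if plan.stdin_file is not None:
        cmd += f" < {plan.stdin_file} > {plan.signature}"
    return cmd


if __name__ == "__main__":
    for cfg in (SAMPLE_GPG_CONFIG, SAMPLE_SOP_CONFIG):
        print(render(signing_command(parse_validation(cfg))))
```

Running the module prints the two planned command lines; the useful part for a reviewer is that a fingerprint handed to a SOP backend, or a file path handed to gpg, is rejected up front instead of surfacing as an opaque tool error during the build.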
I think this is a separate issue. SOP produces OpenPGP artifacts so systemd may verify it just fine with their existing gpg setup. Minisign would require changes on both ends.
I'm not saying it's a bad idea... just a little bit more complex.
wiktor-k added a commit to wiktor-k/mkosi that referenced this issue on Sep 30, 2024