From Fedora Project Wiki

Objective

Automatically and securely sign all of the different release artifacts that need to be signed.

Use Cases

In addition to the RPMs that we sign today, we need to be able to sign the following:

CHECKSUM Files

The checksum files are created by pungi. Whenever a compose is finished, a fedmsg pungi.compose.status.change is sent. The checksum files are only created for Rawhide and Branched images.

We use a command like:

 # /mnt/fedora_koji is an NFS mount of ntap-phx2-c01-fedora01-nfs.storage.phx2.redhat.com:/fedora_koji
 BASE=/mnt/fedora_koji/compose
 # RELEASEVER is rawhide or branched
 # COMPOSEID is a string like Fedora-23-20150607.n.9
 # KEY is the sigul key name; pass holds the passphrase argument that sigul expects
 # The glob must be quoted so the shell does not expand it before find sees it
 for checksum in $(find "$BASE/$RELEASEVER/$COMPOSEID/compose/" -name '*CHECKSUM'); do
   # Sign to a temp file first and only replace the original when every step succeeded
   cat "$checksum" >/tmp/sum &&
   NSS_HASH_ALG_SUPPORT=+MD5 sigul --batch sign-text -o /tmp/signed "$KEY" /tmp/sum $pass &&
   chmod 644 /tmp/signed &&
   sudo mv /tmp/signed "$checksum"
 done

Ideally, I think we pass in a compose and the signing box then finds and signs all of the CHECKSUM files.

OStree repo commits

This needs further investigation; however, it does need detached signatures. We need to evaluate how to add the commits to the ostree repo.

The commits might be signed with this script: https://pagure.io/releng/blob/master/f/scripts/push-two-week-atomic.py

Taiga ticket: http://taiga.fedorainfracloud.org/project/acarter-fedora-docker-atomic-tooling/us/193?no-milestone=1

repodata

To provide an extra layer of protection for users, and verification for the openh264 repo, we need to make detached signatures of repomd.xml:

 # sigul prompts for the key passphrase for each file unless run with --batch;
 # chmod only runs when signing succeeded, so a failed run leaves no stray .asc
 for file in $(find ~/24-openh264-20160422 -name repomd.xml); do
   NSS_HASH_ALG_SUPPORT=+MD5 sigul sign-data fedora-24 "$file" -o "$file.asc" && chmod 644 "$file.asc"
 done

Open questions: Where is the repo stored? Which script creates the repo? Is there a fedmsg event sent when the repo is done?

Signing interface

We need to have a way to request that something gets signed, and to determine how the signed things get written to disk.
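As an added illustration of such an interface (example code written for this page, not a releng script or anything from sigul): given a compose directory and a sigul key name, it finds the CHECKSUM files and repomd.xml files described in the sections above, builds the sigul invocations, and only moves a signature into place after sigul succeeded, so a failed signing never replaces an artifact. The sigul subcommand names and the in-place/detached conventions come from the page; the directory layout, the key name fedora-23 and the offline stand-in for sigul (fake_sigul) are constructed for the example.

```python
import os
import subprocess
import tempfile

def plan_jobs(compose_dir, key):
    """Walk a compose tree; return (sigul argv, temp output, final path) per artifact."""
    jobs = []
    for root, _dirs, files in os.walk(compose_dir):
        for name in files:
            path = os.path.join(root, name)
            if name.endswith("CHECKSUM"):      # clearsigned in place (sign-text)
                sub, tmp_out, final = "sign-text", path + ".tmp", path
            elif name == "repomd.xml":         # detached signature beside it (sign-data)
                sub, tmp_out, final = "sign-data", path + ".asc.tmp", path + ".asc"
            else:                              # anything else is not a signing target
                continue
            jobs.append((["sigul", "--batch", sub, "-o", tmp_out, key, path], tmp_out, final))
    return sorted(jobs, key=lambda job: job[2])   # os.walk order is not deterministic

def sign_compose(compose_dir, key, run=subprocess.check_call):
    """Sign every planned artifact; output only lands after sigul reported success."""
    signed = []
    for argv, tmp_out, final in plan_jobs(compose_dir, key):
        run(argv)                   # raises on failure, so nothing gets replaced
        os.chmod(tmp_out, 0o644)    # the page's chmod 644
        os.replace(tmp_out, final)  # atomic, like the page's mv /tmp/signed $checksum
        signed.append(final)
    return signed

def make_sample_compose(base):
    """Constructed sample tree (not a real compose) mirroring pungi's layout; README is a non-target."""
    compose = os.path.join(base, "Fedora-23-20150607.n.9", "compose")
    for rel in ("Workstation/x86_64/iso/Fedora-Workstation-23-x86_64-CHECKSUM",
                "Server/x86_64/os/repodata/repomd.xml", "Server/x86_64/os/Packages/README"):
        os.makedirs(os.path.dirname(os.path.join(compose, rel)), exist_ok=True)
        with open(os.path.join(compose, rel), "w") as fh:
            fh.write("sample content for " + rel + "\n")
    return compose

def fake_sigul(argv):
    """Offline stand-in for sigul so the example runs anywhere: copies the input to the '-o' path."""
    with open(argv[-1]) as src, open(argv[argv.index("-o") + 1], "w") as dst:
        dst.write("-----BEGIN PGP SIGNED MESSAGE-----\n" + src.read())

def demo():
    """Build the sample tree, sign it with the stand-in, return (relpath, first line) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        compose = make_sample_compose(tmp)
        return [(os.path.relpath(p, compose), open(p).read().splitlines()[0])
                for p in sign_compose(compose, "fedora-23", run=fake_sigul)]
```

demo() signs the constructed tree under a temporary directory; on a real signing host you would call sign_compose with the compose path and the default subprocess runner instead of fake_sigul.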

Hardware

We have a physical box. The thinking is that the passwords for a sigul user will be stored on the box, which will only be accessible by serial console and only to a limited set of users. The service will proxy signing requests, possibly authenticating via SSL cert, fedmsg, or some other method.