From Fedora Project Wiki
Revision as of 20:34, 24 August 2016

This is a proposal for how to implement automatic signing of deliverables.

It all works around an autosign box that has a configured sigul two-way secure passphrase, with a bit of code running inside the fedmsg-hub.

A two-way secure passphrase means that the passphrase used for automatic signing is tied to the hardware of both the sigul vault and the autosigning box. For this, a local TPM and/or a local yubikey is used to encrypt the passphrase, so that if the hardware it is tied to is removed or unavailable, the passphrase becomes unusable. This protects the passphrases from being used anywhere other than on the dedicated machines.

For the various deliverables, the ways of implementing follow:

RPM-OStree/Atomic

For RPM-OSTree, we would be adding a fedmsg after the atomic compose is done, together with the new checksum. We would also change the ref that atomic-composer commits to: in the treefile, we would change ref from fedora-atomic/24/x86_64/docker-host to fedora-atomic-candidate/24/x86_64/docker-host.

At that moment, the autosigner retrieves the commit object, puts that through sigul to get signed, and then updates the final tag to point to the new commit. This would mean that the current "fedora-atomic/24/x86_64/docker-host" tag is always signed.


Bodhi pushes

Currently, bodhi-push sends a masher.start fedmsg message, which causes the masher to push everything out. Instead, we could send an autosign.request message, which triggers the autosigning box to sign everything in the updates= field, after which it fires off the masher.start message.


Rawhide

Rawhide doesn't go through bodhi. What we could instead do is make a separate rawhide-candidate tag, and have the autosigner listen for build.tag messages for rawhide. As soon as a build gets tagged into rawhide-candidate, it could sign it and then move it to the rawhide tag.
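The three triggers above (RPM-OSTree compose, bodhi push, rawhide-candidate tagging) share one shape: sign the candidate artifact first, then promote it or announce it. The dispatcher below is an added illustration, not code from the proposal or from fedmsg; the exact topic names, message fields and the "atomic.compose.done" message are assumptions, and the Actions record stands in for the real sigul and koji calls.

```python
"""Added example: route the fedmsg triggers from the proposal to sign-then-promote
steps. Topic suffixes and message fields are assumed for illustration."""
from dataclasses import dataclass, field

CANDIDATE_TAG = "rawhide-candidate"   # candidate tag from the proposal
FINAL_TAG = "rawhide"                 # tag that must only ever hold signed builds


@dataclass
class Actions:
    """Record of what the autosigner would do (stand-in for sigul/koji calls)."""
    signed: list = field(default_factory=list)      # artifacts sent to sigul
    promoted: list = field(default_factory=list)    # (artifact, final tag/ref)
    emitted: list = field(default_factory=list)     # fedmsg topics fired afterwards


def handle(msg, act=None):
    """Dispatch one fedmsg-style dict {"topic": ..., "msg": {...}}.

    Every branch signs before it promotes or announces, so a tag or ref that
    downstream consumers trust is never advanced to unsigned content.
    """
    act = act or Actions()
    topic, body = msg["topic"], msg["msg"]
    if topic.endswith("buildsys.tag") and body.get("tag") == CANDIDATE_TAG:
        # Rawhide: sign the candidate build, then move it to the rawhide tag.
        act.signed.append(body["build"])
        act.promoted.append((body["build"], FINAL_TAG))
    elif topic.endswith("autosign.request"):
        # Bodhi push: sign every update listed, then let the masher start.
        act.signed.extend(body["updates"])
        act.emitted.append("masher.start")
    elif topic.endswith("atomic.compose.done"):  # assumed topic for the new compose message
        # RPM-OSTree: sign the candidate commit, then point the final ref at it.
        final_ref = body["ref"].replace("-candidate", "", 1)
        act.signed.append(body["checksum"])
        act.promoted.append((body["checksum"], final_ref))
    # Anything else, including a build tagged straight into rawhide, is ignored:
    # the autosigner only acts on candidate artifacts it was asked to sign.
    return act


# Constructed sample messages, one per trigger in the proposal.
SAMPLE_MESSAGES = [
    {"topic": "org.fedoraproject.prod.buildsys.tag",
     "msg": {"tag": "rawhide-candidate", "build": "example-1.0-1.fc25"}},
    {"topic": "org.fedoraproject.prod.bodhi.autosign.request",
     "msg": {"updates": ["FEDORA-2016-example1", "FEDORA-2016-example2"]}},
    {"topic": "org.fedoraproject.prod.atomic.compose.done",
     "msg": {"ref": "fedora-atomic-candidate/24/x86_64/docker-host",
             "checksum": "deadbeef"}},
]
```

Running every sample through `handle` with one shared `Actions` gives the full sign and promote plan the proposal sketches; a message tagging a build directly into rawhide yields no action at all.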