From Fedora Project Wiki

< User:Puiterwijk

Revision as of 20:29, 24 August 2016 by Puiterwijk (talk | contribs) (updates pushes)

This is a proposal for how to implement automatic signing of deliverables.

It all works around an autosign box, that has a configured sigul two-way secure passphrase, with a bit of code running inside the fedmsg-hub.

For the various deliverables, the ways of implementing follow:

RPM-OStree/Atomic

For RPM-OSTree, we would be adding a fedmsg after compose of atomic is done, together with the new checksum. We would also change the tag that atomic-composer attaches stuff to: in the treefile, we would change ref from fedora-atomic/24/x86_64/docker-host to fedora-atomic-candidate/24/x86_64/docker-host.

At that moment, the autosigner retrieves the commit object, puts that through sigul to get signed, and then updates the final tag to point to the new commit. This would mean that the current "fedora-atomic/24/x86_64/docker-host" tag is always signed.


Bodhi pushes

Currently, bodhi-push sends a masher.start fedmsg message, which gets it to push everything out. Instead, we could send an autosign.request message, which triggers the autosigning box to sign everything in the updates= field, after which it fires off the masher.start message.