ostree signing issue
Greetings, all,

I'm on contract to a company that uses ostree to deploy os updates, as
you might expect.

They want to add signing to the updates, using a private key server to
do the signing, but the private key server is not using ostree, it
just signs and provides signature output files and certificates to use
with the ostree signing.

AFAICT, this is not possible with ostree.  If I overwrite the
commitmeta file for the signed entry, signed with fake key, using the
key from the official signing server, ostree refuses to verify it -
says "error: No valid signatures found."

Is there a way to tell ostree to sign a commit using something other
than a raw signature - say by reference to a signature file or an SSL
certificate?

I haven't seen anything like this.  The best suggestion I had so far
was to use these two methods:

https://ostreedev.github.io/ostree/reference/ostree-OstreeRepo.html#ostree-repo-read-commit-detached-metadata
https://ostreedev.github.io/ostree/reference/ostree-OstreeRepo.html#ostree-repo-write-commit-detached-metadata

in a separate executable.  I can do this if it will work, but it will
take some time as I'm not that familiar with the whole GI coding
exercise.

Is there some internal gotcha in ostree that specifically prevents this?

Your assistance on this is greatly appreciated.

Mark Richter, Senior Software Engineer
Xubuntu dedicated user/admin/fan
http://www.linkedin.com/in/markrichter1
Registered Linux User #472807 http://counter.li.org/
FSF Member #12694 http://www.fsf.org
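The approach suggested in the post, as an added example (not code from the post or from ostree itself): a small PyGObject script that uses the two `OSTree.Repo` methods linked above to merge an externally produced signature into a commit's detached metadata instead of overwriting the whole `.commitmeta`. It assumes the signing server signed the raw commit object bytes and returned a 64-byte raw ed25519 signature, and that ostree stores ed25519 signatures under the detached-metadata key `ostree.sign.ed25519` as an array of byte arrays (`aay`); `attach_signature` needs the ostree GI typelib, while `merge_signature` is plain Python.

```python
"""Attach an externally produced ed25519 signature to an ostree commit.

Added example built on OSTree.Repo.read_commit_detached_metadata and
write_commit_detached_metadata via PyGObject.  Assumed: the signer signed the
raw commit object and returned a 64-byte raw ed25519 signature; ostree keeps
such signatures in the detached metadata under ED25519_KEY as "aay".
"""
import sys

ED25519_KEY = "ostree.sign.ed25519"
ED25519_SIG_LEN = 64


def merge_signature(existing_sigs: list, signature: bytes) -> list:
    """Return the signature list with the new one appended (no duplicates).

    Pure Python so it can be tested without GI.  Appending rather than
    replacing keeps any signatures that are already attached to the commit."""
    if len(signature) != ED25519_SIG_LEN:
        raise ValueError(f"expected a {ED25519_SIG_LEN}-byte raw ed25519 signature, got {len(signature)}")
    sigs = [bytes(s) for s in existing_sigs]
    if signature not in sigs:
        sigs.append(signature)
    return sigs


def attach_signature(repo_path: str, checksum: str, sig_path: str) -> int:
    """Read the commit's detached metadata, merge the signature in, write it back.

    Returns the number of ed25519 signatures now attached to the commit."""
    from gi.repository import Gio, GLib, OSTree  # lazy import: needs the ostree typelib

    with open(sig_path, "rb") as f:
        signature = f.read()
    repo = OSTree.Repo.new(Gio.File.new_for_path(repo_path))
    repo.open(None)
    _ok, meta = repo.read_commit_detached_metadata(checksum, None)  # a{sv} variant or None
    entries = {}
    if meta is not None:
        for key in meta.keys():
            entries[key] = meta.lookup_value(key, None)  # keep every other key untouched
    old = entries.get(ED25519_KEY)
    old_sigs = ([old.get_child_value(i).get_data_as_bytes().get_data()
                 for i in range(old.n_children())] if old is not None else [])
    new_sigs = merge_signature(old_sigs, signature)
    ay = GLib.VariantType.new("ay")
    entries[ED25519_KEY] = GLib.Variant.new_array(
        ay, [GLib.Variant.new_from_bytes(ay, GLib.Bytes.new(s), True) for s in new_sigs])
    repo.write_commit_detached_metadata(checksum, GLib.Variant("a{sv}", entries), None)
    return len(new_sigs)


if __name__ == "__main__":
    repo_dir, commit, sig_file = sys.argv[1:4]  # e.g. /srv/repo <commit checksum> commit.sig
    print("ed25519 signatures attached:", attach_signature(repo_dir, commit, sig_file))
```

Verification still depends on the matching public key being known to ostree on the client side; a signature over anything other than the exact commit object bytes will be rejected just like the overwritten `.commitmeta` in the post.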