Re: ostree signing issue
- From: "Colin Walters" <walters verbum org>
- To: ostree-list <ostree-list gnome org>
- Subject: Re: ostree signing issue
- Date: Tue, 27 Jul 2021 14:25:59 -0400
On Thu, Jul 22, 2021, at 2:36 PM, MR ZenWiz via ostree-list wrote:
Greetings, all,
I'm on contract to a company that uses ostree to deploy os updates, as
you might expect.
Great!
They want to add signing to the updates, using a private key server to
do the signing, but the private key server is not using ostree, it
just signs and provides signature output files and certificates to use
with the ostree signing.
This makes total sense.
Is there a way to tell ostree to sign a commit using something other
than a raw signature - say by reference to a signature file or an SSL
certificate?
Ultimately, you can generate a signature in a compatible format however you like. For example, Red Hat
internally uses a HSM and there's a wrapper tool confusingly called `rpm-sign` because at one time the only
thing we signed was RPMs. A time that has thankfully passed ;)
Here's a wrapper script I wrote:
https://github.com/ostreedev/ostree-releng-scripts/blob/master/redhat-rpm-sign-ostree
The `rpm-sign` script here is ultimately making an authenticated RPC (auth via Kerberos) to a service
fronting the HSM.
I hope this helps!
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]