Re: [atomic] Signing Trees

[Colin Walters <walters verbum org>]

> How does one go about signing trees? I'd like to have some confidence
> that a tree my client boots into is in fact a tree I served out from
> my build server.

See the "rpm-ostree compose sign" command, which integrates with a Red
Hat tool called "rpm-sign" (that actually signs anything).

I've been meaning to have the sign command allow calling out to an
arbitrarily named command, but if one looks at the code one will see
it's just a wrapper around the libostree C API.  The real intent is that
mature build systems call into the C APIs (possibly via an introspected
language binding).

> Do they have to be signed at the time they are created, or can it be
> done after-the-fact, such as after some testing? Do the client tools
> support this at all?

It can be done after, and in addition, ostree supports multiple
signatures.

The client will check each time an upgrade is requested whether a
particular commit is signed by a valid signature.