Re: [atomic-devel] [CentOS-devel] CentOS Atomic Host SIG Proposal
- From: Colin Walters <walters verbum org>
- To: atomic-devel projectatomic io
- Subject: Re: [atomic-devel] [CentOS-devel] CentOS Atomic Host SIG Proposal
- Date: Tue, 29 Jul 2014 13:32:54 -0400
On Mon, Jul 28, 2014, at 12:33 AM, Karanbir Singh wrote:
>
> if you look at the script, it sets up a signing key that the ostree code
> will use,

Note you can also sign asynchronously from a tree compose. For example,
your "integration" repository may be unsigned, and then later you
promote the tree after testing, and adding say a "gold" GPG signature.
The technology is mostly there for this, but the scripts are not.

> worth noting that the upstream ostree repo target is embedded into the
> image that gets shipped from the build process, including the key used
> to sign the content.

This doesn't *have* to be done, but it means users have to manually
configure the mirror location when they start. (This is the current
case with Fedora as we don't have mirroring sorted out).

> if the question is just to shasum the iso/qcow2 and sign that shasum
> file, we can certainly do that now ( but it will still contain whatever
> key was used at buildtime for the ostree content under the hood - and at
> this point it won't be a centos.org key )

Right. Might as well ensure that the centos.org key is in
/usr/share/ostree/trusted.gpg.d so that when later the switch is made,
it's transparent to clients.