Atomic: OSTree Signatures - cockpit-project/cockpit GitHub Wiki
## Scope
- Every new commit has a signature
- The system will only download a commit if the signature is trusted (or if signature checking is disabled)
- Display in the list of forward/rollback versions. Show signature info
- Attach a new, trusted, ssh-key
- It should be clear to the administrator why something is unsigned
- Good signature vs. Bad signature - Signed or Unsigned
## Notes
## Stories
Sarah Manning is a part-time sysadmin, part-time developer at a software shop. She's very concerned about security. They deploy their containers on Atomic hosts. When there are updates to the Atomic Host, she wants to be certain that the updates are coming from a trusted source.
Robert Paulson works at a company that builds its own Atomic images. He wants to try one of their internal Atomic builds. The updates are not signed correctly, but since the build is from an internal server, he trusts it enough that he wants to disable the GPG check. After all, it's only in a local VM that he'll throw away later anyway.
## Workflows
Sarah logs in to the Atomic host using Cockpit. She goes to Software Updates and presses the Update button. The updates get pulled down without any problems. She checks the signature, and it looks correct. She then deploys the update.
Robert logs in to the Atomic host using Cockpit. He goes to Software Updates via the version URL on the server dashboard. He adds a new remote and sets it to not check for a GPG signature.