Proposal: Automating release artifacts signing and deployment
Hi all,

nl6720 has proposed[1] that DevOps create a CA for signing the iPXE and initramfs release artifacts. The goal is to be less dependent on a single person's signing key.

After dialogue on IRC, we came to the conclusion that maybe automating signing of the release artifacts (ISO included) is feasible.

So the plan we came up with:

1. DevOps creates a CA with a lifetime of 10 years and stores it in their vault
2. DevOps binds a private key to the TPM on secure-runner1.archlinux.org[2] and creates a CSR
3. DevOps signs the CSR with the created CA
4. DevOps creates a dedicated GitLab runner, on the mentioned server, with direct access to the TPM and restricted to specific GitLab projects
5. DevOps assigns the runner to the releng project[3]
6. The releng team sets up automation for signing the release artifacts with the TPM

To keep the implementation simple, the plan is to sign the ISO with `openssl cms` instead of OpenPGP.

With that done, the next step would be the automatic synchronization to the mirrors and archweb integration.

We would like some input on the approach mentioned. If no concerns are raised, we will start implementing it.

[1] https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/548
[2] Server for running pipelines for trusted Arch Linux projects
[3] https://gitlab.archlinux.org/archlinux/releng/

Cheers,
Kristian Klausen
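The certificate chain and `openssl cms` flow described in the proposal, as an added example that is not part of the original message or the releng project's code. It assumes software RSA keys in place of the TPM-bound key; the subject names, file names and the one-year signer validity are constructed for illustration.

```sh
#!/bin/sh
# Added illustration, not the releng project's code. Software keys stand in for
# the TPM-bound key; subject names, file names and validity are constructed.
set -eu

# Steps 1-3 of the plan: create a CA, create a signer key and CSR, sign the CSR.
make_pki() {  # usage: make_pki <dir>
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Release CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Release Signer" \
        -keyout "$1/signer.key" -out "$1/signer.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$1/signer.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/signer.crt" 2>/dev/null
}

# Step 6: detached CMS signature (DER) over the artifact, signer cert embedded.
sign_artifact() {  # usage: sign_artifact <dir> <file>
    openssl cms -sign -binary -noattr -md sha256 -outform DER \
        -signer "$1/signer.crt" -inkey "$1/signer.key" \
        -in "$2" -out "$2.cms.sig"
}

# Consumer side: only the CA certificate is needed as the trust anchor.
verify_artifact() {  # usage: verify_artifact <dir> <file>
    openssl cms -verify -binary -inform DER -CAfile "$1/ca.crt" \
        -content "$2" -in "$2.cms.sig" -out /dev/null 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    printf 'constructed stand-in for an ISO image\n' > "$d/artifact.iso"
    make_pki "$d"
    sign_artifact "$d" "$d/artifact.iso"
    verify_artifact "$d" "$d/artifact.iso"
    echo "original: signature valid"
    printf 'x' >> "$d/artifact.iso"   # simulate modification on a mirror
    if verify_artifact "$d" "$d/artifact.iso"; then
        echo "tampered: signature valid (unexpected)"; rm -rf "$d"; return 1
    fi
    echo "tampered: verification failed as expected"
    rm -rf "$d"
}

demo
```

Because the signer certificate travels inside the CMS structure, a verifier that pins only the CA certificate keeps working when the signer certificate is reissued.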