chore: create backup container signing keys #232
base: main
These keys will be unused until a time when we need to rotate. We need to be certain this change doesn't break anything, since it could cause failed updates.
The private key is in the shared vault and accessible for Actions to sign via the org-wide secret: `SIGNING_SECRET_BACKUP`
Some testing from me indicates that this seems to be working in the sense that it does not break the ability to do upgrades. My testing steps:

```
$ curl -L https://raw.githubusercontent.com/ublue-os/packages/3987d25ef80816a114027e00ca0d36053ff0e714/packages/ublue-os-signing/src/etc/pki/containers/ublue-os-backup.pub \
  | sudo tee /etc/pki/containers/ublue-os-backup.pub
$ curl -L https://raw.githubusercontent.com/ublue-os/packages/3987d25ef80816a114027e00ca0d36053ff0e714/packages/ublue-os-signing/src/usr/etc/containers/policy.json \
  | sudo tee /etc/containers/policy.json
$ sudo rpm-ostree upgrade
note: automatic updates (stage) are enabled
Pulling manifest: ostree-image-signed:docker://ghcr.io/ublue-os/aurora-dx:stable-daily
[ ... snip ... ]
```

There wasn't a new update for me but it did not complain about signing. Will check again later to confirm that it was able to successfully update.
Calling all @ublue-os/approver(s). Please can we get some testing on this PR. The main thing is ensuring the changes to the policy.json don't harm existing installations, and that the updates still occur.

The idea is not to sign with a new key. The idea is to trust a new key that we can switch to in a disaster recovery scenario (i.e. the existing signing keys are lost or leaked). When we do need to rotate, the certificates will be already trusted by the entire userbase, and therefore users will switch over to images signed with the backup key seamlessly. Bsherman and Kyle have access to the backup private key. They are not and will not be put in GitHub until we are required to sign images with it.

Please comment on or approve the PR if you were successfully able to run an update after the policy.json changes.
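A check for the property the comment above asks testers to confirm, written as an added example rather than code from this PR or from ublue-os: it assumes the containers-policy.json(5) layout with a `sigstoreSigned` requirement, and the repository scope, key file names and both policies below are constructed, not the repository's actual policy.json. It also shows why the backup key must be listed in the same requirement (`keyPaths`) rather than as a second requirement, since containers/image ANDs the requirements of a scope.

```python
import json

# Constructed sample policies in containers-policy.json(5) format (not the
# actual ublue-os policy). The repository scope and key file names are assumed.
PRIMARY = "/etc/pki/containers/ublue-os.pub"
BACKUP = "/etc/pki/containers/ublue-os-backup.pub"
SCOPE = "ghcr.io/ublue-os"

# Intended form: one requirement that accepts a signature from either key.
GOOD_POLICY = {
    "default": [{"type": "reject"}],
    "transports": {"docker": {SCOPE: [
        {"type": "sigstoreSigned", "keyPaths": [PRIMARY, BACKUP],
         "signedIdentity": {"type": "matchRepository"}},
    ]}},
}

# Pitfall: two separate requirements. containers/image ANDs the entries of a
# scope, so an image would need signatures from BOTH keys and updates break.
PITFALL_POLICY = {
    "default": [{"type": "reject"}],
    "transports": {"docker": {SCOPE: [
        {"type": "sigstoreSigned", "keyPath": PRIMARY,
         "signedIdentity": {"type": "matchRepository"}},
        {"type": "sigstoreSigned", "keyPath": BACKUP,
         "signedIdentity": {"type": "matchRepository"}},
    ]}},
}

def load_policy(path="/etc/containers/policy.json"):
    """Read the installed policy so the same check can run on a real host."""
    with open(path) as f:
        return json.load(f)

def keys_accepted_by(req):
    """Public keys any ONE of which satisfies a single sigstoreSigned requirement."""
    keys = [req["keyPath"]] if "keyPath" in req else []
    return keys + list(req.get("keyPaths", []))

def rotation_ready(policy, transport, scope, primary, backup):
    """Report whether an image signed with only the primary key, and one signed
    with only the backup key, each satisfy every requirement for the scope."""
    reqs = policy["transports"][transport][scope]
    sig_reqs = [r for r in reqs if r.get("type") == "sigstoreSigned"]
    if not sig_reqs or any(r.get("type") == "reject" for r in reqs):
        return {"primary_alone": False, "backup_alone": False}
    ok = lambda key: all(key in keys_accepted_by(r) for r in sig_reqs)
    return {"primary_alone": ok(primary), "backup_alone": ok(backup)}
```

Both fields must be True before rotating; if `backup_alone` is False, images signed only with the backup key would be rejected by every client that has this policy.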
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
I can confirm that I was able to upgrade to the latest stable-daily
image for aurora-dx with the changes to my /etc/containers/policy.json
and the new public key on disk.
So this LGTM.
Can also confirm that this works.
Closes ublue-os/main#703
These keys will be unused until a time when we need to rotate. When we do need to rotate, we can change the priv key in GitHub Actions, and these will be accepted by the signing policy.