- Task
- Resolution: Done
- Normal
ANSTRAT-411 - Content Signing
- Partner publishes a collection version to c.r.c; the artifact goes to the `/staging/` repository and waits for approval/certification (at that point the content is unpublished and not consumable).
- Partner Engineer goes to the c.r.c `/approval-dashboard/` and, for each item in the approval queue, will:
  - Download the `.tar.gz` artifact, unpack it locally, and run tests and verifications to ensure the quality of its contents.
  - Once the artifact is verified, run the `rpm-sign` command to create a signature based on the `MANIFEST.json` file (exact syntax to be confirmed, but something like `rpm-sign collection/path/MANIFEST.json`); this command will generate a signature file named e.g. `namespace.collection.x-y-z.asc`.
- The Partner Engineer will go back to `/approval-dashboard/` and click "upload signature" on that collection; the signature file will be added to the collection repository. Only the signature is uploaded in this step.
- During the upload, the backend will verify the signature against the official public key to ensure only valid signatures are uploaded.
- The Partner Engineer is now able to click the `approve` button on the collections where the signature has been added and verified.
- Collection + signature are moved to the `/published` repository, show a "Certified/Signed" badge, and are now ready to be consumed by end-users.
- When installing the collection, the end-user will call `--verify` on the `ansible-galaxy` CLI to perform a verification before installation.
- When another server (private/on-prem Hub, Satellite) syncs content from c.r.c, the signatures will also be synchronized, allowing later verification.
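The signature check the backend performs at upload time is the step that keeps unofficial signatures out of the repository. The following is an added example, not code from this ticket or from the Galaxy/Hub project; it assumes the `.asc` file is an OpenPGP detached signature over `MANIFEST.json` that can be checked with `gpg`, and the fingerprint constant is a placeholder since the official key is not on the page.

```python
import subprocess
from pathlib import Path

# Placeholder (assumption): the real fingerprint of the official signing key
# is not on the page; the backend should pin it, not trust any key gpg knows.
OFFICIAL_KEY_FINGERPRINT = "0000000000000000000000000000000000000000"

# gpg status keywords that mean the signature must be rejected outright
_REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


def parse_gpg_status(status_text: str, expected_fingerprint: str) -> dict:
    """Decide from `gpg --status-fd` output whether a detached signature is
    acceptable. Only VALIDSIG carrying the pinned fingerprint is accepted:
    GOODSIG alone means "some key in the keyring", not "the official key"."""
    good_sig = False
    valid_fpr = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in _REJECT:
            return {"ok": False, "reason": keyword}
        if keyword == "GOODSIG":
            good_sig = True
        elif keyword == "VALIDSIG" and len(fields) >= 3:
            valid_fpr = fields[2].upper()  # full fingerprint of the signing key
    if not good_sig or valid_fpr is None:
        return {"ok": False, "reason": "no valid signature"}
    if valid_fpr != expected_fingerprint.upper():
        return {"ok": False, "reason": "signed by unexpected key " + valid_fpr}
    return {"ok": True, "reason": "signed by official key"}


def verify_detached_signature(manifest: Path, signature: Path, keyring: Path,
                              expected_fingerprint: str = OFFICIAL_KEY_FINGERPRINT) -> dict:
    """Run gpg against an isolated keyring that holds only the official public
    key, then apply the fingerprint check above to its machine-readable status."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--status-fd", "1", "--verify", str(signature), str(manifest)],
        capture_output=True, text=True, check=False)
    return parse_gpg_status(proc.stdout, expected_fingerprint)
```

Using a dedicated keyring containing only the official public key, plus the fingerprint comparison, means a signature made with any other key (even one present on the host) is rejected rather than silently accepted.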
- is blocked by: AAH-1054 Create a task that will take an artifact and a signing service and perform the signature process. (Closed)