Goal

We need to have a documented process on how will the signing of the conversions script work - who, when and how.

The conversion script needs to be signed to ascertain integrity of the content, that is that it hasn't been tampered with by an unauthorized actor.

The process will likely follow the signing process used for the Remediations:
https://source.redhat.com/groups/public/insights_rule_and_framework_engineering_team/team_blog/workflow_for_insights_playbook_signing_requests

The conversion script signature will be verified by the rhc-worker-bash on the CentOS Linux host (HMS-1994).

Open questions

Chris Hambridge:
do we need any ok to use the same signing key? I know Ansible Automation Hub had to get their own key to sign certified collections.
Toshio Kuratomi:
That's a good question. Since this is piggybacking on tasks we might not need one but since tasks is becoming a container for unrelated functionality, maybe we do (or will in the future)