[CentOS-devel] [DISCUSS] Atomic-specific key for signing

Fri Oct 3 10:03:19 UTC 2014
Karanbir Singh <mail-lists at karan.org>

On 09/30/2014 03:24 PM, Joe Brockmeier wrote:
> Hi all,
> 
> During last week's meeting I agreed to bring this up (sorry for the delay).
> 
> KB asked "do we care and how much, if at all, that the key used to sign
> the content is the real distro key?" (Because at the outset, it's going
> to be more difficult to use the distro key for Atomic host.)
> 
> IMO, we don't so long as we have a SIG key that is publicized. I don't
> see any reason it has to be the main CentOS / distro key.
> 
> Any objections/thoughts/comments?
> 

I've been working out the backend mechanisms and infra that might be
needed, this is also an open conversation / decision point with the board;

The safe assumption would be to assume an rpm-sign.sh proxy will come up,
what's on the other end of that is still up in the air. But the sign
process SHOULD block on that call; there might be some network request
involved, am trying really hard for there not to be, but I don't think
there is an easy way out, as yet.

I will have more details on the key itself in the next few days,

-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc