conf: keys: add the composefs keys #432
Conversation
# Link Composefs fs-verity keys | ||
if [ ! -d "conf/keys/cfs" ]; then | ||
ln -sf "${MANIFESTS}"/conf/keys/cfs conf/keys/cfs | ||
fi | ||
fi |
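Review bot: the guard only checks the link target, so when `${MANIFESTS}/conf/keys/cfs` is absent `ln -sf` leaves a dangling `conf/keys/cfs` symlink, and because a dangling link fails `[ ! -d ]` the block re-runs `ln -sf` on every invocation; guard on the source as well, e.g. `if [ -d "${MANIFESTS}"/conf/keys/cfs ] && [ ! -d "conf/keys/cfs" ]; then`. The header `# Link Composefs fs-verity keys` is also misleading: per the commit message this directory holds an ed25519 signing key for the composefs image, not fs-verity keys, so `# Link Composefs signing keys` would describe it better.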
A snip like this one is also required below in the next if block, for the `# Factory specific keys (unique per factory)` one.
Is this key for fs-verity only? What about the ostree signature?
This key signs the ostree commit and the composefs image. I'll prepare the meta PR next, but this is what this key does:
# ComposeFS signatures | ||
# | ||
CFS_SIGN_KEYDIR ??= "${TOPDIR}/conf/keys/cfs" | ||
CFS_SIGN_KEYDIR[vardepsexclude] += "TOPDIR" |
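Review bot: this block defines only the key directory; the key file name that the recipes look up (`CFS_SIGN_KEYNAME` in the meta PR, per the review comment) gets no default here, so every machine conf has to set it. Add a default next to `CFS_SIGN_KEYDIR` using the same weak assignment so a layer can still override both, e.g. `CFS_SIGN_KEYNAME ??= "cfs-dev"`. Excluding `TOPDIR` from the variable dependencies is correct, since otherwise the task signatures would change with the build directory.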
After looking at the meta PR I see CFS_SIGN_KEYNAME, so it would be good to also add a default value:
CFS_SIGN_KEYNAME ?= "cfs-dev"
With that we can drop the ones on the meta PR and make it generic and not machine-specific:
ldts/meta-lmp@14ef7ef#diff-444ca8738c9172ef4f06ce2d79dac863177b904d7f673d4bf8e292560a397c6fR132-R133
# Link Composefs keys | ||
if [ ! -d "conf/keys/cfs" ]; then | ||
ln -sf "${MANIFESTS}"/conf/keys/cfs conf/keys/cfs | ||
fi |
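Review bot: this hunk sits in the factory-specific block, but both the link source and the link name are the shared `conf/keys/cfs` paths already handled by the first hunk, so `${MANIFESTS}/factory-keys/cfs` is never linked and the `[ ! -d "conf/keys/cfs" ]` test is already false once the first block has run. Point both sides at `factory-keys/cfs` and guard on the source existing, as the comment below proposes: `if [ -d "${MANIFESTS}"/factory-keys/cfs ] && [ ! -d "conf/factory-keys/cfs" ]; then`.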
This snip needs to be a bit different from the other one:
# Link Composefs keys if not set by the user
if [ -d "${MANIFESTS}"/factory-keys/cfs ] && [ ! -d "conf/factory-keys/cfs" ]; then
ln -sf "${MANIFESTS}"/factory-keys/cfs conf/factory-keys/cfs
fi
Yeah, the link is incorrect.
@@ -0,0 +1,2 @@ | |||
Ga5I1u55+hH9kNKLFzztqBpKL0uI/IoAOg0jhwAwAWIpDCXmriFCPBDG74Fh+bgakWR2B0/aobX0 | |||
o6a6/rvGMw== |
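Review bot: the two lines are one 88-character base64 value (76 + 12 characters, `==` padding), i.e. 64 bytes, which matches the 32-byte seed followed by the 32-byte public key that the commit message concatenates into `secret`, so the file is wrapped at 76 columns rather than truncated. The recipe in the commit message writes `secret` with `base64 -w 0`, though, so the committed file and the documented generation step disagree; either regenerate the file so it matches the recipe or make sure whatever reads it strips the embedded newline. Since this is a private signing seed checked into the shared `conf/keys` tree, mark it as a development-only key in the commit or a README next to it, and keep per-factory keys out of the manifest.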
I don't know if this will cause problems, but this line looks truncated.
Um, works just fine for me.
Verification of the composefs image.

To generate the keys:

openssl genpkey -algorithm ed25519 -outform PEM -out ed25519.pem
PEMFILE=ed25519.pem
PUBLIC="$(openssl pkey -outform DER -pubout -in ${PEMFILE} | tail -c 32 | base64)"
SEED="$(openssl pkey -outform DER -in ${PEMFILE} | tail -c 32 | base64)"
SECRET="$(echo ${SEED}${PUBLIC} | base64 -d | base64 -w 0)"
echo "${SECRET}" > secret
echo "${PUBLIC}" > public

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
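As an added check (not code from this PR or the LmP manifest), the following validates a `secret`/`public` pair laid out as the commit message describes: it strips line wrapping before decoding (so a 76-column wrapped secret like the one in the hunk above decodes to the same 64 bytes as the `base64 -w 0` form), confirms the secret is seed||pub, and re-derives the public key from the seed with a standard-library Ed25519 implementation following RFC 8032. The sample key is the RFC 8032 test vector, constructed inline; the file names are assumed from the commit message.

```python
import base64, hashlib, re

# Constructed sample: RFC 8032 test vector 1, laid out like the files written by the
# commit message recipe (secret = seed || pub, here wrapped at 76 columns like the hunk).
SEED_HEX = "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60"
PUB_HEX = "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"
SECRET_FILE = base64.encodebytes(bytes.fromhex(SEED_HEX + PUB_HEX)).decode()
PUBLIC_FILE = base64.b64encode(bytes.fromhex(PUB_HEX)).decode() + "\n"

# Ed25519 public-key derivation per RFC 8032, standard library only (no signing).
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P

def _add(p1, p2):  # unified addition in extended coordinates (X, Y, Z, T), a = -1
    x1, y1, z1, t1 = p1
    x2, y2, z2, t2 = p2
    a, b = (y1 - x1) * (y2 - x2) % P, (y1 + x1) * (y2 + x2) % P
    c, d = 2 * t1 * t2 * D % P, 2 * z1 * z2 % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)

def _mul(k, pt):  # double-and-add scalar multiplication
    acc = (0, 1, 1, 0)  # neutral element
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

# Base point: y = 4/5 and the even square root for x (RFC 8032 section 5.1).
BY = 4 * pow(5, P - 2, P) % P
X2 = (BY * BY - 1) * pow(D * BY * BY + 1, P - 2, P) % P
BX = pow(X2, (P + 3) // 8, P)
BX = BX if (BX * BX - X2) % P == 0 else BX * pow(2, (P - 1) // 4, P) % P
BX = P - BX if BX & 1 else BX
BASE = (BX, BY, 1, BX * BY % P)

def public_from_seed(seed):
    a = int.from_bytes(hashlib.sha512(seed).digest()[:32], "little")
    a = (a & ((1 << 254) - 8)) | (1 << 254)  # clamp the scalar
    x, y, z, _ = _mul(a, BASE)
    zi = pow(z, P - 2, P)
    x, y = x * zi % P, y * zi % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def check_cfs_keypair(secret_file, public_file):
    # Whitespace is removed first, so the wrapped form decodes exactly like base64 -w 0.
    sec = base64.b64decode(re.sub(r"\s+", "", secret_file), validate=True)
    pub = base64.b64decode(re.sub(r"\s+", "", public_file), validate=True)
    return {"secret_is_seed_and_pub": len(sec) == 64 and sec[32:] == pub,
            "pub_derived_from_seed": len(pub) == 32 and public_from_seed(sec[:32]) == pub}
```

Feeding only the first 76-column line of a wrapped secret yields 57 bytes and fails the length check, which is how a genuinely truncated file would show up.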
LGTM
Once approved/merged, please follow up with a proposal to make sure these keys are automatically created on new factories as well.
In preparation for the subsequent composefs PRs.