feat: verify kmod signatures for dual-sign #218

Merged
merged 10 commits into from
Jul 20, 2024

@m2Giles m2Giles commented Jul 20, 2024

Thank you for contributing to the Universal Blue project!

Please read the Contributor's Guide before submitting a pull request.

m2Giles commented Jul 20, 2024

This checks during build stage and not in the final rpms. This doesn't ensure that the final copied rpms have the signatures. We could do that with another container much like getting the ostree.linux parameter but probably would need a Containerfile to build it.

@m2Giles m2Giles marked this pull request as ready for review July 20, 2024 04:45
@m2Giles m2Giles requested a review from castrojo as a code owner July 20, 2024 04:45
m2Giles commented Jul 20, 2024

To build another container to test the rpms would likely have a longer build time than the actual akmods build.

So not sure what the best method is for ensuring the RPMs that are copied into the scratch container are indeed dual signed.

m2Giles commented Jul 20, 2024

Went and made a test container that is built after the akmods is built. It installs the kernel and the signed rpms, and then checks the signatures. It can handle both dual signed and single signed. It will stop a push if the akmods are not signed correctly.
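
An added illustration of the kind of check the comment above describes (not code from this PR or the project): a structural check that counts the signature trailers appended to a kernel module file and exits non-zero on a mismatch. It assumes "dual signed" means two stacked trailers, as produced by running the kernel's `sign-file` twice; it does not verify any signature cryptographically, and the placeholder signature bytes and command-line usage are constructed for the example.

```python
import lzma
import struct
import sys

MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len.
# For PKCS#7 signatures id_type is 2 and every other byte before sig_len is zero.
PKCS7_PREFIX = bytes([0, 0, 2, 0, 0, 0, 0, 0])
INFO_LEN = len(PKCS7_PREFIX) + 4


def count_appended_signatures(blob: bytes) -> int:
    """Count signature trailers stacked at the end of an uncompressed .ko image."""
    count, end = 0, len(blob)
    while blob.endswith(MAGIC, 0, end):
        info_start = end - len(MAGIC) - INFO_LEN
        if info_start < 0 or blob[info_start:info_start + 8] != PKCS7_PREFIX:
            raise ValueError("malformed module_signature header")
        (sig_len,) = struct.unpack(">I", blob[info_start + 8:info_start + 12])
        if sig_len == 0 or sig_len > info_start:
            raise ValueError("signature length does not fit in the file")
        end = info_start - sig_len  # step past this trailer to whatever was signed
        count += 1
    return count


def append_fake_signature(blob: bytes, sig: bytes) -> bytes:
    """Build constructed test input; `sig` is placeholder bytes, not real PKCS#7."""
    return blob + sig + PKCS7_PREFIX + struct.pack(">I", len(sig)) + MAGIC


def load_module(path: str) -> bytes:
    """Read a .ko or .ko.xz file and return the uncompressed image."""
    with open(path, "rb") as fh:
        data = fh.read()
    return lzma.decompress(data) if path.endswith(".xz") else data


if __name__ == "__main__":
    # Usage (hypothetical): script.py EXPECTED_COUNT module.ko[.xz] ...
    expected, failed = int(sys.argv[1]), False
    for path in sys.argv[2:]:
        found = count_appended_signatures(load_module(path))
        print(f"{path}: {found} signature(s)")
        failed |= found != expected
    sys.exit(1 if failed else 0)
```

The kernel's loader checks only the outermost trailer, so a count of two shows that both signing passes ran but says nothing about which keys were used; that still needs a cryptographic check against the expected certificates.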

@bsherman bsherman left a comment


Beautiful

@bsherman bsherman added this pull request to the merge queue Jul 20, 2024
Merged via the queue into main with commit 7c3a5d8 Jul 20, 2024
33 checks passed
@bsherman bsherman deleted the verify-signatures branch July 20, 2024 17:17