Skip to content

Contains the keys that verify the contents of an OpenShift update

License

Notifications You must be signed in to change notification settings

DavidHurta/cluster-update-keys

 
 

Repository files navigation

Cluster Update Keys

The image generated by this repository contributes a ConfigMap to an OpenShift release image that instructs the cluster version operator to verify updates using the provided keys and stores before performing updates.

The config map must have the annotation release.openshift.io/verification-config-map which instructs the cluster version operator to verify payloads against OpenPGP signatures in the atomic container signature format.

The keys within the config map define how verification is performed:

verifier-public-key-*: One or more GPG public keys in ASCII form that must have signed the
                       release image by digest.

store-*: A URL (scheme file://, http://, or https://) location that contains signatures. These
         signatures are in the atomic container signature format. The URL will have the digest
         of the image appended to it as "<STORE>/<ALGO>=<DIGEST>/signature-<NUMBER>" as described
         in the container image signing format. The docker-image-manifest section of the
         signature must match the release image digest. Signatures are searched starting at
         NUMBER 1 and incrementing if the signature exists but is not valid. The signature is a
         GPG signed and encrypted JSON message. The file store is provided for testing only at
         the current time, although future versions of the CVO might allow host mounting of
         signatures.

See https://github.com/containers/image/blob/ab49b0a48428c623a8f03b41b9083d48966b34a9/docs/signature-protocols.md for a description of the signature store.

The OpenShift CI system uses the public key described here and signs releases at https://amd64.ocp.releases.ci.openshift.org/ once they are created. Nightly and OKD builds are signed with CI release key and signatures updated to openshift-ci-release GCS bucket/. Official OCP builds are signed with Red Hat release key, signatures uploaded to openshift-release GCS bucket and mirrored to https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release

About

Contains the keys that verify the contents of an OpenShift update

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Makefile 94.4%
  • Dockerfile 5.6%