Skip to content

jobs/release: sign OCI images #1211

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 9, 2025
Merged

jobs/release: sign OCI images #1211

merged 1 commit into from
Sep 9, 2025

Conversation

jlebon
Copy link
Member

@jlebon jlebon commented Sep 8, 2025
edited
Loading

This uses the new cosa sign --oci switch to sign our OCI images using the official Fedora GPG keys.

Part of coreos/fedora-coreos-tracker#1969.

I opted for not gating this behind a knob. It's safe to do this even on streams that still use encapsulated commits (it's just files in S3). But the earlier we do it, the more overlap we have in which both signature types (OCI and OSTree) co-exist and that makes migration planning easier.

Requires: coreos/coreos-assembler#4301

@dustymabe dustymabe mentioned this pull request Sep 8, 2025
Merged
dustymabe
dustymabe reviewed Sep 8, 2025
View reviewed changes
@jlebon jlebon marked this pull request as ready for review September 9, 2025 15:38
@jlebon
Copy link
Member Author

jlebon commented Sep 9, 2025

OK, this is ready for review now! (Obviously needs newer cosa to be rebuilt).

dustymabe
dustymabe approved these changes Sep 9, 2025
View reviewed changes
@jlebon
jobs/release: sign OCI images
8acce9e 
This uses the new `cosa sign --oci` switch to sign our OCI images using
the official Fedora GPG keys.

Part of coreos/fedora-coreos-tracker#1969.

I opted for not gating this behind a knob. It's safe to do this even on
streams that still use encapsulated commits (it's just files in S3). But
the earlier we do it, the more overlap we have in which both signature
types (OCI and OSTree) co-exist and that makes migration planning
easier.
@jlebon jlebon merged commit b4df2de into coreos:main Sep 9, 2025
2 checks passed
@jlebon jlebon deleted the pr/sign-oci branch September 9, 2025 16:59
@dustymabe dustymabe mentioned this pull request Sep 11, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dustymabe dustymabe dustymabe approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jlebon @dustymabe