generic-worker: add ed25519 cot signature support; deprecate gpg
Categories
(Taskcluster :: Workers, enhancement)
Tracking
(Not tracked)
People
(Reporter: mozilla, Assigned: mozilla)
References
Details
GPG 2.0.x is past its EOL; our current cot-gpg-keys solution is high maintenance and can only be properly tested on puppetized scriptworkers. Moving to a more modern signature algorithm and a set of known public keys, without a web of trust, will improve both of these situations.
We should:
- add ed25519 cot signature support to generic-worker.
- deprecate gpg support; once all 3 worker implementations are uploading signed ed25519 cot artifacts, we'll drop gpg support across the board.
- leave
chainOfTrust.json.ascalone, until we drop gpg support - create and upload two new artifacts: an unsigned
chain-of-trust.json, and an ed25519 signaturechain-of-trust.json.sig.
Ideally, I'd like to get the solutions in all 3 worker implementations working before we roll out, to avoid churn. I'm signing up to write this patch, though I may need a hand with both generic-worker and golang questions.
See also: mozilla-releng/scriptworker#294, the discussion in mozilla-releng/scriptworker#293 (comment), and taskcluster/generic-worker#136 .
|
||
Comment 1•5 years ago
|
||
Commit pushed to master at https://github.com/taskcluster/generic-worker https://github.com/taskcluster/generic-worker/commit/eb88e7897774bd04de46f5412062760fb9a9912b Merge pull request #137 from escapewindow/ed25519 bug 1518913 - add ed25519 support
|
Assignee | |
Comment 2•5 years ago
|
||
This was released! We'll need OCC configs + a new valid ed25519 key for level 3 workerTypes to fully resolve.
|
||
Comment 3•5 years ago
|
||
Released in generic-worker 12.0.0.
Aki, I've created bug 1524592 for the OCC rollout, so I'll close this bug, as I think the generic-worker part is done.
Awesome work! :-)
|
||
Updated•5 years ago
|
Description
•