mozilla-services / autograph

Mozilla's digital signature service
https://hub.docker.com/r/mozilla/autograph/
Mozilla Public License 2.0

monitor: verify pgp2 and apk2 signatures #622

Open g-k opened 3 years ago

g-k commented 3 years ago

Currently, the monitor skips verifying signatures from signers with type pgp, gpg2, and apk2, because it probably requires shelling out to gpg or apksigner.

https://github.com/mozilla-services/autograph/blob/master/tools/autograph-monitor/monitor.go#L180

After containerizing the monitor lambda we could:

g-k commented 3 years ago

See also https://github.com/mozilla-services/cloudops-deployment/pull/4236#issuecomment-846014573 (private link)