openshift / os


Signed (OpenPGP) sha256 sums for released QCOW, etc. images #362

Closed wking closed 3 years ago

wking commented 6 years ago

Currently:

$ curl http://aos-ostree.rhev-ci-vms.eng.rdu2.redhat.com/rhcos/images/cloud/latest/rhcos-qemu.qcow2.gz.sha256sum
803485d5d9670f1b74108057616ad31d5bebd8b6f60fcbb9556eecc2f45d6535

but there are a lot of possibilities for mutation between the build box and my local system (we're not even transmitting that SHA over HTTPS!). It would be nice to have a file (or per-gzipped-blob files, it doesn't really matter) with the filenames and hashes, like:

803485d5d9670f1b74108057616ad31d5bebd8b6f60fcbb9556eecc2f45d6535 rhcos-qemu.qcow2.gz
670d585d53e6a175344de9f76b3d534a02b46828b4a892fa86a21652ad587adc rhcos-qemu.qcow2
803485d5d9670f1b74108057616ad31d5bebd8b6f60fcbb9556eecc2f45d6535 rhcos-4.0.6902-qemu.qcow2.gz
670d585d53e6a175344de9f76b3d534a02b46828b4a892fa86a21652ad587adc rhcos-4.0.6902-qemu.qcow2

that was signed by some release key. Then I could check that there had been no tampering between the signing bot (or wherever the release key was held) and my local download. One benefit would be catching accidental corruption (openshift/installer#475), but this would also give us protection from malicious folks on the VPN, etc., etc.

Hashing the gzipped blobs allows me to verify the payload before going through the trouble of unzipping (e.g. gzip-bomb protection). Hashing the unzipped blobs allows me to verify uncompressed images in my local cache (openshift/installer#395).

CC @ashcrow
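A client-side verifier for the scheme sketched in the comment above, as an added example; this is not code from openshift/os or from the issue author. It assumes the sums file uses the `sha256sum` output format (`<hex>  <name>`) and is clear-signed by the release key, so that `gpg --decrypt` both checks the signature and emits the signed text (the keyring path `RELEASE_KEYRING` is assumed). The gzipped hash is checked before any byte is inflated, inflation is capped so a gzip bomb is cut off early, and the uncompressed hash covers the local-cache case; the sample image and sums file are constructed inline so the demo runs offline.

```python
"""Verify a downloaded image against a signed sha256 sums file.

Added example for the scheme proposed in this issue; not code from
openshift/os.  The release keyring path and the sample image are assumed
/ constructed for the offline demo.
"""
import gzip
import hashlib
import hmac
import subprocess
import zlib

RELEASE_KEYRING = "/etc/pki/rhcos-release.gpg"  # assumed path; keyring holds only the release key
MAX_UNCOMPRESSED = 64 * 1024 ** 3              # refuse to inflate past 64 GiB


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signed_sums_text(signed_path: str, keyring: str = RELEASE_KEYRING) -> str:
    """Return the sums text only after its OpenPGP signature verifies.

    Taking gpg's own output (rather than re-reading the file after a separate
    `gpg --verify`) means the text we parse is exactly the text that was signed.
    Needs a real key, so the offline demo below does not call it.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--decrypt", signed_path],
        check=True, capture_output=True)
    return proc.stdout.decode()


def parse_sums(text: str) -> dict:
    """Parse `sha256sum` output ("<hex>  <name>" or "<hex> *<name>") into {name: hex}."""
    sums = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or set(parts[0].lower()) - set("0123456789abcdef"):
            raise ValueError(f"malformed sums line {lineno}: {raw!r}")
        sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums


def decompress_capped(gz_bytes: bytes, max_bytes: int) -> bytes:
    """Inflate a single-member gzip stream, stopping as soon as the cap is exceeded."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ selects gzip framing
    out = d.decompress(gz_bytes, max_bytes + 1)   # inflate at most cap+1 bytes
    if len(out) > max_bytes or d.unconsumed_tail:
        raise ValueError(f"refusing to inflate beyond {max_bytes} bytes (gzip bomb?)")
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return out


def verify_cached(plain: bytes, name: str, sums: dict) -> bool:
    """Check an already-uncompressed image (e.g. from a local cache) against the sums."""
    if name not in sums or not hmac.compare_digest(sha256_hex(plain), sums[name]):
        raise ValueError(f"sha256 mismatch or missing entry for {name}")
    return True


def verify_download(gz_bytes: bytes, gz_name: str, sums: dict,
                    max_bytes: int = MAX_UNCOMPRESSED) -> bytes:
    """Verify the gzipped blob first, then inflate with a cap, then verify the image."""
    if gz_name not in sums:
        raise ValueError(f"{gz_name} is not listed in the signed sums file")
    if not hmac.compare_digest(sha256_hex(gz_bytes), sums[gz_name]):
        raise ValueError(f"sha256 mismatch for {gz_name}; not decompressing")
    plain = decompress_capped(gz_bytes, max_bytes)
    plain_name = gz_name[:-3] if gz_name.endswith(".gz") else None
    if plain_name in sums:          # second entry present: check the image too
        verify_cached(plain, plain_name, sums)
    return plain


def rejects(fn, *args, **kwargs) -> bool:
    """True if the call raises ValueError (used to demonstrate the failure paths)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


# --- constructed sample release (not real RHCOS artifacts) ---
def make_release(payload: bytes, base_name: str):
    gz = gzip.compress(payload, mtime=0)
    sums = f"{sha256_hex(gz)}  {base_name}.gz\n{sha256_hex(payload)}  {base_name}\n"
    return gz, sums


SAMPLE_IMAGE = b"QFI\xfb" + bytes(range(256)) * 64                 # fake qcow2 bytes
SAMPLE_GZ, SAMPLE_SUMS = make_release(SAMPLE_IMAGE, "rhcos-qemu.qcow2")
TAMPERED_GZ = SAMPLE_GZ[:-1] + bytes([SAMPLE_GZ[-1] ^ 0x01])       # one flipped trailer byte
BOMB_GZ, BOMB_SUMS = make_release(bytes(1_000_000), "zeros.img")   # 1 MB of zeros, compresses tiny

if __name__ == "__main__":
    sums = parse_sums(SAMPLE_SUMS)
    assert verify_download(SAMPLE_GZ, "rhcos-qemu.qcow2.gz", sums) == SAMPLE_IMAGE
    assert rejects(verify_download, TAMPERED_GZ, "rhcos-qemu.qcow2.gz", sums)
    assert rejects(verify_download, BOMB_GZ, "zeros.img.gz", parse_sums(BOMB_SUMS), max_bytes=100_000)
    print("ok")
```

In production the `sums` dict would come from `parse_sums(signed_sums_text(path))`; a file whose signature does not verify never reaches the parser, and a blob whose gzipped hash does not match is never handed to the decompressor, which is the ordering the gzip-bomb argument above depends on.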

mykaul commented 5 years ago

You are slowly re-implementing a yum repository ;-)

I assume there's a reason yum and reposync are not good candidates for this.

cgwalters commented 5 years ago

A lot of things have compression and signatures and channels; for example, OCI container images and OSTree does too.

I don't think it makes a whole lot of sense to wrap our disk images in RPMs (or containers or ostree refs) though.

(Random aside: ostree has deltas, and they are significantly better than deltarpm)

Well, it may make sense at some point to wrap our disk images "bootimages" in containers just for ease of mirroring.

mykaul commented 5 years ago

KubeVirt actually has this concept of shipping images via registry, btw (https://github.com/kubevirt/kubevirt/blob/master/docs/container-register-disks.md )

My point was indeed there are enough implementations, that's all.

openshift-bot commented 4 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot commented 4 years ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

openshift-bot commented 3 years ago

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-ci-robot commented 3 years ago

@openshift-bot: Closing this issue.

In response to [this](https://github.com/openshift/os/issues/362#issuecomment-727822213):

> Rotten issues close after 30d of inactivity.
>
> Reopen the issue by commenting `/reopen`.
> Mark the issue as fresh by commenting `/remove-lifecycle rotten`.
> Exclude this issue from closing again by commenting `/lifecycle frozen`.
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.