From e1d2d8fcc97e48e95b88bdc1faa1b234940b53b3 Mon Sep 17 00:00:00 2001 From: Dalton Hubble Date: Tue, 7 May 2019 00:02:22 -0700 Subject: [PATCH] Update Matchbox release signing process * Matchbox releases will be signed by my GPG key, like other projects in the poseidon org --- CHANGES.md | 2 ++ Documentation/deployment.md | 19 +++---------------- Documentation/dev/release.md | 10 +++++----- 3 files changed, 10 insertions(+), 21 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index f96e5a8c..6d0fe846 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -12,6 +12,8 @@ Notable changes between releases. * Validate raw Ignition configs with the v2.2 spec (warn-only) * Fix warnings that v2.2 configs are too new +Note: Release signing key [has changed](https://github.com/poseidon/matchbox/blob/v0.8.0/Documentation/deployment.md) with the project move. + ### Examples * Update Kubernetes example clusters to v1.14.1 (Terraform-based) diff --git a/Documentation/deployment.md b/Documentation/deployment.md index 64ebaf22..acb136a7 100644 --- a/Documentation/deployment.md +++ b/Documentation/deployment.md @@ -24,12 +24,12 @@ $ wget https://github.com/poseidon/matchbox/releases/download/v0.7.1/matchbox-v0 $ wget https://github.com/poseidon/matchbox/releases/download/v0.7.1/matchbox-v0.7.1-linux-amd64.tar.gz.asc ``` -Verify the release has been signed by the [CoreOS App Signing Key](https://coreos.com/security/app-signing-key/). +Verify the release has been signed by Dalton Hubble's [GPG Key 8F515AD1602065C8](https://keyserver.ubuntu.com/pks/lookup?search=0x8F515AD1602065C8&op=vindex). ```sh -$ gpg --keyserver pgp.mit.edu --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E +$ gpg --keyserver keyserver.ubuntu.com --recv-key 8F515AD1602065C8 $ gpg --verify matchbox-v0.7.1-linux-amd64.tar.gz.asc matchbox-v0.7.1-linux-amd64.tar.gz -# gpg: Good signature from "CoreOS Application Signing Key " +gpg: Good signature from "Dalton Hubble " ``` Untar the release. @@ -260,19 +260,6 @@ Review [network setup](https://github.com/poseidon/matchbox/blob/master/Document CoreOS provides [dnsmasq](https://github.com/poseidon/matchbox/tree/master/contrib/dnsmasq) as `quay.io/coreos/dnsmasq`, if you wish to use rkt or Docker. -## rkt - -Run the container image with rkt. - -latest or most recent tagged `matchbox` [release](https://github.com/poseidon/matchbox/releases) ACI. Trust the [CoreOS App Signing Key](https://coreos.com/security/app-signing-key/) for image signature verification. - -```sh -$ mkdir -p /var/lib/matchbox/assets -$ sudo rkt run --net=host --mount volume=data,target=/var/lib/matchbox --volume data,kind=host,source=/var/lib/matchbox quay.io/poseidon/matchbox:latest --mount volume=config,target=/etc/matchbox --volume config,kind=host,source=/etc/matchbox,readOnly=true -- -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug -``` - -Create machine profiles, groups, or Ignition configs by adding files to `/var/lib/matchbox`. - ## Docker Run the container image with docker. diff --git a/Documentation/dev/release.md b/Documentation/dev/release.md index 8c2b5c7b..7fffb57e 100644 --- a/Documentation/dev/release.md +++ b/Documentation/dev/release.md @@ -50,14 +50,14 @@ Verify the reported version. ## Signing -Sign the release tarballs with a [CoreOS App Signing Key](https://coreos.com/security/app-signing-key/) subkey. +Release tarballs are signed by Dalton Hubble's [GPG Key 8F515AD1602065C8](https://keyserver.ubuntu.com/pks/lookup?search=0x8F515AD1602065C8&op=vindex) ```sh cd _output -gpg2 --armor --local-user A6F71EE5BEDDBA18! --detach-sign matchbox-$VERSION-linux-amd64.tar.gz -gpg2 --armor --local-user A6F71EE5BEDDBA18! --detach-sign matchbox-$VERSION-darwin-amd64.tar.gz -gpg2 --armor --local-user A6F71EE5BEDDBA18! --detach-sign matchbox-$VERSION-linux-arm.tar.gz -gpg2 --armor --local-user A6F71EE5BEDDBA18! --detach-sign matchbox-$VERSION-linux-arm64.tar.gz +gpg2 --armor --detach-sign matchbox-$VERSION-linux-amd64.tar.gz +gpg2 --armor --detach-sign matchbox-$VERSION-darwin-amd64.tar.gz +gpg2 --armor --detach-sign matchbox-$VERSION-linux-arm.tar.gz +gpg2 --armor --detach-sign matchbox-$VERSION-linux-arm64.tar.gz ``` Verify the signatures.