GPG 2.0.x is past its EOL; our current cot-gpg-keys solution is high maintenance and can only be properly tested on puppetized scriptworkers. Moving to a more modern signature algorithm and a set of known public keys, without a web of trust, will improve both of these situations. We should: - add ed25519 cot signature support to generic-worker. - deprecate gpg support; once all 3 worker implementations are uploading signed ed25519 cot artifacts, we'll drop gpg support across the board. - leave `chainOfTrust.json.asc` alone, until we drop gpg support - create and upload two new artifacts: an unsigned `chain-of-trust.json`, and an ed25519 signature `chain-of-trust.json.sig`. Ideally, I'd like to get the solutions in all 3 worker implementations working before we roll out, to avoid churn. I'm signing up to write this patch, though I may need a hand with both docker-worker and node questions. See also: [mozilla-releng/scriptworker#294](https://github.com/mozilla-releng/scriptworker/pull/294), the discussion in [mozilla-releng/scriptworker#293 (comment)](https://github.com/mozilla-releng/scriptworker/pull/293#issuecomment-451339959), and [taskcluster/generic-worker#136](https://github.com/taskcluster/generic-worker/issues/136) .
Bug 1518912 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
GPG 2.0.x is past its EOL; our current cot-gpg-keys solution is high maintenance and can only be properly tested on puppetized scriptworkers. Moving to a more modern signature algorithm and a set of known public keys, without a web of trust, will improve both of these situations. We should: - add ed25519 cot signature support to docker-worker. - deprecate gpg support; once all 3 worker implementations are uploading signed ed25519 cot artifacts, we'll drop gpg support across the board. - leave `chainOfTrust.json.asc` alone, until we drop gpg support - create and upload two new artifacts: an unsigned `chain-of-trust.json`, and an ed25519 signature `chain-of-trust.json.sig`. Ideally, I'd like to get the solutions in all 3 worker implementations working before we roll out, to avoid churn. I'm signing up to write this patch, though I may need a hand with both docker-worker and node questions. See also: [mozilla-releng/scriptworker#294](https://github.com/mozilla-releng/scriptworker/pull/294), the discussion in [mozilla-releng/scriptworker#293 (comment)](https://github.com/mozilla-releng/scriptworker/pull/293#issuecomment-451339959), and [taskcluster/generic-worker#136](https://github.com/taskcluster/generic-worker/issues/136) .