Closed Bug 1518912 Opened 6 years ago Closed 6 years ago

docker-worker: add ed25519 cot signature support; deprecate gpg

Categories

(Taskcluster :: Workers, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mozilla, Assigned: mozilla)

References

Details

Attachments

(1 file)

GPG 2.0.x is past its EOL; our current cot-gpg-keys solution is high maintenance and can only be properly tested on puppetized scriptworkers. Moving to a more modern signature algorithm and a set of known public keys, without a web of trust, will improve both of these situations.

We should:

  • add ed25519 cot signature support to docker-worker.
  • deprecate gpg support; once all 3 worker implementations are uploading signed ed25519 cot artifacts, we'll drop gpg support across the board.
  • leave chainOfTrust.json.asc alone, until we drop gpg support.
  • create and upload two new artifacts: an unsigned chain-of-trust.json, and an ed25519 signature chain-of-trust.json.sig.

Ideally, I'd like to get the solutions in all 3 worker implementations working before we roll out, to avoid churn. I'm signing up to write this patch, though I may need a hand with both docker-worker and node questions.

See also: mozilla-releng/scriptworker#294, the discussion in mozilla-releng/scriptworker#293 (comment), and taskcluster/generic-worker#136.

Pete, I'll do this one last, but we may want to roll out ed25519 support before we converge on generic-worker.

Component: Docker-Worker → Workers
Attached file docker-worker PR

This is done :) Thanks Wander!

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED