Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

monitor: verify pgp2 and apk2 signatures #622

Open
2 of 3 tasks
g-k opened this issue Mar 4, 2021 · 1 comment
Open
2 of 3 tasks

monitor: verify pgp2 and apk2 signatures #622

g-k opened this issue Mar 4, 2021 · 1 comment
Labels
enhancement monitor related to tools/autograph-monitor

Comments

@g-k
Copy link
Contributor

g-k commented Mar 4, 2021
edited

Currently, the monitor skips verifying signatures from signers with type pgp, gpg2, and apk2, because it probably requires shelling out to gpg or apksigner.

https://github.com/mozilla-services/autograph/blob/master/tools/autograph-monitor/monitor.go#L180
https://github.com/mozilla-services/autograph/blob/master/tools/autograph-monitor/monitor.go#L180

After containerizing the monitor lambda we could:

  • package the monitor with the relevant CLI tools
  • update the existing deploy pipelines
  • enable verification using those tools
@g-k g-k added enhancement monitor related to tools/autograph-monitor labels Mar 4, 2021
@g-k
Copy link
Contributor Author

g-k commented May 26, 2021

See also https://github.com/mozilla-services/cloudops-deployment/pull/4236#issuecomment-846014573 (private link)

@g-k g-k mentioned this issue Aug 30, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement monitor related to tools/autograph-monitor
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@g-k