Document release artifact signing
Provide some explanatory prose about handling of OpenPGP signatures for Git tags and similar release artifacts. Also provide a copy of the corresponding public keys, for improved provenance. New keys should be added each cycle as they're rotated into use. Change-Id: I083bc8acf8d95e938afb5446d786eedf4fc43751
This commit is contained in:
Jeremy Stanley
@@ -131,6 +131,41 @@ Deliverables organized by the team that produces them.
|
||||
|
||||
teams/*
|
||||
|
||||
Cryptographic Signatures
|
||||
========================
|
||||
|
||||
Git tags created through our release automation are signed by
|
||||
`centrally-managed OpenPGP keys`_ maintained by the `OpenStack
|
||||
Infrastructure team`_. Detached signatures of many separate release
|
||||
artifacts are also provided using the same keys. A new key is
|
||||
created corresponding to each development cycle and rotated
|
||||
relatively early in the cycle. (Implementation completed late in the
|
||||
Newton cycle, so many early Newton artifacts have no corresponding
|
||||
signatures.)
|
||||
|
||||
OpenStack Infrastructure root sysadmins and Release Managers publish
|
||||
their own signatures of these keys into the global keyserver
|
||||
network. Copies of the public keys can be found below along with the
|
||||
date ranges during which each key was in general use.
|
||||
|
||||
* 2016-08-03..2016-11-22 (Newton Cycle key):
|
||||
`key 0x80fcce3dc49bd7836fc2464664dbb05acc5e7c28`_ (details__)
|
||||
* 2016-11-22..present (Ocata Cycle key):
|
||||
`key 0xd47bab1b7dc2e262a4f6171e8b1b03fd54e2ac07`_ (details__)
|
||||
|
||||
.. Static key files are generated with the following command:
|
||||
( gpg2 --fingerprint 0x80fcce3dc49bd7836fc2464664dbb05acc5e7c28
|
||||
gpg2 --armor --export-options export-clean,export-minimal \
|
||||
--export 0x80fcce3dc49bd7836fc2464664dbb05acc5e7c28 ) > \
|
||||
doc/source/static/0x80fcce3dc49bd7836fc2464664dbb05acc5e7c28.txt
|
||||
.. _`key 0x80fcce3dc49bd7836fc2464664dbb05acc5e7c28`: _static/0x80fcce3dc49bd7836fc2464664dbb05acc5e7c28.txt
|
||||
.. __: https://sks-keyservers.net/pks/lookup?op=vindex&search=0x80fcce3dc49bd7836fc2464664dbb05acc5e7c28&fingerprint=on
|
||||
.. _`key 0xd47bab1b7dc2e262a4f6171e8b1b03fd54e2ac07`: _static/0xd47bab1b7dc2e262a4f6171e8b1b03fd54e2ac07.txt
|
||||
.. __: https://sks-keyservers.net/pks/lookup?op=vindex&search=0xd47bab1b7dc2e262a4f6171e8b1b03fd54e2ac07&fingerprint=on
|
||||
|
||||
.. _`centrally-managed OpenPGP keys`: http://docs.openstack.org/infra/system-config/signing.html
|
||||
.. _`OpenStack Infrastructure team`: https://governance.openstack.org/tc/reference/projects/infrastructure.html
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
|
||||
@@ -0,0 +1,54 @@
|
||||
pub rsa2048/0x64DBB05ACC5E7C28 2016-06-03 [SC] [expires: 2016-11-30]
|
||||
Key fingerprint = 80FC CE3D C49B D783 6FC2 4646 64DB B05A CC5E 7C28
|
||||
uid [ full ] OpenStack Infra (Newton Cycle) <infra-root@openstack.org>
|
||||
sub rsa2048/0xC62E7F55E94A8805 2016-06-03 [E] [expires: 2016-11-30]
|
||||
sub rsa2048/0xD9631FEAF0CC6227 2016-06-22 [S]
|
||||
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQENBFdQ8DEBCAC0/jFThe7eJiiBL8Rb1c2mXLlSmBsv3/uzL3yV+0U1FShYZ0Ck
|
||||
s+x+KSGI5aerVXELw2QPCH9eZVknNd4anKzWKIaQ6KBUopIFgzlr5fr1+K5TE7ZH
|
||||
QISijgzSKMQaHKkELVlw9mOYme5UuzMehsLbOQ/aUDoK+4QHbN7eC5MXjYW+ybzK
|
||||
V7buapRGgjugEyYY9xDVXSSfgfULiba9nUudiyOwEXaM0JkGbWrD77w5CeC+GyoA
|
||||
IZYXg5Fqz79zPrPToWwO1bdw/mlq9iZjMXnD/eJc9v0Ll4mqbqWf8thMmFi6/Wxr
|
||||
omJ/eS7O1A7a10PgJGb7p4FxSj8PxbAEJ9zbABEBAAG0OU9wZW5TdGFjayBJbmZy
|
||||
YSAoTmV3dG9uIEN5Y2xlKSA8aW5mcmEtcm9vdEBvcGVuc3RhY2sub3JnPokBPQQT
|
||||
AQoAJwUCV1DwMQIbAwUJAO1OAAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBk
|
||||
27BazF58KB4eB/4kVB0b6Tm7HcPOnthx+0qE7MC25YMRTwz4pEUfnWSlGs1Rmjgl
|
||||
buDLw4UiHe8GSHlT8apoYJnN9O5DU7jL0dnG9Xp2JqFKlnDBJj0+f3E9kwfOYLk9
|
||||
fVCHC+KO5IXnrGSGFD6ybc+BE/rU6eMG1njWyV44JBa2Ge649OPQ5rqU1RoXfDNo
|
||||
Nlfl4zhAzqIvDdS3c5ED/jKjteueejCLA+GRwCJhF0sJSmuvzcHNhpNxwzdd4+MS
|
||||
492AYQ9G3Q/pm1HoR4vLgKUnnbJ2q+Aadr76iUbxUxuPZU67LbS6Gdanm7Lawd8g
|
||||
bzmOkOe2ZDtkVx15nz+UQao0Du/7ghy95MliuQENBFdQ8DEBCACih7ft7S04blXa
|
||||
lIFh6t+DgpbakdPGswkm8iAgp4GoiB/CqHF9DN7c/Ph3sS175Ecb+mbx7t3EK7Cn
|
||||
pyfiXkeVXJrALxu74jPYHMz9nzIarWE5cIGCCd+i6qlpL69I0dkoPpRLjKgx1M1C
|
||||
kEdkf4Kg8E39trW+7kK+wiTPRz86yn1lobBlRt5fPELouv1Cx1SLR+5EqiQ2987z
|
||||
p9n/1+oXlgavZLghzAhD3u41yH8pkkMry2xi3i4LI6nSkOjeyLfSjjuHwJEpfaht
|
||||
2tnJtKV6+DUxzU7xZksMHEZDNioqmbkXgRl1ycAfBAhq8LTwIpmv1+3v/PfjbcIx
|
||||
KCgi6d53ABEBAAGJASUEGAEKAA8FAldQ8DECGwwFCQDtTgAACgkQZNuwWsxefCjL
|
||||
wQf/YHh3Rke39ybZZSU/WMpgM+Uhb/mcQfSuukTNNiv0Gi7SM2Vo7N1micwIBsSk
|
||||
yazVO0DNRDyB0JxexCs+I+FSfJ+YV6IfA4EPNuhsByAyxRGLOrowXsPqB+CFEfyy
|
||||
j/XiWNc3JoHBdr1SjtLFCA9lNwuEJNvHGCJ25NDAJTyAiih3m5eh5IN8e/2tPst6
|
||||
9c4DBmc2jKsC7Embr9wnmyniJC8KgRny3+sEobUTwOodKyprIESFeOfcnbhSBvuB
|
||||
Z1bnDbJWFQksx8zxOWRLaw1NTPOCz1CaOxR2eTWkOPHxHPkGuNfOjWxTyKvnAEGJ
|
||||
JS1iUUTux8s30spnJRfIdypi/7kBDQRXawh/AQgAv1HuOzam//R7hyC6/eevMC9h
|
||||
OjNpR9IT3Fpcxj1bgerFHMPQAVe1uIfQAtNqzzHY+FIYuOaD9HKGnCIABcaf83+0
|
||||
jx0eiWuiNy89LSX2CMj4+B1upPkwwm0O2YuG7KHXGfYdXDAxOrC6+I4N0mJIBRux
|
||||
CE2rBfSC8naBGGoSJDsJzK75bshZQhuDFJ1H+/fCZbpOPNw0NopeCEhuBudrelh9
|
||||
wkGyJrPrYCWVC9E3JmVrVYka1iJkzkOF9TmWS3N7xZ1QKvYHqxRjk4ZEdhNK3u5n
|
||||
CP8Ac7hYi+710kF88cz8SbbJ6OKiO2XgSe72dk2xVPxayFUJSVz/QPon9QiWWwAR
|
||||
AQABiQI+BBgBCgAJBQJXawh/AhsCASkJEGTbsFrMXnwowF0gBBkBCgAGBQJXawh/
|
||||
AAoJENljH+rwzGIn0ecH/jNqH3mWopLm6YkdZWEAI7Kb6DG7BF8Y89MJIG9CrJQ4
|
||||
sFYG2GCweM0XGRuDD5xC0Y6fRKLrgFvVHx0JqMwIwh24Zi5Cf/Vb2/7eevKaNR8M
|
||||
aap19Ac+NCVqTiuyFqOQTSEf+9uU8rPQ75jxBoFExA5Le/w/VFVsXmGFQ1r9GJ8D
|
||||
yMIpozi3eS19WsHQYrnzj0154GLy6sQrV2u5Pob0ekc6Mo4nH6NmlOu1m5B0PNMj
|
||||
FZCWS8B5lCxHl8OHLQQrqoUe5Es/B7KWKsw0Ec20OScG5apzRqghMDHttHThTftd
|
||||
Ts1WXk71iMHYVhE/SjklWpg8s6UTW7H1zoao+KPXVhdmWAf/Sen+dWebdOcJP+YT
|
||||
3UmlBLPpcF3x5Cp6eo6wQeYZoJo8/bkfubyQusfkGAND5+JTVoNBFkYrYfYxlzF8
|
||||
0IDZpcoXt0wglDK1PFiyqmr3q3GPk5fsjZMWlX6EdPWG/L7VyFVVDOYS8Q22lxEh
|
||||
LvS/VzkmKRsMybP7QxoYsy2TXOR0JCo0t1hV9Jz7+NEw/9JDXoTbqHsOE4+Z7bwv
|
||||
2diwNqrk4dMdmJa44zYNoA6Iuh7R0cNVk6wAoi5DcOtCRVk/M0XmEtL9yubrUHO0
|
||||
OuMTJ/cacaYRrWXn2l8bStv0brqLFxWsvR5uDxm79Xn0nHZgFwhMBNCvBLh3DUbC
|
||||
hX8vpQ==
|
||||
=B+vq
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
@@ -0,0 +1,54 @@
|
||||
pub rsa2048/0x8B1B03FD54E2AC07 2016-11-03 [SC] [expires: 2017-06-01]
|
||||
Key fingerprint = D47B AB1B 7DC2 E262 A4F6 171E 8B1B 03FD 54E2 AC07
|
||||
uid [ full ] OpenStack Infra (Ocata Cycle) <infra-root@openstack.org>
|
||||
sub rsa2048/0x620133F3519A0343 2016-11-03 [E] [expires: 2017-06-01]
|
||||
sub rsa2048/0xB9069B1335700CDC 2016-11-03 [S]
|
||||
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQENBFgbrv4BCADK/pHoOwW+CVPYSJLjhMIOJ3Ef981pDw2TEL/t0L2L7cNYuYfc
|
||||
dx3G/kCZ0NBjHAXw6rkkFuGsXG6HDJ1TRKQTtdSqjFtI9/22xaGO6OE20BOQmhVF
|
||||
m8xnJ4ie9TpebH+y4OZqgKq7E9MByYZkqFWZZwpkmxUO5C+KuSIrZnyDUD+715Kr
|
||||
kmnpr1VAEP2IUA4dbvp4/DMDK6Ny7cptlxjwQbKTGIXRxMFNIzlQRDS3Ex6eiW2N
|
||||
kX2nHCn4BBffNB2PhUBsuF3hEEOT2nIj91NUKY8DvGm5m3mgxz1BgUJ4nelTMedy
|
||||
wXyL8HVUMMjdT8OUagjXyyymo0UK4RIDdLJ1ABEBAAG0OE9wZW5TdGFjayBJbmZy
|
||||
YSAoT2NhdGEgQ3ljbGUpIDxpbmZyYS1yb290QG9wZW5zdGFjay5vcmc+iQE+BBMB
|
||||
AgAoBQJYG67+AhsDBQkBFNsABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCL
|
||||
GwP9VOKsB1edCACxTMc11C9gB2O0BCX5TKx4ViwtSOGDdJD5T+6Qbj1b/LSUN6JQ
|
||||
XmU4JP43bwUZjv/8zbtZ9Sn38YVa3wZ3UvtsZRQhYGq2fJnBndneQZ8dyHj8Y8+J
|
||||
itYYSkNJK9nMjetlPHwSzHkxLRnKZoQGfJv5cI26MlYdp2XUt70oUM+757MEVSSJ
|
||||
tolPdplmHvCnBBj4gR6tnu6sEdR7Fg9Q07qbwTFNGD+gT/APv1q5bZZOj9Y4XXZw
|
||||
Y0490q/Fn1xa+tbfYcU2GEgUIBI92V++ScFQH6FLcAfBa9hN2M2QDZ05aV5yTtBY
|
||||
2Hj+Cy32fPQsZdynd4inoAYzkf6hdHShqq3xuQENBFgbrv4BCACpKJJ2PauppygP
|
||||
9hFCV0MFXh55Oi4gqjw5cf3ZyF+wkFIyQzaho/FXLQXaJ+6CtJKqvE/QxipZgQ9o
|
||||
oKTnnG8cRYXUJ8dOpK10gSxCGZ+rI0pDvJOc5XJ1bDufGA+G4SeUfLSkNCz6oalr
|
||||
LGfFcwrr+czZNwN3dyArRw7jv089BfPc/hYdEHn4z6l+EzVJCSbHsphlDOiuVXxm
|
||||
InJ2r/JvZCdCvXDF4q9EzOiq/Ev3A/MPySeJODuftY4fM8cO7ZK+jB6zTz95Zmfs
|
||||
APeouwmtI4h6PvatobXPgcLSolam+Crw7WIkWxp//iQxWK1o67SFjCfeIIGBQE9u
|
||||
Gp1zUj6lABEBAAGJASUEGAECAA8FAlgbrv4CGwwFCQEU2wAACgkQixsD/VTirAen
|
||||
xwgAru49L1NxWSWwOyPNb4tyRwtzVHZKXPTTuRlUR2lc1n8/xWUl9cred3gf8fIM
|
||||
t20EV6q6U7C04EZ6pQ7tdj1r78TSR41T2NVcbJuI2GrKpKq/m0SiP2ngPUsMbs0z
|
||||
GN0wOfzGapONyeR/xKEBDxLtX8RZ4QvWsSlV/8jADAHJk1oOUOyxNPJIXpccVvJW
|
||||
om5Ds5P2KODkr4JuXEWRH5E0NqdWItCEZgsWy0N3OKI474XI1HFjbKLAUTBI6Mub
|
||||
9NGt9SjhS7TouhyzUv4TNfdnzbNlKxZRalwlOJTzIV1hN5slNbDZnmJRBHwc4IYh
|
||||
b1SH6qcjlECFqSyJKgQy1FNfE7kBDQRYG7DGAQgAzWKOz8aH1EorzHBXs9A5c9WN
|
||||
2nDb9Mwrxmxhl2vQBY1xRa8S51vDWsnLYEI2UdZmEm6cPaF7MYRbvjv0sE6+2OU5
|
||||
JAfm5RJxo+zZgLvCRwelQquTebTH51nu4npLVaa7WdPbL6cjnRR2L8O7o9dHGqSi
|
||||
iKnd3aLyXA66xenb6p4Z5tGk4A/iLm9pK1aP99h4RsIqNsRL3He7thnWL2sdEFL9
|
||||
mRqTwUKVyNW8EbN/agFlJKovoDABZ/hT13QDk8eRSpYfgcu7GaDPI1rzJiv8gYbD
|
||||
+2cGKw1KyANxeg+6FV3r0veSuG7WSpl1qjT19xz4kh29KN2uGjzcp1tnH3f13wAR
|
||||
AQABiQI+BBgBAgAJBQJYG7DGAhsCASkJEIsbA/1U4qwHwF0gBBkBAgAGBQJYG7DG
|
||||
AAoJELkGmxM1cAzcipIIAIP9d+NwVFJNl+Vs1G47BJRSuCi/nUkJETF6do6wvIqO
|
||||
Wfk/jy7o0BPbuhge63yvNbNQZphO9kkIeyHSR+Traor7sxfuRvOXK5oD+ayimeKl
|
||||
H2IX6Ls4bAm3LTg6v9iwylgcv6Zieydljtsw+RRzdIZJDTKvxjkrHHsi5WZGzzTH
|
||||
Nt3za6g21agcOt9ZAe3hHAF65+zOm5Fas9nAV/IFqMNLHcjH9ZmB4+fupaCcMrPb
|
||||
uFR1t0I6Udt3vab5/xf0nG2c9NUj8rzVYkS7gWVdxbhCBNW6cr1y/W4b7epi5eZZ
|
||||
FBLyiXy1ttizTZ3g0E5oLYfge69lxpolSSU0++eTbxqHcgf/ahzLYoH1Y0eKmZ18
|
||||
k/9uwOKLW/2geey8K5a6XdC0lB8t6XCDz2XD+KVZMge1xgcKDGptc3xj/hjf+1yH
|
||||
X78yqnK1+DNooBxyvtQZPOOQ3bIrzSsjs0jFJxt6XMF0seegZtd2V1CM6TmQQs8g
|
||||
dFhiXGN7O9XbdhbxWEflY8HCG6MqwhFkf34YVe9KXy+hoAC7Ej+rjB0pDzz723tg
|
||||
ogtZJaL3dfACaXdO8fCy/3bmvPa/g2Ams8fsPxNNa0TojtJzV/IDwL4gD13EWuCY
|
||||
nGy6YecLNvkugznb5oWBkwx6Vkhm+C9Y8oEP+3OTGh/jxZwrZrFZAkLQ6kEKphyV
|
||||
A5imSQ==
|
||||
=UUHw
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
Reference in New Issue
Block a user