Switching signing of artefacts to LF id #6332

Open
planetf1 opened this issue Mar 18, 2022 · 3 comments
Assignees: planetf1
Labels: build-improvement (Build improvements - maven, gradle, GitHub actions), cross-project (Apply to many repositories in odpi/*), github (Actions, repository moves, admin), pinned (Keep open, do not time out), security (Security related, high priority)

Comments

@planetf1 (Member)

Currently I sign the release artefacts. This was needed in lieu of an LF process to perform this signing as part of a GitHub Action.

The LF have now completed the prep work to enable signing in a GitHub Action environment.

Opening this issue to track the switch-over to LF signing ids.

@planetf1 planetf1 self-assigned this Mar 18, 2022
@planetf1 planetf1 added the build-improvement Build improvements - maven, gradle, GitHub actions label Mar 18, 2022

@github-actions (bot)

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the no-issue-activity Issues automatically marked as stale because they have not had recent activity. label May 18, 2022
@planetf1 planetf1 added pinned Keep open (do not time out) and removed no-issue-activity Issues automatically marked as stale because they have not had recent activity. labels May 23, 2022
@planetf1 planetf1 added github Actions, repository moves, admin security Security related (high priority) labels Aug 24, 2022
@planetf1 planetf1 added the cross-project Apply to many repositories in odpi/* label Dec 5, 2022
@planetf1 (Member, Author)

As a short-term fix, I suggest you may wish the pipelines to be signed by @mandy-chessell or @lpalashevski.

GitHub secrets are used to store them; see https://egeria-project.org/guides/contributor/release-process/secrets/?h=secrets (the secrets beginning OSSRH_GPG).

Some useful docs on creating a GPG key can be found at https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key

GPG can be installed on macOS via Homebrew.

The long-term fix is to work with the LF on migrating to their new signing process, but this will take some refactoring of the pipelines.
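The comment above describes the short-term arrangement: a maintainer's GPG private key and passphrase are held in repository secrets (the OSSRH_GPG* entries) and the pipeline uses them to sign release artefacts. The script below is an added example, not Egeria's own pipeline code and not something the commenter posted: it shows the minimal shape of that step, importing a key delivered through environment variables into an isolated keyring, producing the detached `.asc` signature OSSRH expects beside each artefact, and verifying it before the job continues. The variable names SIGNING_GPG_KEY and SIGNING_GPG_PASSPHRASE are assumptions standing in for the project's real secret names, which the issue does not give; it assumes GnuPG 2.1 or later (for `--pinentry-mode loopback`).

```shell
#!/bin/sh
# Added example, not Egeria's pipeline code: sign a release artefact with a
# GPG key supplied through environment variables (the way a GitHub Actions job
# receives repository secrets) and verify the detached signature afterwards.
# SIGNING_GPG_KEY and SIGNING_GPG_PASSPHRASE are assumed names standing in for
# the project's OSSRH_GPG* secrets, whose exact names the issue does not give.
set -eu

# Isolated keyring for this job only, so the runner's default ~/.gnupg is never
# touched and nothing survives once the directory is removed.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"

# Import an ASCII-armoured private key (passed as $1) and print the fingerprint
# of the primary key, so later steps can pin --local-user to it explicitly
# instead of relying on whichever key gpg picks by default.
import_signing_key() {
    printf '%s\n' "$1" | gpg --batch --quiet --import
    gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Detached, ASCII-armoured signature <artefact>.asc, the form OSSRH / Maven
# Central expects next to each artefact. Loopback pinentry supplies the
# passphrase non-interactively, which a headless job needs.
sign_artefact() {
    artefact=$1; fpr=$2; passphrase=$3
    gpg --batch --yes --pinentry-mode loopback --passphrase "$passphrase" \
        --local-user "$fpr" --armor --detach-sign --output "$artefact.asc" "$artefact"
}

# Exit status 0 only if <artefact>.asc is a good signature over <artefact>
# by a key in the keyring; any change to the file makes this fail.
verify_artefact() {
    gpg --batch --verify "$1.asc" "$1" 2>/dev/null
}

# Throwaway key for a local dry run, created in its own temporary GNUPGHOME.
# A real pipeline never generates its key inside the job; it imports the
# maintainer's (or, after the switch, the LF's) key from secrets.
make_demo_key() {
    tmp=$(mktemp -d)
    chmod 700 "$tmp"
    GNUPGHOME=$tmp gpg --batch --quiet --pinentry-mode loopback --passphrase "$1" \
        --quick-generate-key "demo-signer <demo@example.invalid>" ed25519 sign 1d
    GNUPGHOME=$tmp gpg --batch --pinentry-mode loopback --passphrase "$1" \
        --armor --export-secret-keys
}

# Dry run with a generated key:  SIGNING_DEMO=1 sh sign-artefact.sh <file-to-sign>
# In the pipeline, drop make_demo_key and populate the two variables from secrets.
if [ "${SIGNING_DEMO:-0}" = 1 ]; then
    SIGNING_GPG_PASSPHRASE=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    SIGNING_GPG_KEY=$(make_demo_key "$SIGNING_GPG_PASSPHRASE")
    fpr=$(import_signing_key "$SIGNING_GPG_KEY")
    sign_artefact "$1" "$fpr" "$SIGNING_GPG_PASSPHRASE"
    verify_artefact "$1"
    echo "signed $1 with $fpr, signature in $1.asc"
fi
```

Two points matter for a key that belongs to an individual rather than to a release role: pin the signing key by fingerprint rather than by user id, so a stray extra key in the keyring cannot be used silently, and verify the `.asc` in the same job, since a bad passphrase or a missing secret otherwise surfaces only when OSSRH rejects the upload. Migrating to the LF signing ids changes where the key comes from, not this step.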
