On Tuesday, 25 July 2017, 22:57:51 CEST, Santiago Torres wrote: ...
> 1. We were envisioning the actual obs deployment to authenticate checkouts using an opensuse-held key and signing in-toto link metadata. Similar to how push-certs/tags/evtags work for git.
Projects usually have their own keys, so it may make sense to use these instead of a global key (which also exists)?
> 2. Likewise, it'd be good to authenticate builds/packages that were produced with obs (in the same way it is done today). We were thinking that this would be possible to add as an output option for a build result. It could be as simple as using our wrapper to wrap the rpmbuild step in the obs scripts folder as a first stab at the issue.
You could have a build-time source service that processes the sources before running rpmbuild. Please note that files like spec files might still get modified during the build here. http://openbuildservice.org/help/manuals/obs-reference-guide/cha.obs.source_...
> 3. We agree that integrating in-toto signing for link metadata on the developer side may probably be easier to do using an osc plugin. Is there a repository for such plugins? Or how are they usually distributed?
Usually each plugin has its own repository. The factory maintainers have this one, for example: https://github.com/openSUSE/osc-plugin-factory

--
Adrian Schroeter
email: adrian@suse.de
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5, 90409 Nürnberg, Germany
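As an added illustration of point 2 (wrapping the rpmbuild step so the build result carries in-toto link metadata) and of Adrian's caveat that spec files may be modified during the build: the example below is not code from the thread, from in-toto or from OBS. It is a minimal stand-alone wrapper that hashes the working tree before and after a build command and assembles the "signed" body of an in-toto link (materials, products, command, byproducts), which is what the real `in-toto-run` records before signing it with the step or project key. Signing is left out because the standard library has no Ed25519/RSA; the step name, the working directory layout and the stand-in build command (a Python one-liner that writes a fake .rpm and appends to the spec, instead of rpmbuild) are all constructed for the demo.

```python
"""
Added example: record in-toto-style link metadata for a wrapped build step.
Not in-toto's own code; the link body mirrors the in-toto link format
(materials/products keyed by relative path with sha256), but the signature
the real tool adds with the project key is omitted here.
"""
import hashlib
import json
import os
import subprocess
import sys
import tempfile


def hash_tree(root):
    """Map every regular file under root (relative path) to its sha256 digest."""
    artifacts = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            artifacts[rel] = {"sha256": digest.hexdigest()}
    return artifacts


def record_link(step_name, command, workdir):
    """Run `command` inside workdir and return the unsigned link body.

    Materials are the tree before the command, products the tree after it;
    stdout/stderr/return code go into byproducts, as in-toto-run does.
    """
    materials = hash_tree(workdir)
    proc = subprocess.run(command, cwd=workdir, capture_output=True, text=True)
    products = hash_tree(workdir)
    return {
        "_type": "link",
        "name": step_name,
        "command": list(command),
        "materials": materials,
        "products": products,
        "byproducts": {
            "stdout": proc.stdout,
            "stderr": proc.stderr,
            "return-value": proc.returncode,
        },
        "environment": {},
    }


def changed_products(link):
    """Paths that are new or whose hash differs from the material of the same path.

    This is where a spec file rewritten during the build shows up: it is a
    material and a product, but with two different digests.
    """
    return sorted(path for path, digest in link["products"].items()
                  if link["materials"].get(path) != digest)


def link_to_json(link):
    """Deterministic serialisation (sorted keys, no extra whitespace)."""
    return json.dumps(link, sort_keys=True, separators=(",", ":"))


def demo():
    """Constructed build: one spec file in, one fake rpm out, spec modified in place."""
    workdir = tempfile.mkdtemp(prefix="obs-link-")
    with open(os.path.join(workdir, "hello.spec"), "w") as fh:
        fh.write("Name: hello\nVersion: 1.0\n")  # constructed stand-in for a real spec
    # Constructed stand-in for rpmbuild: writes a product and, like a real
    # build can, appends to the spec file.
    command = [sys.executable, "-c",
               "open('hello-1.0.rpm','wb').write(b'not a real rpm');"
               "open('hello.spec','a').write('Release: 1\\n')"]
    return record_link("build", command, workdir)


if __name__ == "__main__":
    result = demo()
    print(link_to_json(result))
    print("changed:", changed_products(result))
```

Running the demo prints a link whose `materials` list only `hello.spec`, whose `products` list both files, and whose `changed_products` include the spec itself, which is exactly the case a layout verifier would flag if the supply-chain layout expects the spec to pass through the build step unmodified.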