Support trusting custom keys for custom bootstrap repositories. #38

Open · nuclearsandwich opened this issue Dec 23, 2020 · 2 comments
Labels: enhancement (New feature or request)

@nuclearsandwich (Collaborator)

It's currently possible to specify a custom bootstrap repository URL and signing key ID, but the cookbook does not directly support trusting custom keys.

The workaround available right now is to add your own recipe to the run list which imports the appropriate key after this cookbook is run.

Before we add this feature I'd like to work with @cottsay to see if we can/should move all GPG usage into the gpg-vault user and manage both public and private keys there.
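A check a custom recipe of the kind described above should make before importing a key into the repository user's keyring: pin the key file to an expected fingerprint so a swapped or extra key is refused. This is an added example, not code from the cookbook or from the thread; the gpg invocation shown in the comment is real, while the key records and fingerprints below are constructed sample data.

```ruby
# Parses the machine-readable output of
#   gpg --with-colons --import-options show-only --import custom-key.asc
# In that format "fpr" records carry the full fingerprint in field 10,
# and each "fpr" belongs to the "pub" or "sub" record just before it.

# All fingerprints (primary key and subkeys) found in the output.
def fingerprints_from_colons(output)
  output.each_line.filter_map do |line|
    fields = line.chomp.split(":", -1)
    fields[9].to_s.upcase if fields[0] == "fpr"
  end
end

# True only when the file holds exactly one primary key and its
# fingerprint equals the pinned value (spaces and case are ignored).
# Subkey fingerprints deliberately do not satisfy the check.
def trusted_key?(output, expected_fpr)
  expected = expected_fpr.delete(" ").upcase
  primary_fprs = []
  awaiting_primary = false
  output.each_line do |line|
    fields = line.chomp.split(":", -1)
    case fields[0]
    when "pub" then awaiting_primary = true
    when "sub" then awaiting_primary = false
    when "fpr"
      primary_fprs << fields[9].upcase if awaiting_primary
      awaiting_primary = false
    end
  end
  primary_fprs.size == 1 && primary_fprs.first == expected
end

# Constructed sample (not a real key): one primary key plus one subkey.
SAMPLE = <<~GPG
  pub:-:4096:1:0123456789ABCDEF:1608681600:::-:::scESC::::::23::0:
  fpr:::::::::0000111122223333444455556666777788889999:
  uid:-::::1608681600::0000000000000000000000000000000000000000::Example Bootstrap Key <example@example.invalid>::::::::::0:
  sub:-:4096:1:FEDCBA9876543210:1608681600::::::e::::::23:
  fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF00001111222233334444:
GPG

# Fingerprint the recipe would carry as a pinned attribute (constructed).
PINNED = "0000 1111 2222 3333 4444  5555 6666 7777 8888 9999"

if __FILE__ == $PROGRAM_NAME
  puts(trusted_key?(SAMPLE, PINNED) ? "fingerprint matches, importing" : "fingerprint mismatch, refusing to import")
end
```

Only after this check passes would the recipe run the real import into the jenkins-agent user's keyring.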

@cottsay (Member) commented Dec 24, 2020

> move all GPG usage into the gpg-vault user and manage both public and private keys there

I think the private keys for signing are already imported there so the remaining work is only to update the jenkins-agent user to start using the vault.

The way we're using the GPG agent, you can't actually share public keys. In fact, each user that accesses the vault must already have the public key that corresponds to the private key they wish to use. We could probably declare a common location to store public keys, but I don't think it can be done through the GPG vault's agent.

@nuclearsandwich (Collaborator, Author)

Thanks for the context. It sounds like the repository user (jenkins-agent by default) should be the designated keeper of the public keys needed on the repository host and the gpg-vault user holds the private keys.
