
missing public key that we can use to verify OKD release downloads #2092

Open
dustymabe opened this issue Jan 15, 2025 · 3 comments

Comments

@dustymabe

dustymabe commented Jan 15, 2025

The most recent release page (4.17.0-okd-scos.0) mentions:

To verify the contents of this directory, use the 'gpg' and 'shasum' tools

but I can't find any public key uploaded anywhere to do that verification.

We need to make this available. It would probably be good to have it distributed by an avenue other than GitHub, e.g. https://okd.io/?

@Prashanth684

The GPG key used to sign releases resides in the Mass Open Cloud cluster, which is used to build the releases. It makes sense to have this key be publicly available. @JaimeMagiera, thoughts on where it should reside? We should bring this topic up in the next community meeting.

@JaimeMagiera
Contributor

JaimeMagiera commented Jan 15, 2025

I have some thoughts, but let's bring it up in the meeting to give everyone a chance to chime in. Thanks for bringing this to our attention @dustymabe

@BeardOverflow

BeardOverflow commented Jan 23, 2025

A brief off-topic note: there is a container signature verification mechanism that you can use as an alternative.

See: https://github.com/okd-project/okd-release-pipeline/blob/main/base/tekton.dev/tasks/verify-release.yaml

Important note: this only works for the registry.ci.openshift.org repository, not for the quay.io mirror!

First, find the sha256 repo digest:

$ podman inspect registry.ci.openshift.org/origin/release-scos:4.17.0-okd-scos.2 | jq -r '.[0].RepoDigests[] | select(contains("registry.ci.openshift.org/origin/release-scos"))' | cut -d: -f2

86eae13f86908aa4673750f35a28a4aac124dd53c739c58379559cf3af03faff

$ oc adm release info registry.ci.openshift.org/origin/release-scos:4.17.0-okd-scos.2 | grep '^Digest' | cut -d: -f3

86eae13f86908aa4673750f35a28a4aac124dd53c739c58379559cf3af03faff

Before (public key not imported):

$ curl "https://storage.googleapis.com/openshift-ci-release/releases/signatures/openshift/release/sha256=86eae13f86908aa4673750f35a28a4aac124dd53c739c58379559cf3af03faff/signature-1" -o- | gpg -d

{
  "critical": {
    "type": "atomic container signature",
    "image": {
      "docker-manifest-digest": "sha256:86eae13f86908aa4673750f35a28a4aac124dd53c739c58379559cf3af03faff"
    },
    "identity": {
      "docker-reference": "quay.io/okd/scos-release:4.17.0-okd-scos.2"
    }
  },
  "optional": {
    "creator": "openshift release-controller",
    "timestamp": 1737391869
  }
}
gpg: Signature made Mon 20 Jan 2025 17:51:09 CET
gpg:                using RSA key FE526D8F6FEDC123BE219E45CF4B45E2071F0337
gpg: Can't check signature: No public key

Importing the public key:

$ curl -Lv "https://raw.githubusercontent.com/openshift/cluster-update-keys/master/keys/verifier-public-key-openshift-ci-3" | gpg --import

gpg: key CF4B45E2071F0337: public key "openshift-ci-release-key (This key is used to sign releases from the OpenShift CI system) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

After (public key imported):

$ curl "https://storage.googleapis.com/openshift-ci-release/releases/signatures/openshift/release/sha256=86eae13f86908aa4673750f35a28a4aac124dd53c739c58379559cf3af03faff/signature-1" -o- | gpg -d

{
  "critical": {
    "type": "atomic container signature",
    "image": {
      "docker-manifest-digest": "sha256:86eae13f86908aa4673750f35a28a4aac124dd53c739c58379559cf3af03faff"
    },
    "identity": {
      "docker-reference": "quay.io/okd/scos-release:4.17.0-okd-scos.2"
    }
  },
  "optional": {
    "creator": "openshift release-controller",
    "timestamp": 1737391869
  }
}
gpg: Signature made Mon 20 Jan 2025 17:51:09 CET
gpg:                using RSA key FE526D8F6FEDC123BE219E45CF4B45E2071F0337
gpg: Good signature from "openshift-ci-release-key (This key is used to sign releases from the OpenShift CI system) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FE52 6D8F 6FED C123 BE21  9E45 CF4B 45E2 071F 0337

I don't know the context of this signature mechanism or if it will be valid in the future. I found it while searching for.
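The manual steps in the comment above stop at "Good signature", which only tells you that the signature checks out under some key in your keyring. Before trusting a release on that basis, a practitioner also wants to pin the signing key's fingerprint and compare the claims inside the signed payload (manifest digest, image reference) against the image that was actually pulled. The following script is an added example, not OKD's or OpenShift's own tooling: it parses the atomic-container-signature payload shape shown in the comment without depending on jq, parses gpg's machine-readable `--status-fd` output, and applies those checks. The sample payload and status lines are constructed for the offline demo and mirror the values quoted in the thread; `verify_signature_file` is the network/gpg-dependent wrapper that ties them together.

```shell
#!/bin/sh
# Added example (not OKD's own tooling): verify an "atomic container signature"
# payload with the checks that "gpg: Good signature" alone does not give you:
#   1. the signing key's fingerprint equals the one you pinned,
#   2. the signed payload names the manifest digest you actually pulled,
#   3. the signed payload names the image reference you expect.
# Pinned/expected values are taken from the thread for illustration; pin your own.

PINNED_FPR="FE526D8F6FEDC123BE219E45CF4B45E2071F0337"
EXPECTED_DIGEST="sha256:86eae13f86908aa4673750f35a28a4aac124dd53c739c58379559cf3af03faff"
EXPECTED_REF="quay.io/okd/scos-release:4.17.0-okd-scos.2"

# Pull one string field "key": "value" out of a pretty-printed or compact JSON
# payload. Only adequate because the atomic-signature payload has a fixed shape.
json_field() {
    # $1 = payload JSON, $2 = key name
    printf '%s' "$1" | tr -d '\n' | grep -o "\"$2\": *\"[^\"]*\"" | head -n1 \
        | sed 's/.*: *"\([^"]*\)"$/\1/'
}

# Returns 0 only when the signed claims match what we pulled / intend to run.
check_payload() {
    # $1 = payload JSON, $2 = expected digest ("sha256:..."), $3 = expected image reference
    ptype=$(json_field "$1" "type")
    digest=$(json_field "$1" "docker-manifest-digest")
    ref=$(json_field "$1" "docker-reference")
    [ "$ptype" = "atomic container signature" ] || { echo "unexpected payload type: $ptype" >&2; return 1; }
    [ "$digest" = "$2" ] || { echo "digest mismatch: signed $digest, pulled $2" >&2; return 1; }
    [ "$ref" = "$3" ] || { echo "identity mismatch: signed $ref, expected $3" >&2; return 1; }
    return 0
}

# Parse `gpg --status-fd 1` output. GOODSIG is emitted for any key in the keyring;
# VALIDSIG carries the full fingerprint, and on modern gpg its last field is the
# primary key fingerprint, which is the value to compare against the pin.
check_validsig() {
    # $1 = gpg status output, $2 = pinned primary key fingerprint
    fpr=$(printf '%s\n' "$1" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $NF; exit}')
    [ -n "$fpr" ] || { echo "no VALIDSIG line: signature did not verify" >&2; return 1; }
    [ "$fpr" = "$2" ] || { echo "signed by $fpr, not the pinned key $2" >&2; return 1; }
    return 0
}

# End-to-end check of a signature file as served by the signature store
# (an inline-signed OpenPGP message). Needs gpg and the imported key; not run offline.
verify_signature_file() {
    # $1 = signature file, $2 = expected digest, $3 = expected reference, $4 = pinned fingerprint
    status=$(gpg --batch --status-fd 1 --output "$1.payload" --decrypt "$1" 2>/dev/null) || true
    check_validsig "$status" "$4" || return 1
    check_payload "$(cat "$1.payload")" "$2" "$3"
}

# Constructed sample payload (same shape and values as quoted in the thread).
SAMPLE_PAYLOAD='{
  "critical": {
    "type": "atomic container signature",
    "image": { "docker-manifest-digest": "sha256:86eae13f86908aa4673750f35a28a4aac124dd53c739c58379559cf3af03faff" },
    "identity": { "docker-reference": "quay.io/okd/scos-release:4.17.0-okd-scos.2" }
  },
  "optional": { "creator": "openshift release-controller", "timestamp": 1737391869 }
}'

# Constructed `gpg --status-fd 1` lines in the real format; timestamps illustrative.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CF4B45E2071F0337 openshift-ci-release-key
[GNUPG:] VALIDSIG FE526D8F6FEDC123BE219E45CF4B45E2071F0337 2025-01-20 1737391869 0 4 0 1 8 00 FE526D8F6FEDC123BE219E45CF4B45E2071F0337
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Offline demo of the two checks on the constructed samples.
if check_validsig "$SAMPLE_STATUS" "$PINNED_FPR" && check_payload "$SAMPLE_PAYLOAD" "$EXPECTED_DIGEST" "$EXPECTED_REF"; then
    echo "signature key pinned and payload claims match"
fi
```

Note that the "[unknown]" trust warning gpg prints in the thread is expected: the key is not in any web of trust, so pinning the fingerprint out of band is what stands in for that trust. The identity check is deliberately strict: if you pull from a mirror whose name differs from the `docker-reference` in the signed payload, the check fails, which is exactly the property the identity field exists to provide.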
