[RFE] Include the image signing key in an accessible place in every system #1115

Open
neilmayhew opened this issue Jul 16, 2023 · 4 comments
Labels
kind/feature A feature request

Comments

@neilmayhew

Current situation

I would like to be able to verify images and other artifacts downloaded using a Flatcar system. Currently, this requires fetching the signing key from the internet. However, presumably the update engine is verifying images. It would be very helpful to have access to the same key instead of downloading a separate copy, as it would be both secure and convenient.

Impact

It makes writing scripts (e.g. the one in #21) easier and more secure.

Ideal future situation

The signing key is available in a documented and stable location.

Implementation options

/etc/flatcar/Flatcar_Image_Signing_Key.asc

@neilmayhew neilmayhew added the kind/feature A feature request label Jul 16, 2023
@pothos
Member

pothos commented Jul 17, 2023

Thanks, sounds like a good idea - so far the key was part of the flatcar-install script only.
In the meantime you can extract it there:
GPG_KEY=$(tr '\n' '_' < /usr/bin/flatcar-install | grep -Po 'GPG_KEY="\K.*?(?=")' | tr '_' '\n')
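
An added example, not part of the comment above and not Flatcar project code: a POSIX shell version of that extraction which checks that it got one complete armored key block, then verifies a detached signature against a throwaway keyring holding only that block. The multi-line GPG_KEY="..." layout, the function names and the sample installer are assumptions.

```shell
# Added example, not Flatcar project code. Assumes the installer stores the
# armored key in a multi-line GPG_KEY="..." assignment.

# Print the first GPG_KEY="..." value in file $1 without rewriting any
# characters; fail unless it is one complete armored public key block.
extract_signing_key() (
    key=$(awk '
        !inkey && index($0, "GPG_KEY=\"") { inkey = 1; sub(/^.*GPG_KEY="/, "") }
        !inkey { next }
        { line = $0; closed = sub(/".*$/, "", line) }
        length(line) || !closed { print line }
        closed { exit }
    ' "$1") || exit 1
    case $key in
        "-----BEGIN PGP PUBLIC KEY BLOCK-----"*"-----END PGP PUBLIC KEY BLOCK-----")
            printf '%s\n' "$key" ;;
        *)  echo "no complete key block found in $1" >&2; exit 1 ;;
    esac
)

# Verify detached signature $3 over artifact $2 with the key from installer $1.
# The throwaway keyring holds nothing else, so only keys from that block can validate it.
verify_artifact() (
    home=$(mktemp -d) || exit 1
    trap 'rm -rf "$home"' EXIT
    extract_signing_key "$1" > "$home/key.asc" || exit 1
    gpg --homedir "$home" --batch --quiet --import "$home/key.asc" || exit 1
    gpg --homedir "$home" --batch --verify "$3" "$2"
)

# Constructed stand-in for the installer; the key body is a placeholder, not a real key.
sample_installer() {
    cat <<'EOF'
#!/bin/bash
GPG_KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: constructed_sample

Y29uc3RydWN0ZWQ=
=AAAA
-----END PGP PUBLIC KEY BLOCK-----
"
echo "installing"
EOF
}

# Usage on a Flatcar host (artifact and signature paths are placeholders):
#   verify_artifact /usr/bin/flatcar-install <artifact> <artifact>.sig
```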

@neilmayhew
Author

Thanks! I knew it must be somewhere but I didn't think of checking the install script.

Does the update engine verify signatures, too? If so, I assume the key isn't as easily extracted because it's a compiled binary rather than a script.

@pothos
Member

pothos commented Jul 17, 2023

The update-engine key is currently separate and only used for the update payloads; you can find it under /usr/share/update_engine/update-payload-key.pub.pem. I hope that one day this is a single key to avoid the confusion between signing images and updates.

@neilmayhew
Author

I see. Thanks for clarifying.
