Current situation
I would like to be able to verify images and other artifacts downloaded using a Flatcar system. Currently, this requires fetching the signing key from the internet. However, presumably the update engine is verifying images. It would be very helpful to have access to the same key instead of downloading a separate copy, as it would be both secure and convenient.
Impact
It makes writing scripts (e.g. the one in #21) easier and more secure.
Ideal future situation
The signing key is available in a documented and stable location.
Implementation options
/etc/flatcar/Flatcar_Image_Signing_Key.asc
Thanks, sounds like a good idea - so far the key was part of the flatcar-install script only.
In the meantime you can extract it from there:
GPG_KEY=$(tr '\n' '_' < /usr/bin/flatcar-install | grep -Po 'GPG_KEY="\K.*?(?=")' | tr '_' '\n')
The update-engine key is currently separate and only used for the update payloads, you can find it under /usr/share/update_engine/update-payload-key.pub.pem. I hope that one day this is a single key to avoid the confusion between signing images and updates.
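The extraction one-liner above depends on GNU grep's -P flag and leaves the key in a shell variable. The following is an added example (not code from the Flatcar project or from the commenter) showing the same idea as a small POSIX sh script: it pulls the multi-line GPG_KEY="..." block out of the installer with sed, sanity-checks that a complete armored key block came out, imports it into a throwaway GnuPG home directory so the caller's own keyring and trust database are not touched, and then runs gpg --verify on a downloaded image against its detached .sig. The function names (extract_gpg_key, key_looks_sane, verify_image), the assumption that the key is stored as a double-quoted GPG_KEY="..." string in /usr/bin/flatcar-install, and the sample installer script built by make_sample_script (which contains a constructed, non-functional key body) are all mine, not the project's.

```shell
#!/bin/sh
# Added example, not part of Flatcar: extract the image-signing key from the
# flatcar-install script and verify a downloaded image with it offline.
set -eu

# extract_gpg_key FILE: print the armored public key stored as GPG_KEY="..."
# in FILE (assumed layout). The block spans many lines, so take everything
# from the line opening the quoted string to the line ending with the closing
# quote, then strip the GPG_KEY=" prefix and the trailing quote.
extract_gpg_key() {
    sed -n '/^GPG_KEY="/,/"$/p' "$1" \
      | sed -e 's/^GPG_KEY="//' -e 's/"$//'
}

# key_looks_sane KEYTEXT: refuse an empty or truncated extraction so that a
# changed installer layout fails loudly instead of yielding an empty keyring.
key_looks_sane() {
    printf '%s\n' "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$' &&
    printf '%s\n' "$1" | grep -q '^-----END PGP PUBLIC KEY BLOCK-----$'
}

# verify_image IMAGE SIG [SCRIPT]: import the extracted key into an isolated
# --homedir and verify SIG over IMAGE. Nothing is downloaded; the exit status
# is gpg's, so a bad or missing signature makes the caller fail under set -e.
verify_image() {
    image=$1; sig=$2; script=${3:-/usr/bin/flatcar-install}
    key=$(extract_gpg_key "$script")
    key_looks_sane "$key" || { echo "no key block found in $script" >&2; return 2; }
    home=$(mktemp -d)
    trap 'rm -rf "$home"' EXIT
    chmod 700 "$home"
    printf '%s\n' "$key" | gpg --homedir "$home" --batch --quiet --import
    gpg --homedir "$home" --batch --verify "$sig" "$image"
}

# make_sample_script PATH: write a constructed stand-in for flatcar-install.
# The key body is placeholder text, not a real key; it only exercises the
# extraction logic.
make_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/bash
GPG_KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: constructed-for-example

mQINBEXAMPLEKEYDATA
=AbCd
-----END PGP PUBLIC KEY BLOCK-----"
echo "rest of installer"
EOF
}

# Stand-alone demo of the extraction step on the constructed script:
#   sh verify_flatcar_image.sh --demo
# Real use:  verify_image flatcar_production_qemu_image.img.bz2 \
#                         flatcar_production_qemu_image.img.bz2.sig
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_script "$tmp"
    extract_gpg_key "$tmp"
    rm -f "$tmp"
fi
```

Using a fresh --homedir for every verification keeps the check reproducible: the trust decision rests only on the key shipped inside the installer, not on whatever else happens to be in ~/.gnupg, and no temporary keyring is left behind after the script exits.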