GPG sign notes & git tags

From Yocto Project
Revision as of 22:30, 7 June 2024 by MichaelHalstead (talk | contribs) (Create docs for release signing practices)

Release notes are reviewed by the Yocto Project TSC, the release manager, and the infrastructure lead before signing.

Git tags are saved as part of the build process. They are reviewed by the release manager and the infrastructure lead before signing.

Artefacts themselves are not signed. They are not intended to run outside of testing and exist primarily to show what was tested.

Tags and release notes for the Yocto Project are signed with a dedicated build and release GPG key. This key is available from the Yocto Project and from kernel.org. Primary key fingerprint: 2AFB 13F2 8FBB B0D1 B9DA F630 87EB 3D32 FB63 1AD9. This key is signed by the previous release key and by the infrastructure lead.

The key itself was generated on an air-gapped machine using a LiveCD downloaded from the Fedora Linux project and properly verified. The signing subkeys were transferred to a pair of Yubikey hardware tokens: one for the release engineer and one for the infrastructure lead. Since then the Yocto Project has only used these OpenPGP smartcards for signing git tags and release notes.


To verify release notes
curl -O https://downloads.yoctoproject.org/releases/yocto/keys/yocto-release-key.asc
gpg --import yocto-release-key.asc
curl -O https://downloads.yoctoproject.org/releases/yocto/yocto-5.0/RELEASENOTES
gpg --verify RELEASENOTES

To verify git tags in the poky repo
curl -O https://downloads.yoctoproject.org/releases/yocto/keys/yocto-release-key.asc
gpg --import yocto-release-key.asc
git clone https://git.yoctoproject.org/poky
cd poky
git tag --verify yocto-5.0
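The two procedures above end with `gpg --verify` and `git tag --verify`, both of which report "Good signature" for any key that has been imported, not specifically for the Yocto release key. The check a practitioner wants on top is that the signature chains to the published primary key fingerprint. Since the release key signs with subkeys held on hardware tokens, the fingerprint of the key that made the signature is a subkey fingerprint; gpg's machine-readable status output (`VALIDSIG`) carries the primary key fingerprint as its last field, which is what should be compared against the fingerprint on this page. The following script is an added example, not part of the Yocto Project page or its tooling; the sample status lines are constructed (the subkey fingerprint and user id in them are placeholders), and the helper names `check_status`, `gpg_status_for_file` and `git_tag_status` are this example's own.

```python
import re
import subprocess

# Primary key fingerprint as published on the Yocto Project wiki page.
YOCTO_PRIMARY_FPR = "2AFB 13F2 8FBB B0D1 B9DA F630 87EB 3D32 FB63 1AD9"

# gpg status tags that mean the signature must not be accepted.
FAILURE_TAGS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY", "EXPSIG"}


def normalize_fpr(fpr):
    """Strip whitespace and upper-case a fingerprint so display and raw forms compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def check_status(status_text, expected_primary_fpr=YOCTO_PRIMARY_FPR):
    """Parse gpg --status-fd output and decide whether the signature is good
    AND was made under the expected primary key. Returns (ok, reason)."""
    expected = normalize_fpr(expected_primary_fpr)
    saw_goodsig = False
    primary = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in FAILURE_TAGS:
            return False, f"gpg reported {tag}"
        if tag == "GOODSIG":
            saw_goodsig = True
        if tag == "VALIDSIG":
            # VALIDSIG <signing-key-fpr> <date> <ts> <expire> <ver> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
            # fields[2] is the (sub)key that made the signature; the optional
            # trailing field is the primary key it belongs to.
            signing_fpr = fields[2]
            primary = fields[11] if len(fields) >= 12 else signing_fpr
    if not saw_goodsig or primary is None:
        return False, "no GOODSIG/VALIDSIG in gpg status output"
    if normalize_fpr(primary) != expected:
        return False, f"signed by primary key {primary}, expected {expected}"
    return True, "good signature from the expected primary key"


def gpg_status_for_file(path):
    """Run gpg --verify on a clearsigned file (e.g. RELEASENOTES) and return its status lines."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return proc.stdout


def git_tag_status(tag, repo="."):
    """git verify-tag --raw prints gpg's raw status output to stderr."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return proc.stderr


# Constructed sample status output: good signature by a placeholder subkey
# whose primary key is the published Yocto release key.
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Placeholder Release Signing Key <placeholder@example.invalid>
[GNUPG:] VALIDSIG 00000000000000000000000001234567890ABCDEF 2024-04-30 1714478400 0 4 0 22 8 01 2AFB13F28FBBB0D1B9DAF63087EB3D32FB631AD9
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: a valid signature, but from some other imported key.
SAMPLE_WRONG_KEY = SAMPLE_GOOD.replace(
    "2AFB13F28FBBB0D1B9DAF63087EB3D32FB631AD9",
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")

# Constructed: tampered content.
SAMPLE_BADSIG = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Placeholder Release Signing Key <placeholder@example.invalid>
"""

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("wrong key", SAMPLE_WRONG_KEY), ("badsig", SAMPLE_BADSIG)]:
        print(name, check_status(sample))
    # Live use after running the commands on the page:
    #   print(check_status(gpg_status_for_file("RELEASENOTES")))
    #   print(check_status(git_tag_status("yocto-5.0", repo="poky")))
```

Run the script as-is to see the three constructed cases; uncomment the last two lines after following the page's curl/gpg/git steps to check a real RELEASENOTES file or the yocto-5.0 tag. `TRUST_UNDEFINED` is deliberately not treated as a failure: a freshly imported key has no web-of-trust path, and the fingerprint comparison against the published value is the trust decision here.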