Add documentation for signing artifacts #2382
Conversation
Signed-off-by: Sayali Gaikawad <gaiksaya@amazon.com>
README.md
Outdated
| Windows code signing uses EV (Extended Validated) code signing certificates. | ||
|
|
||
|
|
||
| **MacOS:** |
There was a problem hiding this comment.
Our signing workflow doesn't support signing for MacOS at this time but the signer client does.
There was a problem hiding this comment.
I think @prudhvigodithi is working on adding it. In that case I'll remove everything related to macos for now. We can add back when we add macos signing functionality
Signed-off-by: Sayali Gaikawad <gaiksaya@amazon.com>
README.md
Outdated
| | RPM | SHA512 | RSA | 4096 | | ||
|
|
||
|
|
||
| **Signing RPM artifacts:** |
There was a problem hiding this comment.
Also for RPM artifacts signing, I think we only signing them via jenkins signArtifacts library, which is not related to our internal signer client. Should we also include it here?
Or we could separate this from PGP or windows signing (which uses signer client) cause in line 128 you say "We use the client for all types of signing"
WDYT? cc. @peterzhuamazon
There was a problem hiding this comment.
Signing RPM artifacts is a different category I have added that it is yet to be integrated with signer client in the description.
README.md
Outdated
| @@ -125,12 +125,33 @@ See [src/test_workflow](./src/test_workflow) for more information. | |||
|
|
|||
| #### Signing Artifacts | |||
|
|
|||
| The signing step takes the manifest file created from the build step and signs all its component artifacts using a tool called `opensearch-signer-client` (in progress of being open-sourced). The input requires a path to the build manifest and is expected to be inside the artifacts directory with the same directories mentioned in the build step. | |||
| For all types of Signing within OpenSearch project we use `opensearch-signer-client` (in progress of being open-sourced) which is a wrapper around internal signing system and is only available for authenticated users. The input requires a path to the build manifest or directory containing all the artifacts or a single artifact. The tool currently supports following platforms for signing. | |||
|
|
||
| Usage: |
There was a problem hiding this comment.
It says above ".. supports the following platforms for signing" but then has usage. Split the paragraph above into usage and platforms.
README.md
Outdated
| ```bash | ||
| ./sign.sh builds/opensearch/manifest.yml | ||
| ``` | ||
|
|
||
| **PGP**: |
There was a problem hiding this comment.
Make these ##### sections, so they appear in TOC
README.md
Outdated
| ```bash | ||
| ./sign.sh builds/opensearch/manifest.yml | ||
| ``` | ||
|
|
||
| **PGP**: | ||
|
|
||
| Anything can be signed using PGP signing eg: tarball, any type of file, etc. A .sig file will be returned containing the signature. OpenSearch and OpenSearch dashboards distributions, components such as data prepper, etc as well as maven artifacts are signed using PGP signing. You can see how to verify the signatures by visiting the opensearch website (https://opensearch.org/verify-signatures.html). |
There was a problem hiding this comment.
Link opensearch website - I would say See [this page](https://opensearch.org/verify-signatures.html) for how to verify signatures.
README.md
Outdated
|
|
||
| **Windows:** | ||
|
|
||
| Windows signing can be used to sign windows executables such as .msi, .msp, .msm, .cab, .dll, .exe, .appx, .appxbundle, .msix, .msixbundle, .sys, .vxd, .ps1, .psm1, and any PE file that is supported by Signtool.exe (https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe). Various windows artifacts such as SQL OBDC, opensearch-cli, etc are signed using this method. |
README.md
Outdated
|
|
||
|
|
||
| **Signing RPM artifacts:** | ||
| We have an issue (https://github.com/opensearch-project/opensearch-build/issues/1547) open to add RPM signing functionality to the above signing system. However, temporarily we are signing the RPM artifacts via shell script which uses a macros template (https://github.com/opensearch-project/opensearch-build/blob/main/scripts/pkg/sign_templates/rpmmacros). More details in this commit (https://github.com/opensearch-project/opensearch-build/commit/950d55c1ed3f82e98120541fa40ff506338c1059). Currently we are only signing OpenSearch and OpenSearch dashboards RPM distribution using this method. |
There was a problem hiding this comment.
Generally avoid using "we".
You can say "RPMs are signed ..." and "See issue X ... for
|
@dblock Addressed all the comment. Please re-review. Thanks! |
README.md
Outdated
| | RPM | SHA512 | RSA | 4096 | | ||
|
|
||
|
|
||
| ### Signing RPM artifacts: |
There was a problem hiding this comment.
Super nit: these titles don’t need : and Should be Capitalized
Signed-off-by: Sayali Gaikawad gaiksaya@amazon.com
Description
Adds documentation for signing artifacts
Issues Resolved
resolves #1502
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.