This repository has been archived by the owner on Jul 30, 2020. It is now read-only.
Implement collection artifact signing.
(This is #201 split into two parts, one for chksum validation and this one for signature support.)
Use Case
What problem does this feature solve? Please describe.
Currently, there is no way to verify who created an ansible collection artifact. There is a detached sha256sum of the artifact calculated and included on 'mazer publish', but that does not provide any crypto signatures (i.e., a detached GPG signature).
Common practice for package and payload management tools is to provide a way for the artifact creator to cryptographically sign the artifacts. Typically, this is optional, but verification can be enforced at package install time (or for a tool like galaxy, when the artifact is uploaded to publish).
Currently, mazer supports neither signing nor verifying artifact signatures.
Proposed Solution
More than likely, something GPG based. That's the most commonly used approach.
Drawbacks: crypto is hard
Alternatives
Implementation
Likely emulate the workflow used by tools like dpkg, rpm, pip/PyPI, etc.
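The distinction the issue draws, a detached checksum giving integrity only while a detached signature over the artifact gives authenticity, as an added example that is not part of the issue or of mazer's code. It uses Ed25519 from Go's standard library in place of GPG so it runs offline; the `Publish`, `Install` and `Tamper` functions, the `Bundle` type and the artifact bytes are all constructed for illustration. The verifier trusts a publisher key pinned out of band, which is the same trust decision a GPG-based design would have to make.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Bundle is what a publisher would upload: the artifact bytes, the detached
// sha256 checksum, and a detached signature over the artifact bytes.
// (Constructed type for this example; mazer has no such struct.)
type Bundle struct {
	Artifact  []byte
	Sha256Hex string
	Signature []byte
}

func checksum(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// Publish stands in for a signing-capable "mazer publish": it computes the
// checksum and produces a detached signature with the publisher's private key.
func Publish(artifact []byte, priv ed25519.PrivateKey) Bundle {
	return Bundle{
		Artifact:  artifact,
		Sha256Hex: checksum(artifact),
		Signature: ed25519.Sign(priv, artifact),
	}
}

var (
	ErrChecksum  = errors.New("sha256 mismatch: artifact corrupted or altered")
	ErrSignature = errors.New("signature does not verify against the trusted publisher key")
)

// Install enforces both checks at install time: integrity via the checksum,
// then authenticity via the signature against a key the installer already
// trusts. The checksum alone would accept anything whose hash was recomputed.
func Install(b Bundle, trusted ed25519.PublicKey) error {
	if checksum(b.Artifact) != b.Sha256Hex {
		return ErrChecksum
	}
	if !ed25519.Verify(trusted, b.Artifact, b.Signature) {
		return ErrSignature
	}
	return nil
}

// Tamper models an attacker between publisher and installer who rewrites the
// artifact and recomputes the checksum. Without a signature this passes;
// with one it fails, because the attacker lacks the publisher's private key.
func Tamper(b Bundle, payload []byte) Bundle {
	b.Artifact = append(append([]byte{}, b.Artifact...), payload...)
	b.Sha256Hex = checksum(b.Artifact)
	return b
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a collection tarball.
	artifact := []byte("namespace-collection-1.0.0.tar.gz (constructed bytes)")

	genuine := Publish(artifact, priv)
	fmt.Println("genuine artifact:", Install(genuine, pub))
	fmt.Println("tampered, checksum recomputed:", Install(Tamper(genuine, []byte("malicious module")), pub))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("signed by an untrusted key:", Install(Publish(artifact, otherPriv), pub))
}
```

`Install` runs the cheap checksum check first so a corrupted download is reported as corruption rather than as a bad signature; only a checksum that matches but a signature that does not indicates deliberate substitution or an unknown signer.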