We have a request (
) to set up SSL cert
pinning for ostree deliverables. It's also been a long wishlist item
to have that for rpm deliverables too. Unfortunately there's a bunch of
moving parts here that we need to sort out before we can move this
First some background/info:
currently uses a valid digisign cert. It
needs this because browsers download from it directly, our builders
download from it directly, etc.
* pkgs/koji currently use certs signed by the Fedora Koji CA (which
expires in 2024). This is currently needed by koji to do builds and
the upload cgi for lookaside.
* We are hoping to deploy soon a pair of FreeIPA servers in production
that get information from FAS and allow us to issue Kerberos tickets.
koji can already authenticate via this method.
* There's an outstanding ticket about having a verified way to get
Questions we need to figure out:
* Are we going to retire/replace the koji CA? My thought was yes, but I
think Dennis wasn't on board with this. Can anyone who wants to save
it speak up? :)
* The upload cgi would need to auth with Kerberos and sigul would need
to auth with Kerberos for this to work.
* If we are not completely retiring the koji CA, are we replacing it?
* Is ostree going to stay distributed at kojipkgs? Or is it going to
move somewhere else? we should figure out the final place for it
before we go setting up cert pinning.
* The simple way to do pinning is for the application(s) to include a
hard coded list of valid certs. I guess this would require changes in
librepo and somewhere in ostree?
* The complex way to do pinning would be to setup
For this we would need to get backup keys for our cert(s) that are
used for this and setup webservers to send the right headers. This
would also need (more complex) changes in librepo and/or somewhere in
ostree. This would also optionally get us reports of violations.
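To make the two pinning options above concrete, here is an added example (not Fedora infrastructure, librepo or ostree code). It pins the server's SubjectPublicKeyInfo (SPKI) hash rather than the whole certificate, so a cert can be reissued for the same key without touching the pinned list, and it keeps a pre-announced backup pin so a key rotation does not lock clients out. The certificate, key material and URL are constructed placeholders; the DER walker only locates the SPKI and does not validate the certificate. The header-building function assumes the "right headers" the post alludes to are HTTP Public Key Pinning (RFC 7469), which the post itself does not name.

```python
"""Hypothetical SPKI-pin check (added example, not Fedora/librepo/ostree code)."""
import base64
import hashlib

# --- minimal DER helpers (stdlib only) -------------------------------------
def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                         # keep the INTEGER positive
        b = b"\x00" + b
    return tlv(0x02, b)

def read_tlv(buf, pos):
    """Return (tag, body, whole_tlv_bytes, next_pos) for the TLV at pos."""
    start = pos
    tag = buf[pos]; pos += 1
    ln = buf[pos]; pos += 1
    if ln & 0x80:                           # long-form length
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big"); pos += k
    return tag, buf[pos:pos + ln], buf[start:pos + ln], pos + ln

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption

def spki_der(n, e):
    """DER SubjectPublicKeyInfo for an RSA public key (n, e)."""
    rsa_pub = tlv(0x30, der_int(n) + der_int(e))
    alg = tlv(0x30, RSA_OID + b"\x05\x00")
    return tlv(0x30, alg + tlv(0x03, b"\x00" + rsa_pub))

def skeleton_cert(spki):
    """CONSTRUCTED stand-in for a DER certificate: RFC 5280 field order, empty names, dummy signature."""
    alg = tlv(0x30, RSA_OID + b"\x05\x00")
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(1) + alg
              + tlv(0x30, b"") + validity + tlv(0x30, b"") + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\x00" * 32))

# --- pinning -----------------------------------------------------------------
def spki_from_cert(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo; no validation is done here."""
    tag, cert_body, _, _ = read_tlv(cert_der, 0)
    tag2, tbs, _, _ = read_tlv(cert_body, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER Certificate")
    pos = 0
    if tbs[0] == 0xA0:                      # optional explicit [0] version
        _, _, _, pos = read_tlv(tbs, pos)
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        _, _, _, pos = read_tlv(tbs, pos)
    tag, _, whole, _ = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return whole                            # the pin covers the complete SPKI encoding

def pin_sha256(spki):
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def cert_matches_pins(cert_der, pinned):
    """The 'simple way': accept the leaf only if its SPKI hash is in the hard-coded set."""
    return pin_sha256(spki_from_cert(cert_der)) in pinned

def hpkp_header(pins, max_age, report_uri=None):
    """The 'complex way', assumed to be HPKP (RFC 7469): the header must carry a backup pin."""
    if len(pins) < 2:
        raise ValueError("HPKP needs the current pin plus at least one backup pin")
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)  # where violation reports go
    return "; ".join(parts)

# Constructed key material: arbitrary odd 2048-bit moduli, not real RSA keys.
KEY_CURRENT = ((1 << 2047) | 0x1001, 65537)
KEY_BACKUP  = ((1 << 2047) | 0x2003, 65537)   # held offline, pinned in advance
KEY_ROGUE   = ((1 << 2047) | 0x3005, 65537)   # e.g. a mis-issued cert for the same name

PINNED = {pin_sha256(spki_der(*KEY_CURRENT)), pin_sha256(spki_der(*KEY_BACKUP))}

def demo():
    """(current key accepted, rotation to backup key accepted, unpinned key rejected)"""
    cur = skeleton_cert(spki_der(*KEY_CURRENT))
    bak = skeleton_cert(spki_der(*KEY_BACKUP))
    rogue = skeleton_cert(spki_der(*KEY_ROGUE))
    return (cert_matches_pins(cur, PINNED),
            cert_matches_pins(bak, PINNED),
            cert_matches_pins(rogue, PINNED))

if __name__ == "__main__":
    print(demo())
    print(hpkp_header(sorted(PINNED), 5184000, "https://example.invalid/hpkp-report"))
```

Whichever route is taken, the check sits on top of, not instead of, normal chain validation: a pinned client still has to verify the chain, then additionally refuse a leaf whose SPKI hash is not in the list. Keeping the backup key offline and its pin published before any rotation is what avoids a self-inflicted outage when the cert on the host changes.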