Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(New Key) Generating new PGP key for signing artifacts starting 3.0.0 with @opensearch.org email #5308

Open
peterzhuamazon opened this issue Feb 5, 2025 · 9 comments
Open

(New Key) Generating new PGP key for signing artifacts starting 3.0.0 with @opensearch.org email #5308

peterzhuamazon opened this issue Feb 5, 2025 · 9 comments
Assignees
@peterzhuamazon
Labels
release signing v3.0.0

Comments

@peterzhuamazon
Copy link
Member

peterzhuamazon commented Feb 5, 2025
edited
Loading

In the past years we are using the opensearch@amazon.com email to generate / renew PGP key that signs the artifacts.

There is also another key for rubygems here:

There is also a set of keys now just for terraform provider:

Starting from 3.0.0, we would like to generate a new PGP key with @opensearch.org email.

Some thoughts:

  • New key will switch from 1 year expiration of the sub-public key to every 5 years
  • Not sure if we want to keep the key activate for unlimited amount of time to avoid further renewal.
  • Possible email release@opensearch.org to replace opensearch@amazon.com? Welcome suggestions.
  • Renew the old key C5B7498965EFD1C2924BA9D539D319879310D3FC OpenSearch project <opensearch@amazon.com> as long as 2.x is still in maintenance mode, and expire after the maintenance window.
  • The old key will be compatible with 1.x/2.x artifacts verifications, but not 3.0.0. Similarly, the new key will be compatible with 3.x and above.
  • Rubygems is a different case so we can work on that later once main artifact key is generated and released alongside 3.0.0.

Thanks.
@peterzhuamazon peterzhuamazon self-assigned this Feb 5, 2025
@peterzhuamazon peterzhuamazon moved this from Backlog to In Progress in OpenSearch Engineering Effectiveness Feb 5, 2025
@peterzhuamazon peterzhuamazon moved this from 🆕 New to 🏗 In progress in Engineering Effectiveness Board Feb 5, 2025
@github-actions github-actions bot added the untriaged Issues that have not yet been triaged label Feb 5, 2025
@peterzhuamazon
Copy link
Member Author

Hi @getsaurabh02 @Pallavi-AWS @prudhvigodithi @gaiksaya @rishabh6788 @zelinh please share your thought about it.

Thanks.

@peterzhuamazon peterzhuamazon mentioned this issue Feb 5, 2025
Open
66 tasks
@peterzhuamazon
Copy link
Member Author

peterzhuamazon commented Feb 5, 2025
edited
Loading

Adding @tykeal @jmertic @reta on potential email choice for the new key:

  • release@opensearch.org
  • signing@opensearch.org
  • artifacts@opensearch.org
  • devops@opensearch.org
  • infra@opensearch.org
  • security@opensearch.org

Welcome suggestions.

Thanks!

@reta
Copy link
Contributor

reta commented Feb 5, 2025
edited
Loading

Adding @tykeal @jmertic @reta on potential email choice for the new key:

I kinda like release@opensearch.org option but I honestly don't really know if there are well established conventions there

@prudhvigodithi
Copy link
Member

A separate topic but related to signing, the existing terraform provider has its own managed key set. We should consider using the same new key set for all the OpenSearch artifacts including this provider. Since now the terraform provider along with HashiCorp registry its also part of OpenTofu registry once migrated we should update both the registries with the new key set.

@peterzhuamazon
Copy link
Member Author

A separate topic but related to signing, the existing terraform provider has its own managed key set. We should consider using the same new key set for all the OpenSearch artifacts including this provider. Since now the terraform provider along with HashiCorp registry its also part of OpenTofu registry once migrated we should update both the registries with the new key set.

Hi @prudhvigodithi which part of the code is having that public key?
And do we need to upload the key to opentofu as well? (I think there is an related issue last time?)

Thanks.

@peterzhuamazon
Copy link
Member Author

peterzhuamazon commented Feb 5, 2025
edited
Loading

Adding @tykeal @jmertic @reta on potential email choice for the new key:

I kinda like release@opensearch.org option but I honestly don't really know if there are well established convetions there

I think I also saw devops@something.com or similar, maybe infra@opensearch.org can also be a choice here, or even security@.

I do see things like rvm just use personal email for signing as well.

@prudhvigodithi
Copy link
Member

Hi @prudhvigodithi which part of the code is having that public key? And do we need to upload the key to opentofu as well? (I think there is an related issue last time?)

Thanks.

Here is the code link Peter using GH secrets to sign and release the provider and yes the public key is uploaded to opentofu and haschicorp registries, so the provider is validated during initialization.
Thanks

@peterzhuamazon
Copy link
Member Author

We will use release@opensearch.org since there is no strong opinion on this.

Thanks.

@krisfreedain krisfreedain removed the untriaged Issues that have not yet been triaged label Feb 24, 2025
@krisfreedain
Copy link
Member

Catch All Triage - 1 2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@peterzhuamazon peterzhuamazon

Labels
release signing v3.0.0
Projects
Engineering Effectiveness Board
Status: 🏗 In progress
OpenSearch Engineering Effectiveness
Status: In Progress
Milestone
No milestone
Development

No branches or pull requests
4 participants
@reta @krisfreedain @prudhvigodithi @peterzhuamazon