Atomic: OSTree Signatures

##Scope

• Every new commit has a signature
• The system will only download a commit if the signature is trusted (or if signature checking is disabled)
• Display in the list of foward/rollback. Show signature info
• Attach a new, trusted, ssh-key
• It should be clear to the administrator why something is unsigned
• Good signature vs. Bad signature - Signed or Unsigned

Notes

• Trello page
• OSTree documentation
• HOWTO: GPG sign and verify RPM packages and yum repositories

Stories

Workflows

Prior art

• Yast
• Aptitude
• Firefox
• OSTree CLI tool

Wireframes

Feedback