Setup notation signing keys

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-02-14 10:19:52 +00:00 · 2024-02-25 12:10:06 +02:00
parent 0d2c428859
commit 24405a5a5d
6 changed files with 60 additions and 23 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,6 @@ bin/
 cue/cue.mod/gen/
 cue/go.mod
 cue/go.sum
+
+.notation/podinfo.csr
+.notation/podinfo.key
--- a/.notation/README.md
+++ b/.notation/README.md
@@ -0,0 +1,15 @@
+# Podinfo signed releases
+
+Podinfo release assets such as the Helm chart and the Flux artifact
+are published to GitHub Container Registry and are signed with
+[Notation](https://github.com/notaryproject/notation).
+
+## Generate signing keys
+
+Generate a new signing key pair:
+
+```sh
+openssl genrsa -out podinfo.key 2048
+openssl req -new -key podinfo.key -out podinfo.csr -config codesign.cnf
+openssl x509 -req -days 1826 -in podinfo.csr -signkey podinfo.key -out notation.crt -extensions v3_req -extfile codesign.cnf
+```
--- a/.notation/codesign.cnf
+++ b/.notation/codesign.cnf
@@ -0,0 +1,18 @@
+[ req ]
+default_bits           = 2048
+default_keyfile        = privatekey.pem
+distinguished_name     = req_distinguished_name
+req_extensions         = v3_req
+prompt                 = no
+
+[ req_distinguished_name ]
+C                      = RO
+ST                     = BU
+L                      = Bucharest
+O                      = Notary
+CN                     = stefanprodan.com
+
+[ v3_req ]
+keyUsage               = critical,digitalSignature
+extendedKeyUsage       = critical,codeSigning
+#subjectKeyIdentifier  = hash
--- a/.notation/notation.crt
+++ b/.notation/notation.crt
@@ -1,20 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDWjCCAkKgAwIBAgIUBk/7TYVIUsiCeUm5c11abfwMrZUwDQYJKoZIhvcNAQEL
-BQAwUTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0dGxl
-MQ8wDQYDVQQKDAZOb3RhcnkxEjAQBgNVBAMMCWZsdXhjZC5pbzAeFw0yMzEyMDcw
-NDIwNDhaFw0yNDEyMDYwNDIwNDhaMFExCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJX
-QTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwGTm90YXJ5MRIwEAYDVQQDDAlm
-bHV4Y2QuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCx1hpkMmSD
-rlyjjL8UYaciLBmMtwbpFUcejDgKSSKAqHGtTPrzSHrza1oFybyjwkG7SlbR6k23
-fuWTIz7gVjx+rEmbnJuAnzhGCES4TY+dPO/svhuAT9iGVlJ4TKuPXFO53c+GKY+t
-AJoWO04uzVbZsCNPlYmKoq3XvaMc3bnn2APr9xb7aHqF7LggqWe7GeKQEJvEdBYZ
-m1KLKym6+pqnEDSPENUVGMYKQwQHNmpVz6y+HdvuR4AQxHrHGvDxo+G7GIjrDe8l
-cW4PurFAbv3yLLvpC4ZkppPLuVv7p0kUwy1sSeWVu7uxZ/MPGqI2HSMctDbAvGLj
-bPY+rkVf3+4ZAgMBAAGjKjAoMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAK
-BggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAO2TSX5ewQXidW14UzhjNKTXt
-Yc8O6qMGNlv2PuCWT9k0ce6qC7s2XYAbvEWYNAS/fwdFC6cJMT/6/Y3s/zbFNrAH
-TMJTmGKZvtJnWywcCOg+HcRrLIpExJB1bAaTUW+oea9ABiitMeUEY6oiBGqacPeA
-4eVoDQ8wVS8oNHx71fmC9G6iNHaBTip3x81j0koz3JhHf1Mc3gKN56ww1RF/LMEa
-NW473dG/8pkuFOp6kuz775/EKBNuYfR6bEYx9zPNIpYAzVsveTnXTHsec3xkUoCQ
-xtfR15R8dfbvNFB1iFiew6oiBQ5Wz9abB0PU7b/pE21SjT1+lBKJ9xmMOzFwag==
+MIIDbDCCAlSgAwIBAgIUP7zhmTw5XTWLcgBGkBEsErMOkz4wDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCUk8xCzAJBgNVBAgMAkJVMRIwEAYDVQQHDAlCdWNoYXJl
+c3QxDzANBgNVBAoMBk5vdGFyeTEZMBcGA1UEAwwQc3RlZmFucHJvZGFuLmNvbTAe
+Fw0yNDAyMjUxMDAyMzZaFw0yOTAyMjQxMDAyMzZaMFoxCzAJBgNVBAYTAlJPMQsw
+CQYDVQQIDAJCVTESMBAGA1UEBwwJQnVjaGFyZXN0MQ8wDQYDVQQKDAZOb3Rhcnkx
+GTAXBgNVBAMMEHN0ZWZhbnByb2Rhbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDtH4oPi3SyX/DGv6NdjIvmApvD9eeSgsmHdwpAly8T9D2me+fx
+Z+wRNJmq4aq/A1anX+Sg28iwHzV+1WKpsHnjYzDAJSEYP2S8A5H1nGRKUoibdijw
+C3QBh5C75rjF/tmZVSX/Vgbf3HJJEsF4WUxWabLxoV2QLo7UlEsQd9+bSeKNMncx
+1+E6FdbRCrYo90iobvZJ8K/S2zCWq/JTeHfTnmSEDhx6nMJcaSjvMPn3zyauWcQw
+dDpkcaGiJ64fEJRT2OFxXv9u+vDmIMKzo/Wjbd+IzFj6YY4VisK88aU7tmDelnk5
+gQB9eu62PFoaVsYJp4VOhblFKvGJpQwbWB9BAgMBAAGjKjAoMA4GA1UdDwEB/wQE
+AwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEA
+6x+C6hAIbLwMvkNx4K5p7Qe/pLQR0VwQFAw10yr/5KSN+YKFpon6pQ0TebL7qll+
+uBGZvtQhN6v+DlnVqB7lvJKd+89isgirkkews5KwuXg7Gv5UPIugH0dXISZU8DMJ
+7J4oKREv5HzdFmfsUfNlQcfyVTjKL6UINXfKGdqNNxXxR9b4a1TY2JcmEhzBTHaq
+ZqX6HK784a0dB7aHgeFrFwPCCP4M684Hs7CFbk3jo2Ef4ljnB5AyWpe8pwCLMdRt
+UjSjL5xJWVQvRU+STQsPr6SvpokPCG4rLQyjgeYYk4CCj5piSxbSUZFavq8v1y7Y
+m91USVqfeUX7ZzjDxPHE2A==
 -----END CERTIFICATE-----
--- a/.notation/signingkeys.json
+++ b/.notation/signingkeys.json
@@ -1,8 +1,8 @@
 {
-    "default": "fluxcd.io",
+    "default": "stefanprodan.com",
    "keys": [
        {
-            "name": "fluxcd.io",
+            "name": "stefanprodan.com",
            "keyPath": "/home/runner/.config/notation/localkeys/notation.key",
            "certPath": "/home/runner/.config/notation/localkeys/notation.crt"
        }
--- a/.notation/trustpolicy.json
+++ b/.notation/trustpolicy.json
@@ -2,7 +2,7 @@
    "version": "1.0",
    "trustPolicies": [
        {
-            "name": "fluxcd.io",
+            "name": "stefanprodan.com",
            "registryScopes": [
                "ghcr.io/stefanprodan/podinfo-deploy",
                "ghcr.io/stefanprodan/charts/podinfo"
@@ -10,9 +10,9 @@
            "signatureVerification": {
                "level" : "strict"
            },
-            "trustStores": [ "ca:fluxcd.io" ],
+            "trustStores": [ "ca:stefanprodan.com" ],
            "trustedIdentities": [
-                "x509.subject: C=US, ST=WA, L=Seattle, O=Notary, CN=fluxcd.io"
+                "x509.subject: C=RO, ST=BU, L=Bucharest, O=Notary, CN=stefanprodan.com"
            ]
        }
    ]