Skip to content

fix: remove embedded Red Hat signing keys, use official download URLs #98

Description

@butler54

Problem

Red Hat GPG and sigstore public keys are embedded directly in the codebase:

  1. trustee-chart: templates/gpg-public-key-secret.yaml and templates/sigstore-key-secret.yaml contain hardcoded key material in Kubernetes Secret templates. These Secrets are created unconditionally but are not consumed — they are not added to kbsSecretResources and no active security policy references them.

  2. coco-pattern: keys/SIGSTORE-redhat-release3 is a key file checked into the repo. The values-secret.yaml.template also contains a base64-encoded copy of the sigstore key inline in the security policy JSON.

Signing keys should not be embedded in source control. They should be fetched from Red Hat's official distribution URLs at install time.

Current State

Required Changes

trustee-chart

  • Delete templates/gpg-public-key-secret.yaml (orphaned Secret)
  • Delete templates/sigstore-key-secret.yaml (orphaned Secret)

coco-pattern

  • Delete keys/SIGSTORE-redhat-release3 (embedded key file)
  • Update Makefile to download keys from official Red Hat URLs:
    • Sigstore: https://www.redhat.com/security/data/63405576.txt
    • GPG: https://access.redhat.com/security/data/fd431d51.txt
  • Update values-secret.yaml.template to dynamically inject sigstore key into security policy JSON from the cached download (currently base64-hardcoded)
  • Remove the redhat-secure-gpg policy definition (GPG path requires HTTP lookaside support that doesn't exist in image-rs)

When signing enforcement is unblocked

  • Add sigstore key Secret back to kbsSecretResources in trustee-chart (fetched via ESO from Vault, not embedded)
  • Add make cache-keys as a documented prerequisite before make install when using signed policies
  • Template the keyData field in the sigstore security policy to read from the user's local key cache

Official Key URLs

Key URL Fingerprint
Sigstore (release key 3) https://www.redhat.com/security/data/63405576.txt 4096R/E60D446E63405576
GPG (release key 2) https://access.redhat.com/security/data/fd431d51.txt fd431d51
Verification https://access.redhat.com/security/team/key/

Related

🤖 Generated with Claude Code

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions