I maintain an XFCE OSTree variant of Fedora called Xfice. I host the remote on my server at Index of /xfice-desktop/. The OSTree is built with GitHub’s CI, and I have a Python script that periodically fetches the built repository archive and then serves it via NGINX.
The issue is that, for all any potential users know, the repo served via NGINX that they add with ostree remote add could contain malicious files, as there is nothing that guarantees that what gets built on GitHub is the same thing being served with NGINX. If I understand correctly, this is where the ostree gpg-sign command is useful. So what I want to do is implement GPG signing, but I cannot find any documentation on how to do this with a GitHub workflow.
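A sketch of the signing step the post asks about, added here as an example and not taken from the thread or from the Xfice repository. It assumes the private key reaches the CI job as a `GPG_PRIVATE_KEY` environment variable (for instance from a repository secret) and that `REPO`, `REF` and `GPG_KEY_ID` are set by the workflow; all four names are placeholders.

```shell
#!/bin/sh
# Added example. GPG_PRIVATE_KEY, GPG_KEY_ID, REPO and REF are assumed
# names supplied by the CI job; none of them come from the original post.

# Run a command, or only print it when DRY_RUN=1, so the steps can be
# reviewed on a machine without ostree or gpg installed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# CI side. Args: repo path, ref, key id, GnuPG home directory.
# Signs the newest commit on the ref, then regenerates and signs the
# summary file so clients can verify both the commit and the ref list.
sign_repo() {
    run ostree --repo="$1" gpg-sign --gpg-homedir="$4" "$2" "$3" || return 1
    run ostree --repo="$1" summary --update \
        --gpg-sign="$3" --gpg-homedir="$4" || return 1
}

# Client side. Args: remote name, URL, public key file.
# Imports the public key for this remote; GPG verification is on by
# default, so pulls fail if a served commit was not signed by that key.
add_verified_remote() {
    run ostree remote add --gpg-import="$3" "$1" "$2"
}

# CI entry point: only acts when the signing key was passed to the job.
if [ -n "${GPG_PRIVATE_KEY:-}" ]; then
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'rm -rf "$GNUPGHOME"' EXIT   # key material does not outlive the job
    printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import || exit 1
    sign_repo "${REPO:-./repo}" "${REF:?set REF}" \
        "${GPG_KEY_ID:?set GPG_KEY_ID}" "$GNUPGHOME" || exit 1
fi
```

The signature only closes the gap described above if users get the public key from somewhere other than the NGINX server whose contents it is meant to check.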
I can’t answer your question directly, but do you have a reason for not producing it in Fedora’s infrastructure (e.g., if you’re including packages we can’t distribute)? If it’s possible, it’d be great to have you work on this within Fedora.
Yes, I have a repository at pagure.io and submitted a pull request to workstation-ostree-config upstream. There were some issues on it that I think I fixed and some outstanding questions about including certain packages vs. comps groups.
I chose Xf-Ice for the name, but I’d be happy with whatever the community collectively decides in the spirit of Silverblue, Kinoite, etc. It looks like the trend is to use a silver/blueish mineral with a name that begins with the same letter as the DE/WM.