How do we verify trust in user-maintained OSTree remotes?

I maintain an XFCE OSTree variant of Fedora called Xfice. I host the remote on my server at Index of /xfice-desktop/. The OSTree is built with GitHub’s CI, and I have a Python script that periodically fetches the built repository archive and then serves it via NGINX.

The issue is that, for all any potential users know, the repo served via NGINX that they add with ostree remote add could contain malicious files, as there is nothing that guarantees that what gets built on GitHub is the same thing being served with NGINX. If I understand correctly, this is where the ostree gpg-sign command is useful. So what I want to do is implement gpg signing, but I cannot find any documentation on how to do this with a GitHub workflow.
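As an added example (not code from the original post or from the Xfice project), here is what the signing step can look like as a GitHub Actions job. It assumes the build already produced an OSTree repository in ./repo with a branch named fedora/40/x86_64/xfice (both names are assumptions), and that the ASCII-armored, passphrase-less private key is stored in a repository secret called OSTREE_GPG_PRIVATE_KEY (also an assumption). The job signs the existing commit with `ostree gpg-sign`, re-signs the summary, exports the public key, and then pulls the result into a scratch client repo so the workflow fails if the signature does not verify.

```yaml
# Added example, not from the Xfice project. Assumed names: ./repo,
# the ref fedora/40/x86_64/xfice, and the secret OSTREE_GPG_PRIVATE_KEY.
name: sign-ostree-repo

on:
  workflow_dispatch:

jobs:
  sign:
    runs-on: ubuntu-latest
    env:
      REPO: repo                     # assumed: repository produced by the build job
      REF: fedora/40/x86_64/xfice    # assumed: branch produced by the build job
    steps:
      - uses: actions/checkout@v4

      - name: Install ostree and gnupg
        run: sudo apt-get update && sudo apt-get install -y ostree gnupg

      # The key never touches ~/.gnupg: a fresh 0700 homedir is created per run
      # and handed to every ostree call through --gpg-homedir. The key ID is read
      # back from the imported key instead of being hard-coded.
      - name: Import the signing key into a private GPG homedir
        env:
          GPG_PRIVATE_KEY: ${{ secrets.OSTREE_GPG_PRIVATE_KEY }}
        run: |
          set -euo pipefail
          export GNUPGHOME="$(mktemp -d)"
          chmod 700 "$GNUPGHOME"
          printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import
          KEY_ID="$(gpg --batch --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5; exit}')"
          echo "GNUPGHOME=$GNUPGHOME" >> "$GITHUB_ENV"
          echo "KEY_ID=$KEY_ID" >> "$GITHUB_ENV"

      - name: Sign the commit and the summary
        run: |
          set -euo pipefail
          COMMIT="$(ostree --repo="$REPO" rev-parse "$REF")"
          # Detached signature stored alongside the commit; the commit object itself is unchanged.
          ostree --repo="$REPO" gpg-sign --gpg-homedir="$GNUPGHOME" "$COMMIT" "$KEY_ID"
          # Clients fetch the summary first, so regenerate and sign it too.
          ostree --repo="$REPO" summary -u --gpg-sign="$KEY_ID" --gpg-homedir="$GNUPGHOME"
          # Public key in binary keyring form, for users to pass to `ostree remote add --gpg-import`.
          gpg --batch --export "$KEY_ID" > xfice.gpg

      # Same commands a user would run, pointed at the local repo over file://.
      # gpg-verify defaults to true; gpg-verify-summary does not, so set it explicitly.
      - name: Verify as a client would
        run: |
          set -euo pipefail
          ostree --repo=client init --mode=bare-user
          ostree --repo=client remote add --gpg-import=xfice.gpg \
            --set=gpg-verify=true --set=gpg-verify-summary=true \
            xfice "file://$PWD/$REPO"
          # Fails if the commit or summary signature does not verify against the imported key.
          ostree --repo=client pull xfice "$REF"
          ostree --repo=client show --gpg-verify-remote=xfice "$(ostree --repo=client rev-parse "xfice:$REF")"
```

Two caveats worth keeping in mind with this layout. The private key sits in a GitHub secret, so anyone who can change the workflow (that is, anyone with write access to the repository) can produce a valid signature; the signature proves the content came out of that CI pipeline, not that the pipeline was honest. And if xfice.gpg is only ever downloaded from the same NGINX host that serves the repo, a compromise of that host can swap both at once, so the public key (or at least its fingerprint) should be published somewhere the server cannot alter, for example the GitHub repository itself.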

I can’t answer your question directly, but do you have a reason for not producing it in Fedora’s infrastructure (e.g. if you’re including packages we can’t distribute)? If it’s possible, it’d be great to have you work on this within Fedora.


Yes, I have a repository at pagure.io and submitted a pull request to workstation-ostree-config upstream. 🙂 There were some issues on it that I think I fixed and some outstanding questions about including certain packages vs. comps groups.

I was also wondering about this. There was even this thread with a poll for naming of a project like this over here, but seems it was never picked up? Introducing Fedora Silverblue XFCE, LXQt, i3-wm - #7 by andilinux


I did find this, but I am not familiar with GitHub’s CI to implement the same thing there. Automated GPG signing in RPM-OSTree-Engine v0.4.0 | Open Alchemist

I chose Xf-Ice for the name, but I’d be happy with whatever the community collectively decides in the spirit of Silverblue, Kinoite, etc. 🙂 It looks like the trend is to use a silver/blueish mineral with a name that begins with the same letter as the DE/WM.

It’s all a question of trust. Nothing can prevent you or GitHub from modifying the content that will end up in the ostree repository.