[openstack-dev] [osc][python-openstackclient] osc-included image signing

Josephine Seifert josephine.seifert at secustack.com
Thu Jun 28 13:04:55 UTC 2018


Sorry, I wrote partially in German in my last mail. Here is the English
version ;)

> Go ahead and post WIP reviews and we can look at it further.  To merge
> I'll want all of the usual tests, docs, release notes, etc but don't
> wait if that is not all done up front.
Here are the two WIP reviews:

cursive: https://review.openstack.org/#/c/578767/
osc: https://review.openstack.org/#/c/578769/

On our setup the following tests succeeded:

1.A) Generate Private and Public Key without password

openssl genrsa -out image_signing_key.pem 4096
openssl rsa -pubout -in image_signing_key.pem -out image_signing_pubkey.pem

1.B) Generate Private and Public Key with password

export PASSWORD="my-little-secret"
openssl genrsa -aes256 -passout pass:$PASSWORD -out image_signing_key.pem 4096
openssl rsa -pubout -in image_signing_key.pem -passin pass:$PASSWORD \
    -out image_signing_pubkey.pem

2.) generate Public Key certificate 

openssl rsa -pubout -in image_signing_key.pem -out image_signing_pubkey.pem
openssl req -new -key image_signing_key.pem -out image_signing_cert_req.csr
openssl x509 -req -days 365 -in image_signing_cert_req.csr \
    -signkey image_signing_key.pem -out image_signing_cert.crt

3.) upload certificate to Barbican

openstack secret store --name image-signing-cert --algorithm RSA \
    --expiration 2020-01-01 --secret-type certificate \
    --payload-content-type "application/octet-stream" \
    --payload-content-encoding base64 \
    --payload "$(base64 image_signing_cert.crt)"

4.) sign & upload image to Glance

openstack image create \
    --sign key-path=image_signing_key.pem,cert-id=$CERT_UUID \
    --container-format bare --disk-format raw --file $IMAGE_FILE $IMAGE_NAME
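
Added example, not part of the original mail or of the WIP reviews: local checks worth running between steps 2 and 3, confirming that the certificate carries the signing key's public key and that a signature made with the key verifies against the certificate alone and fails once the image changes. It assumes the unencrypted key from 1.A and RSA-PSS with SHA-256 as the signature scheme (the scheme the `--sign` option uses is not stated in the mail); the function names and the throwaway demo inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: local checks on key, certificate and signature before upload.
# Assumptions: unencrypted key (1.A), RSA-PSS with SHA-256, hypothetical names.

# cert_matches_key KEY CERT: true only if CERT carries KEY's public key.
cert_matches_key() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# sign_image KEY IMAGE SIGFILE: write a raw RSA-PSS/SHA-256 signature.
sign_image() {
    openssl dgst -sha256 -sign "$1" -sigopt rsa_padding_mode:pss -out "$3" "$2"
}

# verify_image CERT IMAGE SIGFILE: verify using only the certificate's key,
# which is all a verifier that fetched the certificate would hold.
verify_image() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null > "$3.pub" || return 2
    openssl dgst -sha256 -verify "$3.pub" -sigopt rsa_padding_mode:pss \
        -signature "$3" "$2" 2>/dev/null | grep -q 'Verified OK'
}

# demo: constructed throwaway inputs (2048-bit keys to keep the run short).
demo() {
    d=$(mktemp -d) || return 2
    openssl genrsa -out "$d/key.pem" 2048 2>/dev/null
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 1 -subj "/CN=image-signing-demo" \
        -key "$d/key.pem" -out "$d/cert.crt" 2>/dev/null
    printf 'constructed image bytes\n' > "$d/image.raw"
    sign_image "$d/key.pem" "$d/image.raw" "$d/image.sig" || return 2
    r1=fail; r2=fail; r3=fail; r4=fail
    cert_matches_key "$d/key.pem" "$d/cert.crt" && r1=ok
    cert_matches_key "$d/other.pem" "$d/cert.crt" || r2=ok
    verify_image "$d/cert.crt" "$d/image.raw" "$d/image.sig" && r3=ok
    printf 'x' >> "$d/image.raw"          # simulate tampering after signing
    verify_image "$d/cert.crt" "$d/image.raw" "$d/image.sig" || r4=ok
    rm -rf "$d"
    echo "match=$r1 mismatch-rejected=$r2 verify=$r3 tamper-rejected=$r4"
}

demo
```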

