CII Silver and Gold badges require all release artifacts be cryptographically signed [signed_releases].

The project MUST cryptographically sign releases of the project results intended for widespread use, and there MUST be a documented process explaining to users how they can obtain the public signing keys and verify the signature(s). The private key for these signature(s) MUST NOT be on site(s) used to directly distribute the software to the public.

Beijing ONAP Signing Process

ONAP leverages the LF signing process to sign all Nexus 2 Maven ONAP artifacts.

  1. When the PTL determines that an artifact is ready to sign, the PTL emails the LF helpdesk with the name of the Nexus 2 Maven artifact to be signed.
  2. The LF helpdesk downloads the artifact from the staging repository, signs it using the LF private key stored on a USB token, and pushes the signed artifact to the release repository.

Nexus 3 artifacts (Docker containers) are also produced by ONAP, but there is currently no signing process for them. The LF is working on signing Nexus 3 artifacts.

Casablanca ONAP Signing Process

Continue using the existing Beijing ONAP signing process to sign Nexus 2 Maven artifacts. Sign Casablanca Docker containers using the LF Nexus 3 artifact signing process if it is available in time.

Signing Artifacts Released Outside of the Normal Release Cycle

If a new build has to be released (even for a minor bug fix), the release gets a new version and must again go through the LF to be signed and published in the Nexus release repository.

Private Key Handling

The ONAP signing key is stored on a Yubikey token which is under the control of the LF Release Engineer.

Future Key Protections

To move ONAP to sigul, the staging jobs in use must be updated to the global-jjb based jobs and must move off the custom staging jobs that the ONAP community developed before global-jjb was in production. LF will only support sigul protection of signing keys via our standardized jobs.

OpenDaylight (ODL) Signing Process

In the OpenDaylight project, project artifacts are signed by a release engineer. The release process is described here:

https://docs.opendaylight.org/en/latest/release-process/project-release.html

A project produces a staging repository in Nexus. When the project is ready to release, they contact the ODL Helpdesk with the staging repo and the version of the software they wish to release. Helpdesk then performs the following:

1. Takes the staging repo and signs all the artifacts in it, producing a second staging repo containing the signatures.

2. Releases both the artifacts and the signatures to the release repository.
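Both processes above publish signatures beside the artifacts, and the CII requirement quoted at the top also asks for a documented way for users to verify them. The following is an added example of that consumer-side check; it is not part of the ONAP or OpenDaylight process or any LF tooling. It assumes gpg is installed, that the signature is a detached .asc file next to the artifact as Maven repositories publish it, and that the user already imported the public key and knows its full fingerprint from the project's key-distribution documentation; the demo key, artifact name and fingerprints are constructed.

```shell
#!/bin/sh
# Added example, not part of the LF signing process: consumer-side check of a
# detached OpenPGP signature on a release artifact. Assumes gpg (GnuPG 2.1+)
# is installed and the signature is a detached ".asc" published beside the
# artifact, as Maven repositories do. The expected fingerprint is assumed to
# come from the project's documented key process, not from the download site.
set -eu

# verify_artifact <artifact> <artifact.asc> <expected-full-fingerprint>
# Succeeds only if gpg reports GOODSIG and the VALIDSIG fingerprint matches the
# pinned one; a good signature from some other imported key is rejected.
verify_artifact() {
  artifact=$1 sig=$2 expected=$3
  # --status-fd 1 gives machine-readable lines; VALIDSIG carries the full
  # fingerprint, so a colliding short key ID cannot satisfy the check.
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
  fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
  [ "$fpr" = "$expected" ]
}

# demo_verify: builds a throwaway keyring and a constructed artifact, then runs
# the three outcomes a consumer can hit. Prints "ok" when all behave correctly.
demo_verify() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
  work=$(mktemp -d); jar="$work/artifact-1.0.0.jar"
  gpg --batch --pinentry-mode loopback --passphrase '' --quick-generate-key \
      'Demo Release Key <demo@example.invalid>' default default never >/dev/null 2>&1
  fpr=$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr:/{print $10; exit}')
  printf 'constructed artifact bytes\n' > "$jar"
  gpg --batch --pinentry-mode loopback --passphrase '' --armor --detach-sign \
      -o "$jar.asc" "$jar" >/dev/null 2>&1
  # 1. Genuine artifact, correct pinned key: accept.
  verify_artifact "$jar" "$jar.asc" "$fpr" || return 1
  # 2. Valid signature, but not from the key the user pinned: reject.
  if verify_artifact "$jar" "$jar.asc" "0000000000000000000000000000000000000000"; then return 1; fi
  # 3. Artifact modified after signing: reject.
  printf 'x' >> "$jar"
  if verify_artifact "$jar" "$jar.asc" "$fpr"; then return 1; fi
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work" "$GNUPGHOME"
  echo ok
}
```

Pinning the full fingerprint rather than a key ID or user ID is what makes the check meaningful: gpg will happily report GOODSIG for any key in the local keyring.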
