...

Nexus 3 Maven artifacts, Docker containers, are produced by ONAP, but there is currently no signing process for these artifacts. The LF is working on signing Nexus 3 Maven artifacts.

Casablanca ONAP Signing Process

Continue using the existing Beijing ONAP signing process to sign Nexus2 Maven Artifacts. Sign Casablanca Docker containers using the LF Nexus 3 Maven artifact signing process if it is available in time.

Signing Artifacts Released Outside of the Normal Release Cycle

If a new build has to be released (even for a minor bug), the release will have a new version and will need to go through LF to be signed and released in the Nexus Release repo.

Private Key Handling

The ONAP signing key is stored on a YubiKey token which is under the control of the LF Release Engineer.

Future Key Protections


To get ONAP moved to using sigul, the staging jobs in use must be updated to use the global-jjb based jobs and must move off of the custom staging jobs that the ONAP community developed before global-jjb was in production. LF will only support sigul protection of signing keys via our standardized jobs.

OpenDaylight (ODL) Signing Process

...

A project produces a staging repository in Nexus. When the project is ready to release, they contact the ODL Helpdesk with the staging repo and version of the software they wish to release. Helpdesk then performs the following:

1. Takes the staging repo and signs all the artifacts in there, producing a 2nd staging repo containing the signatures

...