twoliter
twoliter copied to clipboard
bottlerocket-os
refine kit and artifact signing design
The design doc in #3 is not very specific about how kit containers (and their RPMs) will be signed. Refine this design and update the design doc.
Originally it said this:
Kit Signing
In order to satisfy self-signing requirements, Kit RPMs will need to be GPG-signed. The kit will be distributed with the GPG public key, which means we need the container to also be signed. Existing container-signing mechanisms will be made available.
