PackageCloud Repository Metadata Signing Keys
Packagecloud, the application that powers packages.gitlab.com, supports two different types of GPG signatures: packages and repository metadata.
This document covers PackageCloud-specific implementation details for managing repository metadata signing keys. For the generic process, see manage repository metadata signing keys. For package signing, see manage package signing keys.
Overview
Packagecloud signs repository metadata using a private key that is either generated by Packagecloud or generated externally and configured in the app. This is a security feature that gives our users certainty that the repository metadata was generated by us.
We manage the key externally by providing the private key to Packagecloud using a Kubernetes secret. This secret is synced from Vault, which is ultimately where the key lives and where any changes need to take place.
Key Location
The private key lives in Vault under the path k8s/ops-gitlab-gke/packagecloud/gpg.
PackageCloud-Specific Process
This process should be carried out by a member of the Distribution team.
See manage repository metadata signing keys for the generic process steps. The following are PackageCloud-specific implementation details:
1. Request Access
- System(s): Okta Group Membership
- System Name: Okta Group: Team - Distribution - Packagecloud Repository Metadata Signing Key
- Justification: Temporary group membership required to update the Packagecloud repository metadata signing key in Vault.
2. Generate or Extend GPG Key
If extending an existing key, you can obtain the current private key from https://vault.gitlab.net by navigating to k8s/ops-gitlab-gke/packagecloud/gpg. If you see an access denied message, reach out to #it_help to confirm you were added to the correct group.
PackageCloud Deployment Steps
After completing the generic steps 1-2, follow these PackageCloud-specific deployment steps:
3. Update Key in System
Update Vault Secret
- Open https://vault.gitlab.net and sign in using Okta.
- Navigate to the path: k8s/ops-gitlab-gke/packagecloud/gpg.
- Click on Create new version.
- Update the value of private_key with the contents of your exported private key.
- Click Save.
- Take note of the version number (displayed next to Create new version). You’ll need this for the next step.
Update gitlab-helmfiles
Update the gitlab-helmfiles repository with the new secret version:
- Update the version number to the new version from the previous step:
- Update secretName to match: Line 64
- File an MR with the above changes and have someone in #infrastructure-lounge review/approve/merge it.
4. Validate Deployment
Once the gitlab-helmfiles CI pipeline has finished, validate the deployment:
$ curl -s https://packages.gitlab.com/gpg.key | gpg --show-key
pub   rsa4096 2020-03-02 [SC] [expires: 2024-03-01]
      F6403F6544A38863DAA0B6E03F01618A51312F3F
sub   rsa4096 2020-03-02 [E] [expires: 2024-03-01]
Verify that the fingerprint and expiry date match your new or extended key.
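The manual check above compares a fingerprint and a date by eye. The script below is an added example, not part of this runbook or of Packagecloud, that does the same comparison in a repeatable way: it parses the machine-readable output of gpg --show-keys --with-colons (the same data the human-readable listing shows), confirms the published fingerprint is the one you just rotated, and fails if the expiry is already past or closer than a chosen margin. The embedded colon-format sample is constructed from the fingerprint and dates shown above; its subkey ID and user ID are placeholders, and the check_key thresholds are assumptions, not values from the runbook.

```python
"""Check the published PackageCloud repository metadata signing key.

Added example (not from the runbook). It fetches https://packages.gitlab.com/gpg.key,
parses `gpg --show-keys --with-colons` output, and verifies fingerprint and expiry.
"""
from __future__ import annotations

import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Union

KEY_URL = "https://packages.gitlab.com/gpg.key"

# Constructed sample of `gpg --show-keys --with-colons` output for the key shown in
# the runbook (fingerprint and dates are from the page; subkey ID and uid are made up).
# Fields of a pub/sub record: 0 type, 2 bits, 3 algo (1 = RSA), 4 key ID,
# 5 creation time, 6 expiry time (Unix timestamps), 11 capabilities.
SAMPLE_COLONS = """\
pub:-:4096:1:3F01618A51312F3F:1583107200:1709251200::-:::scESC::::::23::0:
fpr:::::::::F6403F6544A38863DAA0B6E03F01618A51312F3F:
uid:-::::1583107200::0000000000000000000000000000000000000000::Constructed Sample <sample@example.invalid>::::::::::0:
sub:-:4096:1:0000000000000000:1583107200:1709251200:::::e::::::23:
"""


@dataclass
class PrimaryKey:
    fingerprint: str
    algorithm: str            # gpg algorithm number as a string ("1" = RSA)
    bits: int
    created: datetime
    expires: Optional[datetime]   # None when the key never expires


def _to_utc(ts: str) -> Optional[datetime]:
    return datetime.fromtimestamp(int(ts), tz=timezone.utc) if ts else None


def parse_primary_key(colons: str) -> PrimaryKey:
    """Return the primary key described by `gpg --show-keys --with-colons` output."""
    lines = colons.splitlines()
    for i, line in enumerate(lines):
        f = line.split(":")
        if f[0] != "pub":
            continue
        # The first fpr record after pub carries the primary key's fingerprint.
        fpr = next((l.split(":")[9] for l in lines[i + 1:] if l.startswith("fpr:")), None)
        if fpr is None:
            raise ValueError("pub record without a following fpr record")
        return PrimaryKey(fingerprint=fpr, algorithm=f[3], bits=int(f[2]),
                          created=_to_utc(f[5]), expires=_to_utc(f[6]))
    raise ValueError("no primary key found in gpg output")


def check_key(key: PrimaryKey, expected_fingerprint: str, min_days_left: int = 30,
              now: Union[datetime, str, None] = None) -> list:
    """Return a list of problems; an empty list means the published key is the expected one.

    `now` may be a datetime or a YYYY-MM-DD string (useful for deterministic checks);
    it defaults to the current UTC time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    problems = []
    expected = expected_fingerprint.replace(" ", "").upper()
    if key.fingerprint.upper() != expected:
        problems.append(f"fingerprint {key.fingerprint} does not match expected {expected}")
    if key.expires is None:
        problems.append("key has no expiry date; the rotated key is expected to have one")
    elif key.expires <= now:
        problems.append(f"key expired on {key.expires:%Y-%m-%d}")
    elif key.expires - now < timedelta(days=min_days_left):
        problems.append(f"key expires on {key.expires:%Y-%m-%d}, under {min_days_left} days away")
    return problems


def fetch_published_key_colons(url: str = KEY_URL) -> str:
    """Download the armored public key and list it in gpg's colon format (network access)."""
    armored = subprocess.run(["curl", "-sf", url], check=True, capture_output=True).stdout
    listing = subprocess.run(["gpg", "--show-keys", "--with-colons"], input=armored,
                             check=True, capture_output=True)
    return listing.stdout.decode()


if __name__ == "__main__":
    # Usage: python check_key.py <expected fingerprint of the new or extended key>
    expected = sys.argv[1] if len(sys.argv) > 1 else "F6403F6544A38863DAA0B6E03F01618A51312F3F"
    key = parse_primary_key(fetch_published_key_colons())
    print(f"published key {key.fingerprint} expires {key.expires:%Y-%m-%d}")
    issues = check_key(key, expected)
    for problem in issues:
        print("PROBLEM:", problem)
    sys.exit(1 if issues else 0)
```

Run it with the fingerprint of the key you exported in step 2; a non-zero exit means the CDN is still serving the old key or the extension did not take. The 30-day margin is only a default; pick whatever lead time your rotation process needs.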
Complete the Generic Process
After validation, continue with the remaining steps in the generic runbook: