Cryptographic Signing of ONAP Artifacts - ONAP Seccom

Cryptographic Signing for ONAP Release Artifacts

CII Silver and Gold badges require that all release artifacts be cryptographically signed [signed_releases]:

The project MUST cryptographically sign releases of the project results intended for widespread use, and there MUST be a documented process explaining to users how they can obtain the public signing keys and verify the signature(s). The private key for these signature(s) MUST NOT be on site(s) used to directly distribute the software to the public.

• Beijing ONAP Signing Process - ONAP leverages the LF signing process to sign all Nexus 2 Maven ONAP artifacts. The PTL emails the LF helpdesk with the name of the Nexus 2 Maven artifact to be signed. The LF helpdesk downloads the artifact from the staging repository, signs the artifact using the LF private key stored on a USB device, and pushes the signed artifact to the release repository. NOTE: The signing process for Nexus 3 Maven artifacts and Docker containers is work in progress.

• Casablanca ONAP Signing Process - Continue using the existing Beijing ONAP signing process to sign Nexus 2 Maven artifacts. Sign Casablanca Docker containers using the LF Nexus 3 Maven artifact signing process if it is available in time.

• Signing Artifacts Released Outside of the Normal Release Cycle - If a new build has to be released (even for a minor bug fix), the release gets a new version and must go through LF to be signed and released to the Nexus release repository.

• OpenDaylight (ODL) Signing Process - In the OpenDaylight project, project artifacts are signed by a release engineer. The release process is described here. A project produces a staging repository in Nexus. When the project is ready to release, they contact the ODL Helpdesk with the staging repo and the version of the software they wish to release. Helpdesk then performs the following:
  1. Takes the staging repo and signs all the artifacts in it, producing a 2nd staging repo containing the signatures.
  2. Releases both the artifacts and the signatures to the release repository.
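The sign / publish / verify flow that the badge requirement and the processes above describe, as an added example that is not ONAP's or the LF's own tooling: GnuPG detached signatures of the kind Maven repositories publish beside each artifact (.asc), produced in a signer keyring and checked in a separate user keyring that holds only the public key. The key identity, file names and artifact bytes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not ONAP's or the LF's tooling): the sign / publish / verify flow
# in miniature. Signer and user each have their own keyring, so the private key
# never touches the "distribution" side. All names and contents are constructed.
set -eu

WORK=$(mktemp -d)
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/signer-keyring"     # stands in for the offline signing host
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# 1. Release engineer: create the signing key (constructed identity, no passphrase
#    so the example runs unattended; a real key lives on removable media).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "ONAP Release Signing (example) <release@example.invalid>" \
    ed25519 sign 0 2>/dev/null

# 2. A stand-in for a staged Maven artifact (constructed bytes).
printf 'fake jar bytes for demo-1.0.0.jar\n' > "$WORK/demo-1.0.0.jar"

# 3. Detached, ASCII-armoured signature, published beside the artifact as .asc.
gpg --batch --quiet --armor --detach-sign \
    --output "$WORK/demo-1.0.0.jar.asc" "$WORK/demo-1.0.0.jar"

# 4. Export only the public key; this is what the documented process gives users.
gpg --batch --quiet --armor --export release@example.invalid > "$WORK/RELEASE-KEY.asc"

# verify_artifact ARTIFACT SIGNATURE PUBKEY  -> prints "ok" or "BAD"
# Runs in a throwaway keyring holding only the public key, as a downloader would.
verify_artifact() {
    user_home=$(mktemp -d)
    GNUPGHOME="$user_home" gpg --batch --quiet --import "$3" 2>/dev/null
    if GNUPGHOME="$user_home" gpg --batch --quiet --verify "$2" "$1" 2>/dev/null; then
        echo ok
    else
        echo BAD
    fi
    rm -rf "$user_home"
}

# A copy modified after signing: one extra byte is enough to fail verification.
printf 'fake jar bytes for demo-1.0.0.jar!\n' > "$WORK/tampered.jar"

echo "genuine artifact:  $(verify_artifact "$WORK/demo-1.0.0.jar" "$WORK/demo-1.0.0.jar.asc" "$WORK/RELEASE-KEY.asc")"
echo "tampered artifact: $(verify_artifact "$WORK/tampered.jar"  "$WORK/demo-1.0.0.jar.asc" "$WORK/RELEASE-KEY.asc")"
```

The user-side check needs only the artifact, its .asc file and the published public key; the signer keyring is never consulted, which is the separation the badge criterion asks for.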

Thank you!