Decrypt ospkg
Implementation for "Proposal to add support for decrypting an OS package" (2024-12-17-decrypt-ospkg.md).
Add support for decrypting an OS package, including its associated descriptor, which has been encrypted by the "age" (https://github.com/FiloSottile/age) encryption tool, by using "age" as a new, direct dependency. Decryption is applied on the descriptor and the OS package archive, directly after fetching them, producing new and unencrypted archives that can be processed as usual.
The feature can be considered as an additional layer of transport encryption and applies only to OS packages and descriptors that are fetched over the network.
Add support for providing an "age" identity file using the X25519 recipient type format (https://github.com/C2SP/C2SP/blob/main/age.md#the-x25519-recipient-type) with file name /etc/trust_policy/decryption_identities in the initramfs to enable the feature.
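
As an added illustration (not code from this change or from the project), the Go sketch below reads the header of a fetched blob, as laid out in the age specification linked above, and reports whether it carries an X25519 recipient stanza that an identity from the identity file could unwrap. The function names and the sample bytes are constructed for the example, and it handles only the binary (non-armored) age format.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Constructed sample: age header layout with placeholder base64, then payload bytes.
var sample = []byte("age-encryption.org/v1\n" +
	"-> X25519 " + strings.Repeat("A", 43) + "\n" +
	strings.Repeat("B", 43) + "\n" +
	"--- " + strings.Repeat("C", 43) + "\n" + "\x00\x01payload")

// RecipientTypes returns the type of each recipient stanza in the header of a
// binary age file, reading no further than the "---" MAC line.
func RecipientTypes(blob []byte) ([]string, error) {
	line, rest, ok := bytes.Cut(blob, []byte("\n"))
	if !ok || string(line) != "age-encryption.org/v1" {
		return nil, fmt.Errorf("not an age v1 file")
	}
	var types []string
	for {
		if line, rest, ok = bytes.Cut(rest, []byte("\n")); !ok {
			return nil, fmt.Errorf("header truncated before MAC line")
		}
		switch f := strings.Fields(string(line)); {
		case len(f) == 2 && f[0] == "---":
			return types, nil
		case len(f) >= 2 && f[0] == "->":
			types = append(types, f[1])
		} // anything else is a stanza body line
	}
}

// HasX25519 reports whether any stanza in the header is of type X25519.
func HasX25519(blob []byte) bool {
	types, _ := RecipientTypes(blob)
	for _, t := range types {
		if t == "X25519" {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(RecipientTypes(sample))
	fmt.Println(HasX25519([]byte("plain tar archive\n")))
}
```

A check like this only classifies the input; confidentiality and integrity of the payload still depend on the actual "age" decryption succeeding with the provided identity.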