As of now, signatures are completely external to the release — we sign the image file when we build it, so that everyone can verify the integrity of downloaded files.
However, it's impossible to verify that an installed system was created from a signed image. Since VyOS uses an immutable SquashFS image in installations, it's very much possible to do.
There are two possible options I see:
- Sign the SquashFS image file and place the signature in /boot on installation.
- Sign the version.json file and place the signature inside the SquashFS image.
Those options are not mutually exclusive. A signed version.json is easier for a user to verify, but only signing the entire image protects it from modification. We may want to do both.
It's also an open question whether we should introduce a new subtree like verify or add the command to the show subtree, like:
run show system image integrity <minisign public key>
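What the proposed command could do under option 1, as an added example script (not VyOS code): locate the installed SquashFS and the detached minisign signature next to it in /boot, and check one against the other with the supplied public key. The /boot/<image>/<image>.squashfs layout and the .minisig file name are assumptions, not the real VyOS layout.

```shell
#!/bin/sh
# Added example, not part of VyOS. Verifies that an installed image's SquashFS
# still matches the minisign signature stored beside it in /boot (option 1).
# Assumed layout: /boot/<image>/<image>.squashfs and, next to it,
# /boot/<image>/<image>.squashfs.minisig (both names are assumptions).

# verify_image <image name> <minisign public key string> [boot dir]
# Exit codes: 0 verified, 1 signature does not match, 2 no signature present
#             (image predates signing or was installed from an unsigned build),
#             3 image not found, 4 minisign not installed.
verify_image() {
    image="$1"; pubkey="$2"; bootdir="${3:-/boot}"
    squashfs="$bootdir/$image/$image.squashfs"
    sig="$squashfs.minisig"

    [ -f "$squashfs" ] || { echo "$image: no SquashFS image in $bootdir" >&2; return 3; }
    [ -f "$sig" ]      || { echo "$image: no signature in $bootdir, cannot attest" >&2; return 2; }
    command -v minisign >/dev/null 2>&1 || { echo "minisign is not installed" >&2; return 4; }

    # -V verify, -m file to check, -x detached signature, -P public key given inline,
    # -q suppress minisign's own chatter; the exit status is what we act on.
    if minisign -V -q -m "$squashfs" -x "$sig" -P "$pubkey"; then
        echo "$image: SquashFS matches its signature"
        return 0
    fi
    echo "$image: signature does NOT match SquashFS (modified image or wrong key)" >&2
    return 1
}
```

A distinct exit code for "no signature present" matters: an unsigned image is not the same finding as a tampered one, and the operator should see which it is.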