...
With this approach, dovetail generates a digital signature along with the plain-text report. The reviewer can then use this signature to validate the integrity of both the dovetail tool and the report.
Why:
A plain-text report is vulnerable: it can easily be modified in storage or in transit.
The reviewer needs to make sure that the report was generated by a validated tool from the release and that its results cannot have been modified, for example to remove a failure.
Users do not need to know or learn any details about this procedure.
How:
The whole authentication workflow is as follows:
1. OPNFV generates the key pair for each release
2. dovetail uses this key to build a binary signature tool
3. dovetail generates a digest for both the dovetail tool and the report, combines the two digests into one, then signs the final digest
4. dovetail saves the report to a report file
5. upload the report and signature for review
6. extract the digest from the signature
7. validate the integrity of the dovetail tool and the report
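The signing and verification steps above, as an added example that is not part of the dovetail project's code. It assumes Ed25519 for the release key and SHA-256 for the digests, and combines the two digests by hashing their concatenation; the page does not fix either choice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// GenerateReleaseKey models step 1: OPNFV creates a key pair per release.
func GenerateReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// combinedDigest models step 3: hash the tool and the report separately,
// then hash the concatenation of the two digests into one final digest.
// Assumption: SHA-256(SHA-256(tool) || SHA-256(report)) is this example's choice.
func combinedDigest(tool, report []byte) []byte {
	t := sha256.Sum256(tool)
	r := sha256.Sum256(report)
	h := sha256.New()
	h.Write(t[:])
	h.Write(r[:])
	return h.Sum(nil)
}

// SignReport signs the final digest with the release private key.
func SignReport(priv ed25519.PrivateKey, tool, report []byte) []byte {
	return ed25519.Sign(priv, combinedDigest(tool, report))
}

// VerifyReport models steps 6 and 7: the reviewer recomputes the digest from
// the tool binary and report they received and checks it against the
// signature. Any change to either input makes the check fail.
func VerifyReport(pub ed25519.PublicKey, tool, report, sig []byte) bool {
	return ed25519.Verify(pub, combinedDigest(tool, report), sig)
}

func main() {
	pub, priv, err := GenerateReleaseKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample inputs standing in for the tool binary and report.
	tool := []byte("dovetail-tool-binary (constructed)")
	report := []byte("tc001: PASS\ntc002: FAIL\n")
	sig := SignReport(priv, tool, report)
	fmt.Println("original report:", VerifyReport(pub, tool, report, sig))
	tampered := []byte("tc001: PASS\ntc002: PASS\n") // failure removed
	fmt.Println("tampered report:", VerifyReport(pub, tool, tampered, sig))
}
```

Because the signature covers the tool digest as well, a report signed by one build cannot be presented as coming from a different tool binary.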
1. Proposal for container security:
Temporary test results inside the container can be modified as well; this can be improved in the following ways:
1) the upstream projects perform the authentication themselves
2) set up a database dedicated to dovetail results; people without permission cannot access the database
3) use the REST API of FUNCTEST/YARDSTICK over SSL, so that the results only exist in a secured transport and are saved to the database, after which no one can touch them
Remark: Uploading the result to the remote database is optional. When the user wants to "dry run" the test, all results are stored locally, which makes it convenient for users to adjust/modify their platform for a better result.