What:
Dovetail will provide a way to authenticate the integrity of both the dovetail tool and the report it produces.
With this approach, dovetail generates a digital signature alongside the plain-text report. The reviewer then uses this signature to validate the integrity of both the dovetail tool and the report.
Why:
The plain-text report is vulnerable: it can easily be modified during storage and transport.
The reviewer needs to be sure that the report was generated by a validated tool from the release and that its result has not been modified, for example to remove a failure.
Users do not need to know or learn any details of this procedure.
How:
The whole authentication workflow is as follows:
1. OPNFV generates a key pair for each release
2. dovetail uses this key to build a binary signing tool
3. dovetail generates a digest for both the dovetail tool and the report, combines the two digests into one, then signs the final digest
4. dovetail saves the report to a report file
5. the report and the signature are uploaded for review
6. the reviewer extracts the digest from the signature
7. the reviewer validates the integrity of the dovetail tool and the report
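The following Go program is an added example of the seven-step workflow above; it is not dovetail's own code. The page does not name the signature algorithm or the layout of the signature artifact, so the example assumes Ed25519 for the per-release key pair, SHA-256 for the digests, and a signature envelope that carries the combined digest in the clear next to the signature over it (which is what lets the reviewer "extract the digest from the signature" in step 6). The tool bytes and report text are constructed stand-ins. The names Envelope, GenerateReleaseKeys, CombinedDigest, Sign and Verify are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is the signature artifact that travels with the report.
// Its layout is an assumption made for this example: it carries the combined
// digest in the clear so the reviewer can extract it (step 6), plus the
// Ed25519 signature over that digest made with the release private key.
type Envelope struct {
	Digest    []byte // combined digest of tool and report
	Signature []byte // Ed25519 signature over Digest
}

// GenerateReleaseKeys models step 1: OPNFV generates one key pair per release.
// The private key is what the signing tool built in step 2 would carry; the
// public key is what reviewers use in step 7.
func GenerateReleaseKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// CombinedDigest models step 3: hash the tool and the report separately, then
// fold both digests into one final digest. The "tool:"/"report:" labels are a
// domain-separation choice of this example so the two digests cannot be swapped.
func CombinedDigest(tool, report []byte) []byte {
	toolSum := sha256.Sum256(tool)
	reportSum := sha256.Sum256(report)
	final := sha256.New()
	final.Write([]byte("tool:"))
	final.Write(toolSum[:])
	final.Write([]byte("report:"))
	final.Write(reportSum[:])
	return final.Sum(nil)
}

// Sign models the dovetail side of steps 3 and 4: compute the combined digest
// and sign it with the release private key.
func Sign(priv ed25519.PrivateKey, tool, report []byte) Envelope {
	d := CombinedDigest(tool, report)
	return Envelope{Digest: d, Signature: ed25519.Sign(priv, d)}
}

// Verify models the reviewer side, steps 6 and 7: check that the digest in the
// envelope was signed by the release key, then recompute the digest from the
// tool and report actually received and compare. Either check failing means
// the artifacts cannot be trusted.
func Verify(pub ed25519.PublicKey, env Envelope, tool, report []byte) error {
	if !ed25519.Verify(pub, env.Digest, env.Signature) {
		return errors.New("signature does not verify under the release public key")
	}
	if !bytes.Equal(env.Digest, CombinedDigest(tool, report)) {
		return errors.New("digest mismatch: tool or report differs from what was signed")
	}
	return nil
}

func main() {
	pub, priv, err := GenerateReleaseKeys()
	if err != nil {
		panic(err)
	}
	// Constructed stand-ins for the dovetail binary and a plain-text report.
	tool := []byte("dovetail-binary-bytes")
	report := []byte("tc001: PASS\ntc002: FAIL\n")

	env := Sign(priv, tool, report)
	fmt.Println("combined digest:", hex.EncodeToString(env.Digest))
	fmt.Println("original report:", Verify(pub, env, tool, report))

	// A report edited after signing to hide the failure: the digest no longer matches.
	edited := []byte("tc001: PASS\ntc002: PASS\n")
	fmt.Println("edited report:  ", Verify(pub, env, tool, edited))

	// An envelope checked against a key that is not the release key is rejected.
	otherPub, _, _ := GenerateReleaseKeys()
	fmt.Println("wrong key:      ", Verify(otherPub, env, tool, report))
}
```

The order of the two checks in Verify matters: the signature is checked first so that a forged envelope is rejected before any digest comparison, and the digest is recomputed from the received tool and report rather than trusted from the envelope, which is what ties the reviewer's copy of the artifacts to what was actually signed.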