generic-worker: add ed25519 cot signature support; deprecate gpg
Categories: Taskcluster :: Workers, enhancement
Tracking: Not tracked
People: Reporter: mozilla, Assigned: mozilla
GPG 2.0.x is past its EOL; our current cot-gpg-keys solution is high maintenance and can only be properly tested on puppetized scriptworkers. Moving to a more modern signature algorithm and a set of known public keys, without a web of trust, will improve both of these situations.
We should:
- add ed25519 cot signature support to generic-worker.
- deprecate gpg support; once all 3 worker implementations are uploading signed ed25519 cot artifacts, we'll drop gpg support across the board.
- leave chainOfTrust.json.asc alone, until we drop gpg support.
- create and upload two new artifacts: an unsigned chain-of-trust.json, and an ed25519 signature chain-of-trust.json.sig.
Ideally, I'd like to get the solutions in all 3 worker implementations working before we roll out, to avoid churn. I'm signing up to write this patch, though I may need a hand with both generic-worker and golang questions.
See also: mozilla-releng/scriptworker#294, the discussion in mozilla-releng/scriptworker#293 (comment), and taskcluster/generic-worker#136.
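The signing scheme the description asks for, sketched as an added Go example (this is not generic-worker's or scriptworker's code): the worker signs the exact bytes of the unsigned chain-of-trust.json with an ed25519 private key to produce the detached chain-of-trust.json.sig, and a downstream verifier accepts the pair only if one of a fixed set of pinned public keys verifies it, with no web of trust. The KeyRing type, the function names, the key labels and the JSON content are all assumptions made for the example; the sample document is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// KeyRing is the set of known, pinned public keys a verifier trusts, keyed by
// a label such as the worker pool or trust level (assumed for this example).
// There is no web of trust: a signature counts only if one of these keys
// verifies it.
type KeyRing map[string]ed25519.PublicKey

// sampleChainOfTrust is a constructed stand-in for the unsigned
// chain-of-trust.json artifact; every field value is a placeholder.
const sampleChainOfTrust = `{"taskId":"EXAMPLE_TASK_ID","runId":0,"workerType":"example-worker",` +
	`"artifacts":{"public/build/target.tar.gz":{"sha256":"PLACEHOLDER_SHA256"}}}`

// GenerateKey creates a fresh ed25519 keypair. In a real deployment the private
// key stays on the worker and only the public key is pinned downstream.
func GenerateKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignChainOfTrust returns the detached signature over the exact bytes of
// chain-of-trust.json; these 64 bytes are what chain-of-trust.json.sig holds.
func SignChainOfTrust(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// VerifyChainOfTrust checks the detached signature against every pinned key
// and reports which key verified. Any change to doc or sig, or a signature
// made by a key that is not in the ring, fails.
func VerifyChainOfTrust(ring KeyRing, doc, sig []byte) (string, error) {
	if len(sig) != ed25519.SignatureSize {
		return "", fmt.Errorf("chain-of-trust.json.sig has length %d, want %d", len(sig), ed25519.SignatureSize)
	}
	for label, pub := range ring {
		// Guard the key length ourselves: ed25519.Verify panics on a bad key size.
		if len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, doc, sig) {
			return label, nil
		}
	}
	return "", errors.New("chain-of-trust.json.sig does not verify under any known key")
}

func main() {
	pub, priv, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	doc := []byte(sampleChainOfTrust)
	sig := SignChainOfTrust(priv, doc)
	fmt.Println("chain-of-trust.json.sig (base64):", base64.StdEncoding.EncodeToString(sig))

	ring := KeyRing{"level-3": pub}
	label, err := VerifyChainOfTrust(ring, doc, sig)
	fmt.Println("verified with key:", label, "err:", err)

	// Flip one byte of the artifact: the same signature must now be rejected.
	tampered := append([]byte{}, doc...)
	tampered[len(tampered)-2] = '!'
	_, err = VerifyChainOfTrust(ring, tampered, sig)
	fmt.Println("tampered artifact err:", err)
}
```

The verifier signs and checks the raw bytes rather than a re-serialised JSON object, so the uploaded chain-of-trust.json must be stored and fetched byte-for-byte; any pretty-printing or key reordering between signing and verifying would invalidate the signature.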
Comment 1•6 years ago
Assignee
Comment 2•6 years ago
This was released! We'll need OCC configs + a new valid ed25519 key for level 3 workerTypes to fully resolve.
Comment 3•6 years ago
Released in generic-worker 12.0.0.
Aki, I've created bug 1524592 for the OCC rollout, so I'll close this bug, as I think the generic-worker part is done.
Awesome work! :-)
Updated•6 years ago