From 74805e75ca678926d64ca3f928c120a2c23b3794 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Wed, 21 Aug 2024 10:59:33 +0300 Subject: [PATCH 01/12] Repo import by @jku Signed-off-by: Jussi Kukkonen --- metadata/registry.npmjs.org.json | 14 ++- metadata/root.json | 123 +++++++++++----------- metadata/root_history/10.root.json | 157 +++++++++++++++++++++++++++++ metadata/targets.json | 33 +++--- 4 files changed, 239 insertions(+), 88 deletions(-) create mode 100644 metadata/root_history/10.root.json diff --git a/metadata/registry.npmjs.org.json b/metadata/registry.npmjs.org.json index 95385760..81a1ac11 100755 --- a/metadata/registry.npmjs.org.json +++ b/metadata/registry.npmjs.org.json @@ -1,17 +1,13 @@ { "signatures": [ { - "keyid": "3b60e337a003f0465d881e34051b1350f0041b931bd68d95ce2066c81d36de1b", - "sig": "3046022100af26e7c415a1d724ace269d9498a83daadde0b55f155a4c95b431764bab85b7b02210091f5ae0acfe832cd71ba8249d784208ea265f7d103f6a0c92f75aeb939b9be33" - }, - { - "keyid": "a89d235ee2f298d757438c7473b11b0b7b42ff1a45f1dfaac4c014183d6f8c45", - "sig": "3046022100af26e7c415a1d724ace269d9498a83daadde0b55f155a4c95b431764bab85b7b02210091f5ae0acfe832cd71ba8249d784208ea265f7d103f6a0c92f75aeb939b9be33" + "keyid": "fa6bb9bb553e568b85a0dc66bd36eeccb1625304ff30428bca79abedaef1632a", + "sig": "" } ], "signed": { "_type": "targets", - "expires": "2024-09-12T06:13:15Z", + "expires": "2025-02-19T07:59:33Z", "spec_version": "1.0", "targets": { "registry.npmjs.org/keys.json": { @@ -22,6 +18,8 @@ "length": 1017 } }, - "version": 3 + "version": 4, + "x-tuf-on-ci-expiry-period": 182, + "x-tuf-on-ci-signing-period": 31 } } \ No newline at end of file diff --git a/metadata/root.json b/metadata/root.json index 7cca2eb1..2236904c 100755 --- a/metadata/root.json +++ b/metadata/root.json 
@@ -1,52 +1,32 @@ { "signatures": [ { - "keyid": "ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c", - "sig": "30450221008b78f894c3cfed3bd486379c4e0e0dfb3e7dd8cbc4d5598d2818eea1ba3c7550022029d3d06e89d04d37849985dc46c0e10dc5b1fc68dc70af1ec9910303a1f3ee2f" + "keyid": "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", + "sig": "" }, { - "keyid": "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99", - "sig": "30450221009e6b90b935e09b837a90d4402eaa27d5ea26eb7891948ba0ed7090841248f436022003dc2251c4d4a7999b91e9ad0868765ae09ac7269279f2a7899bafef7a2d9260" + "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", + "sig": "" }, { - "keyid": "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f", - "sig": "30440220099e907dcf90b7b6e109fd1d6e442006fccbb48894aaaff47ab824b03fb35d0d02202aa0a06c21a4233f37900a48bc8777d3b47f59e3a38616ce631a04df57f96736" + "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", + "sig": "" }, { - "keyid": "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", - "sig": "30450221008b78f894c3cfed3bd486379c4e0e0dfb3e7dd8cbc4d5598d2818eea1ba3c7550022029d3d06e89d04d37849985dc46c0e10dc5b1fc68dc70af1ec9910303a1f3ee2f" + "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", + "sig": "" }, { - "keyid": "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", - "sig": "30450221009e6b90b935e09b837a90d4402eaa27d5ea26eb7891948ba0ed7090841248f436022003dc2251c4d4a7999b91e9ad0868765ae09ac7269279f2a7899bafef7a2d9260" - }, - { - "keyid": "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", - "sig": "304502200e5613b901e0f3e08eceabddc73f98b50ddf892e998d0b369c6e3d451ac48875022100940cf92d1f43ee2e5cdbb22572bb52925ed3863a688f7ffdd4bd2e2e56f028b3" - }, - { - "keyid": "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de", - "sig": 
"304502202cff44f2215d7a47b28b8f5f580c2cfbbd1bfcfcbbe78de323045b2c0badc5e9022100c743949eb3f4ea5a4b9ae27ac6eddea1f0ff9bfd004f8a9a9d18c6e4142b6e75" - }, - { - "keyid": "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", - "sig": "30440220099e907dcf90b7b6e109fd1d6e442006fccbb48894aaaff47ab824b03fb35d0d02202aa0a06c21a4233f37900a48bc8777d3b47f59e3a38616ce631a04df57f96736" - }, - { - "keyid": "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f", - "sig": "304502202cff44f2215d7a47b28b8f5f580c2cfbbd1bfcfcbbe78de323045b2c0badc5e9022100c743949eb3f4ea5a4b9ae27ac6eddea1f0ff9bfd004f8a9a9d18c6e4142b6e75" - }, - { - "keyid": "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b", - "sig": "304502200e5613b901e0f3e08eceabddc73f98b50ddf892e998d0b369c6e3d451ac48875022100940cf92d1f43ee2e5cdbb22572bb52925ed3863a688f7ffdd4bd2e2e56f028b3" + "keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70", + "sig": "" } ], "signed": { "_type": "root", "consistent_snapshot": true, - "expires": "2024-09-12T06:53:10Z", + "expires": "2025-02-19T07:59:33Z", "keys": { - "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849": { + "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06": { "keyid_hash_algorithms": [ "sha256", "sha512" @@ -55,9 +35,10 @@ "keyval": { "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzBzVOmHCPojMVLSI364WiiV8NPrD\n6IgRxVliskz/v+y3JER5mcVGcONliDcWMC5J2lfHmjPNPhb4H7xm8LzfSA==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256" + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@santiagotorres" }, - "230e212616274a4195cdc28e9fce782c20e6c720f1a811b40f98228376bdd3ac": { + "354c3d2d4fe1622a380037f6173f23337899e6e4e28d4187a9664a67d0a5be83": { "keyid_hash_algorithms": [ "sha256", "sha512" 
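Review bot: The rewritten `signatures` block of root.json lists only the five new keyids (`6f260089…`, `e71a54d5…`, `22f4caec…`, `61643838…`, `a687e5bf…`), but a client that currently trusts root v9 verifies v10 against the v9 key set and, under the spec's keyid-based lookup, will search for signature entries under the v9 keyids (`3c344aa0…`, `ec816697…`, `1e1d65ce…`, `e2f59acb…`, `fdfa83a0…`). The `keyval.public` strings in the following hunks show the same ECDSA keys are retained and only their keyids change, so each root signature presumably needs to appear under both the old and the new keyid (or the signing tooling must be confirmed to match signatures by key rather than keyid) for the v9→v10 rotation to reach the root threshold of 3. The `"sig": ""` placeholders are presumably filled by a later signing event; that step is where the double entries would have to be produced. The same applies to the identical new file metadata/root_history/10.root.json further down, which is what clients fetch during rotation.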
@@ -66,99 +47,111 @@ "keyval": { "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF\n0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256" + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@-replace-me-with-timestamp-key" }, - "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e": { + "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222": { "keyid_hash_algorithms": [ "sha256", "sha512" ], "keytype": "ecdsa", "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n" + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256" + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@bobcallaway" }, - "923bb39e60dd6fa2c31e6ea55473aa93b64dd4e53e16fbe42f6a207d3f97de2d": { + "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3": { "keyid_hash_algorithms": [ "sha256", "sha512" ], "keytype": "ecdsa", "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n" + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256" + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@dlorenc" }, - "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523": { + "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c": { "keyid_hash_algorithms": [ 
"sha256", "sha512" ], "keytype": "ecdsa", "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n" + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256" + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-online-uri": "gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp" }, - "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e": { + "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70": { "keyid_hash_algorithms": [ "sha256", "sha512" ], "keytype": "ecdsa", "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n" + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256" + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@joshuagl" }, - "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f": { + "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2": { "keyid_hash_algorithms": [ "sha256", "sha512" ], "keytype": "ecdsa", "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n" + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n" }, 
- "scheme": "ecdsa-sha2-nistp256" + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@mnm678" } }, "roles": { "root": { "keyids": [ - "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", - "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", - "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", - "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", - "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f" + "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", + "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", + "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", + "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", + "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70" ], "threshold": 3 }, "snapshot": { "keyids": [ - "230e212616274a4195cdc28e9fce782c20e6c720f1a811b40f98228376bdd3ac" + "354c3d2d4fe1622a380037f6173f23337899e6e4e28d4187a9664a67d0a5be83" ], - "threshold": 1 + "threshold": 1, + "x-tuf-on-ci-expiry-period": 182, + "x-tuf-on-ci-signing-period": 31 }, "targets": { "keyids": [ - "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", - "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", - "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", - "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", - "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f" + "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", + "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", + "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", + "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", + "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70" ], "threshold": 3 }, "timestamp": { "keyids": [ - "923bb39e60dd6fa2c31e6ea55473aa93b64dd4e53e16fbe42f6a207d3f97de2d" + 
"7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c" ], - "threshold": 1 + "threshold": 1, + "x-tuf-on-ci-expiry-period": 182, + "x-tuf-on-ci-signing-period": 31 } }, "spec_version": "1.0", - "version": 9 + "version": 10, + "x-tuf-on-ci-expiry-period": 182, + "x-tuf-on-ci-signing-period": 31 } } \ No newline at end of file diff --git a/metadata/root_history/10.root.json b/metadata/root_history/10.root.json new file mode 100644 index 00000000..2236904c --- /dev/null +++ b/metadata/root_history/10.root.json 
@@ -0,0 +1,157 @@ +{ + "signatures": [ + { + "keyid": "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", + "sig": "" + }, + { + "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", + "sig": "" + }, + { + "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", + "sig": "" + }, + { + "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", + "sig": "" + }, + { + "keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70", + "sig": "" + } + ], + "signed": { + "_type": "root", + "consistent_snapshot": true, + "expires": "2025-02-19T07:59:33Z", + "keys": { + "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06": { + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzBzVOmHCPojMVLSI364WiiV8NPrD\n6IgRxVliskz/v+y3JER5mcVGcONliDcWMC5J2lfHmjPNPhb4H7xm8LzfSA==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@santiagotorres" + }, + "354c3d2d4fe1622a380037f6173f23337899e6e4e28d4187a9664a67d0a5be83": { + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF\n0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@-replace-me-with-timestamp-key" + }, + "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222": { + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + 
"x-tuf-on-ci-keyowner": "@bobcallaway" + }, + "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3": { + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@dlorenc" + }, + "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c": { + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-online-uri": "gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp" + }, + "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70": { + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@joshuagl" + }, + "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2": { + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@mnm678" + } + }, + "roles": { + "root": { + "keyids": [ + 
"6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", + "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", + "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", + "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", + "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70" + ], + "threshold": 3 + }, + "snapshot": { + "keyids": [ + "354c3d2d4fe1622a380037f6173f23337899e6e4e28d4187a9664a67d0a5be83" + ], + "threshold": 1, + "x-tuf-on-ci-expiry-period": 182, + "x-tuf-on-ci-signing-period": 31 + }, + "targets": { + "keyids": [ + "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", + "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", + "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", + "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", + "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70" + ], + "threshold": 3 + }, + "timestamp": { + "keyids": [ + "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c" + ], + "threshold": 1, + "x-tuf-on-ci-expiry-period": 182, + "x-tuf-on-ci-signing-period": 31 + } + }, + "spec_version": "1.0", + "version": 10, + "x-tuf-on-ci-expiry-period": 182, + "x-tuf-on-ci-signing-period": 31 + } +} \ No newline at end of file diff --git a/metadata/targets.json b/metadata/targets.json index 8e88fdc3..009c8184 100755 --- a/metadata/targets.json +++ b/metadata/targets.json 
@@ -1,31 +1,31 @@ { "signatures": [ { - "keyid": "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", - "sig": "30440220764f1edad367a55d340eb7a97c0c8f847c47fa3fd05cadf3e246ee8ced7e504002200ebe44b01d6f59a348041c3845dda0980754893ddc1a9c8bfaa98e6b1f0b4627" + "keyid": "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", + "sig": "" }, { - "keyid": "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", - "sig": "304502202d4955e47ab4a6ba6aaaa372bf50084e3cea0149da09f28807285fa306af38ae022100947cb4f41332f3f3215b78ccb897177e122f3de7e682ac19f8f3c835bbdc75f4" + "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", + "sig": "" }, { - "keyid": "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", - "sig": "3045022015062f271a9cab84d5ffdbf878a42a4fc0754c1fa91822e38242af3546eaada8022100f0d766d4aca8ba675cf0b715104b765f81b4772cb53915db253fc437980e9e76" + "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", + "sig": "" }, { - "keyid": "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", - "sig": "3045022100cccbbbfa8a87a648f6cd18f881b6643bb2fcb5f812678af5f1ed676e574eae3902200faaf1083c5bc95471ba6d1c7da1d7fcbabfaa32cdc27c215ef9b58b4c3d41c0" + "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", + "sig": "" }, { - "keyid": "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f", - "sig": "304402203161c4a74acc63ea50af6f78e32248366bad10d823fe38ca190780ca70cf1124022051dd0734f33253304a814e10e0387a82770ee6905ace85c03b645df1109a6b38" + "keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70", + "sig": "" } ], "signed": { "_type": "targets", "delegations": { "keys": { - "3b60e337a003f0465d881e34051b1350f0041b931bd68d95ce2066c81d36de1b": { + "fa6bb9bb553e568b85a0dc66bd36eeccb1625304ff30428bca79abedaef1632a": { "keyid_hash_algorithms": [ "sha256", "sha512" 
@@ -34,13 +34,14 @@ "keyval": { "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoLrh0jmOfHWLwsyo/4oGbldF91WV\nfXvxVlDhW8fZwP/3vTnliBkDp5sH8/Dpm1SBOHkqENVt1+4Un/sFtl2zAQ==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256" + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@-npm-signer" } }, "roles": [ { "keyids": [ - "3b60e337a003f0465d881e34051b1350f0041b931bd68d95ce2066c81d36de1b" + "fa6bb9bb553e568b85a0dc66bd36eeccb1625304ff30428bca79abedaef1632a" ], "name": "registry.npmjs.org", "paths": [ @@ -51,7 +52,7 @@ } ] }, - "expires": "2024-09-12T06:13:15Z", + "expires": "2034-08-19T07:59:33Z", "spec_version": "1.0", "targets": { "artifact.pub": { @@ -159,6 +160,8 @@ "length": 7014 } }, - "version": 9 + "version": 10, + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 31 } } \ No newline at end of file From e7de4eca5d9928a605b3ebe36dfaf6e31874b106 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Wed, 21 Aug 2024 11:04:32 +0300 Subject: [PATCH 02/12] 'timestamp' role/delegation change Signed-off-by: Jussi Kukkonen --- metadata/root.json | 24 ++++++------------------ metadata/root_history/10.root.json | 24 ++++++------------------ 2 files changed, 12 insertions(+), 36 deletions(-) diff --git a/metadata/root.json b/metadata/root.json index 2236904c..eb04650b 100755 --- a/metadata/root.json +++ b/metadata/root.json @@ -24,7 +24,7 @@ "signed": { "_type": "root", "consistent_snapshot": true, - "expires": "2025-02-19T07:59:33Z", + "expires": "2025-02-19T08:04:32Z", "keys": { "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06": { "keyid_hash_algorithms": [ 
@@ -38,18 +38,6 @@ "scheme": "ecdsa-sha2-nistp256", "x-tuf-on-ci-keyowner": "@santiagotorres" }, - "354c3d2d4fe1622a380037f6173f23337899e6e4e28d4187a9664a67d0a5be83": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa", - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF\n0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==\n-----END PUBLIC KEY-----\n" - }, - "scheme": "ecdsa-sha2-nistp256", - "x-tuf-on-ci-keyowner": "@-replace-me-with-timestamp-key" - }, "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222": { "keyid_hash_algorithms": [ "sha256", @@ -124,11 +112,11 @@ }, "snapshot": { "keyids": [ - "354c3d2d4fe1622a380037f6173f23337899e6e4e28d4187a9664a67d0a5be83" + "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c" ], "threshold": 1, - "x-tuf-on-ci-expiry-period": 182, - "x-tuf-on-ci-signing-period": 31 + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 365 }, "targets": { "keyids": [ @@ -145,8 +133,8 @@ "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c" ], "threshold": 1, - "x-tuf-on-ci-expiry-period": 182, - "x-tuf-on-ci-signing-period": 31 + "x-tuf-on-ci-expiry-period": 7, + "x-tuf-on-ci-signing-period": 4 } }, "spec_version": "1.0", diff --git a/metadata/root_history/10.root.json b/metadata/root_history/10.root.json index 2236904c..eb04650b 100644 --- a/metadata/root_history/10.root.json +++ b/metadata/root_history/10.root.json @@ -24,7 +24,7 @@ "signed": { "_type": "root", "consistent_snapshot": true, - "expires": "2025-02-19T07:59:33Z", + "expires": "2025-02-19T08:04:32Z", "keys": { "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06": { "keyid_hash_algorithms": [ 
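Review bot: In the `roles.snapshot` hunk the snapshot role is re-keyed to `7247f0db…`, the same online key the timestamp role already uses (its `x-tuf-on-ci-online-uri` ends in `cryptoKeys/timestamp`), so one KMS key now backs both online roles and a compromise of that key or its signing identity affects snapshot and timestamp together. If the consolidation is intentional — the removed placeholder key `354c3d2d…` with owner `@-replace-me-with-timestamp-key` suggests the snapshot key was never finalised — the commit subject should say "snapshot" rather than "'timestamp' role/delegation change", since the hunks change the snapshot role. The new snapshot periods of `3650`/`365` days against `7`/`4` for timestamp mean a snapshot stays valid for ten years and freshness rests entirely on the 7-day timestamp; that is a defensible design but worth one sentence of justification in the commit message. The identical edits are repeated in metadata/root_history/10.root.json below.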
@@ -38,18 +38,6 @@ "scheme": "ecdsa-sha2-nistp256", "x-tuf-on-ci-keyowner": "@santiagotorres" }, - "354c3d2d4fe1622a380037f6173f23337899e6e4e28d4187a9664a67d0a5be83": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa", - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF\n0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==\n-----END PUBLIC KEY-----\n" - }, - "scheme": "ecdsa-sha2-nistp256", - "x-tuf-on-ci-keyowner": "@-replace-me-with-timestamp-key" - }, "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222": { "keyid_hash_algorithms": [ "sha256", @@ -124,11 +112,11 @@ }, "snapshot": { "keyids": [ - "354c3d2d4fe1622a380037f6173f23337899e6e4e28d4187a9664a67d0a5be83" + "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c" ], "threshold": 1, - "x-tuf-on-ci-expiry-period": 182, - "x-tuf-on-ci-signing-period": 31 + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 365 }, "targets": { "keyids": [ @@ -145,8 +133,8 @@ "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c" ], "threshold": 1, - "x-tuf-on-ci-expiry-period": 182, - "x-tuf-on-ci-signing-period": 31 + "x-tuf-on-ci-expiry-period": 7, + "x-tuf-on-ci-signing-period": 4 } }, "spec_version": "1.0", From b40335597f8373fa57faf34ff275a9867aa67974 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Fri, 7 Jun 2024 14:17:20 +0300 Subject: [PATCH 03/12] Enable tuf-on-ci workflows Note that deployment to GCS is still commented out in publish workflow. Signed-off-by: Jussi Kukkonen --- .github/workflows/create-signing-events.yml | 5 ++--- .github/workflows/online-sign.yml | 11 +++++------ .github/workflows/test-gcs.yml | 5 ++--- .github/workflows/test.yml | 5 ++--- 4 files changed, 11 insertions(+), 15 deletions(-) diff --git a/.github/workflows/create-signing-events.yml b/.github/workflows/create-signing-events.yml index 6dfce059..95c8c097 100644 
--- a/.github/workflows/create-signing-events.yml +++ b/.github/workflows/create-signing-events.yml @@ -1,9 +1,8 @@ name: TUF-on-CI create Signing events on: - # disabled during migration - #schedule: - # - cron: '17 1,7,13,19 * * *' + schedule: + - cron: '17 1,7,13,19 * * *' workflow_dispatch: permissions: {} diff --git a/.github/workflows/online-sign.yml b/.github/workflows/online-sign.yml index 92d1c1f2..eed0c1bd 100644 --- a/.github/workflows/online-sign.yml +++ b/.github/workflows/online-sign.yml @@ -3,12 +3,11 @@ name: TUF-on-CI online signing permissions: {} on: - # disabled during migration - #schedule: - # - cron: '17 1,7,13,19 * * *' - #push: - # branches: [ main ] - # paths: ['metadata/**', '!metadata/timestamp.json', '!metadata/snapshot.json'] + schedule: + - cron: '17 1,7,13,19 * * *' + push: + branches: [main] + paths: ['metadata/**', '!metadata/timestamp.json', '!metadata/snapshot.json'] workflow_dispatch: jobs: diff --git a/.github/workflows/test-gcs.yml b/.github/workflows/test-gcs.yml index 4c1d7a08..93c2d9de 100644 --- a/.github/workflows/test-gcs.yml +++ b/.github/workflows/test-gcs.yml @@ -3,9 +3,8 @@ name: root-signing GCS repository tests on: workflow_call: workflow_dispatch: - # disabled during migration - #schedule: - # - cron: '17 4,10,16,22 * * *' + schedule: + - cron: '17 4,10,16,22 * * *' permissions: {} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 950da4ff..5e4ed003 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -3,9 +3,8 @@ name: TUF-on-CI repository tests on: workflow_call: workflow_dispatch: - # disabled during migration - #schedule: - # - cron: '17 4,10,16,22 * * *' + schedule: + - cron: '17 4,10,16,22 * * *' permissions: {} From 37904f32abfbe719048ba17f10688aa1a6b0c222 Mon Sep 17 00:00:00 2001 
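Review bot: online-sign.yml is re-enabled on every push to `main` touching `metadata/**`, but the earlier commits in this series import root.json and targets.json with empty `"sig": ""` values, so the first push-triggered run will operate on unsigned top-level metadata. Whether tuf-on-ci's online signer refuses to emit snapshot/timestamp over unsigned root/targets is not visible here — confirm that, or land this enable only after the signing event has completed. create-signing-events.yml and online-sign.yml also share the exact cron `'17 1,7,13,19 * * *'`; if the two can race on the same metadata commit, staggering the minute avoids it.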
From: Jussi Kukkonen Date: Fri, 7 Jun 2024 14:31:37 +0300 Subject: [PATCH 04/12] workflows: Remove legacy workflows Delete legacy (meaning non-tuf-on-ci) * timestamp and snapshot workflows * GCS uploading workflows * signing event management workflows (dealing with "ceremony/" dirs) * various verification workflows: now handled by the tuf-on-ci tests and custom-test.yml Remove these outright to prevent accidental changes to metadata from two different maintenance systems. If it turns out the migration will not be successful in the timeframe it has, the PR that contains this commit needs to be reverted so the legacy system can continue operation.
Signed-off-by: Jussi Kukkonen --- .github/workflows/cosign-test.yml | 48 ---- .github/workflows/delegation-pop-verify.yml | 54 ---- .github/workflows/initialize.yml | 161 ------------ .github/workflows/{ci-test.yml => lint.yml} | 54 +--- .github/workflows/release.yml | 86 ------- .../reuseable-snapshot-timestamp.yml | 234 ------------------ .../workflows/review-snapshot-timestamp.yml | 39 --- .github/workflows/scripts/dpop-wrapper.sh | 28 --- .github/workflows/scripts/e2e-utils.sh | 38 --- .../workflows/scripts/review-pull-request.sh | 70 ------ .../workflows/stable-snapshot-timestamp.yml | 105 -------- .github/workflows/stable-timestamp.yml | 99 -------- .../workflows/staging-snapshot-timestamp.yml | 44 ---- .github/workflows/sync-ceremony-to-main.yml | 74 ------ .../sync-main-to-preprod-and-prod.yml | 144 ----------- .github/workflows/sync-main-to-preprod.yml | 109 -------- .github/workflows/sync-preprod-to-prod.yml | 79 ------ .github/workflows/tuf_client_tests.yml | 100 -------- .github/workflows/validate.yml | 62 ----- 19 files changed, 1 insertion(+), 1627 deletions(-) delete mode 100644 .github/workflows/cosign-test.yml delete mode 100644 .github/workflows/delegation-pop-verify.yml delete mode 100644 .github/workflows/initialize.yml rename .github/workflows/{ci-test.yml => lint.yml} (50%) delete mode 100644 .github/workflows/release.yml delete mode 100644 .github/workflows/reuseable-snapshot-timestamp.yml delete mode 100644 .github/workflows/review-snapshot-timestamp.yml delete mode 100755 .github/workflows/scripts/dpop-wrapper.sh delete mode 100644 .github/workflows/scripts/e2e-utils.sh delete mode 100755 .github/workflows/scripts/review-pull-request.sh delete mode 100644 .github/workflows/stable-snapshot-timestamp.yml delete mode 100644 .github/workflows/stable-timestamp.yml delete mode 100644 .github/workflows/staging-snapshot-timestamp.yml delete mode 100644 .github/workflows/sync-ceremony-to-main.yml delete mode 100644 
.github/workflows/sync-main-to-preprod-and-prod.yml delete mode 100644 .github/workflows/sync-main-to-preprod.yml delete mode 100644 .github/workflows/sync-preprod-to-prod.yml delete mode 100644 .github/workflows/tuf_client_tests.yml delete mode 100644 .github/workflows/validate.yml diff --git a/.github/workflows/cosign-test.yml b/.github/workflows/cosign-test.yml deleted file mode 100644 index fe792b58..00000000 --- a/.github/workflows/cosign-test.yml +++ /dev/null @@ -1,48 +0,0 @@ -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Cosign tests - -on: - workflow_dispatch: - push: - paths: - - 'repository/**' - pull_request: - -jobs: - validate: - env: - COSIGN_EXPERIMENTAL: "true" - runs-on: ubuntu-latest - steps: - # Install cosign - - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - - # Set up a repository server with python - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 - with: - python-version: '3.x' - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 2 - - run: | - cd repository/repository/ - python -m http.server 8001 & - echo "REPO=http://localhost:8001" >> $GITHUB_ENV - - # Test cosign initialize - - name: cosign initialize on published repository - run: cosign initialize --mirror http://localhost:8001 
diff --git a/.github/workflows/delegation-pop-verify.yml b/.github/workflows/delegation-pop-verify.yml deleted file mode 100644 index 50a43bb4..00000000 --- a/.github/workflows/delegation-pop-verify.yml +++ /dev/null @@ -1,54 +0,0 @@ -# -# Copyright 2023 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Verify POP for a delegation - -on: - pull_request: - branches: - - 'ceremony/**' - - 'test-ceremony/**' - - 'test-delegation/**' - -jobs: - verify: - if: ${{ startsWith(github.event.pull_request.title, 'feat/add-delegation for ') }} - runs-on: ubuntu-latest - permissions: - contents: 'write' - pull-requests: 'read' - env: - GITHUB_TOKEN: ${{ secrets.SIGSTORE_REVIEW_BOT_FINE_GRAINED_PAT }} - PR_NUMBER: ${{ github.event.pull_request.number }} - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - - name: Setup go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - - - name: Install deps - run: sudo apt-get install libpcsclite-dev - - - name: build - run: make tuf - - - name: Verify POP - run: .github/workflows/scripts/dpop-wrapper.sh "${{ github.event.pull_request.title }}" diff --git a/.github/workflows/initialize.yml b/.github/workflows/initialize.yml deleted file mode 100644 index 2280d1a6..00000000 --- a/.github/workflows/initialize.yml +++ /dev/null 
@@ -1,161 +0,0 @@ -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Stage a new root and targets on a new branch - -permissions: read-all - -# Execute this ONLY as workflow dispatch. -on: - workflow_dispatch: - inputs: - branch: - description: 'The branch to stage changes against, generally ceremony/YYYY-MM-DD' - required: true - type: string - revoke_key: - description: 'If provided, revokes the given HSM key, identified by the serial number' - required: false - type: string - repo: - description: 'The repository in which to stage a new root and targets' - required: false - default: repository - type: string - draft: - description: 'Use for testing; creates a draft pull request' - required: false - default: false - type: boolean - -jobs: - check_branch: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: Check if remote branch exists - env: - BRANCH: ${{ inputs.branch }} - run: | - branch_exists=$(git ls-remote --heads origin ${BRANCH}) - - if [[ -z ${branch_exists} ]]; then - echo "Staging root branch ${BRANCH} does not exist: has a maintainer created one?" 
- exit 1 - fi - - init_root: - runs-on: ubuntu-latest - needs: check_branch - permissions: - id-token: 'write' - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - # TODO(https://github.com/sigstore/root-signing/issues/98): Use a common configuration checked into source control - - name: setup environment - run: | - echo "GITHUB_USER=${{ github.actor }}" >> $GITHUB_ENV - echo "SNAPSHOT_KEY=gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/snapshot" >> $GITHUB_ENV - echo "TIMESTAMP_KEY=gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp" >> $GITHUB_ENV - echo "REPO=${{ inputs.repo }}" >> $GITHUB_ENV - echo "BRANCH=${{ inputs.branch }}" >> $GITHUB_ENV - # Note: we set LOCAL=1 because we manually push the changes in the next job. - echo "LOCAL=1" >> $GITHUB_ENV - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - # Setup OIDC->SA auth for signing with KMS - - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 - id: auth - with: - token_format: 'access_token' - workload_identity_provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com' - create_credentials_file: true - - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: sigstore-root-signing - - name: Login - run: | - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list - - # Initialize the new root and targets layout - - name: step 0 - # Note that we are already in a git repository and are manually pushing changes with the job below - # so we can simply build the TUF binary and bypass git setup in step 0. 
- run: | - sudo apt-get install libpcsclite-dev - go build -o tuf -tags=pivkey ./cmd/tuf - - name: step 1.5 - run: | - ./scripts/step-1.5.sh ${{ inputs.revoke_key }} - - name: Upload new repository - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 - with: - name: ${{ inputs.repo }} - path: ${{ inputs.repo }} - retention-days: 5 - - push: - needs: init_root - runs-on: ubuntu-latest - permissions: - pull-requests: 'write' - contents: 'write' - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.branch }} - fetch-depth: 0 - - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: ${{ inputs.repo }} - path: ${{ inputs.repo }} - # Detect new version and expiration to add to the PR description. - - name: Detect new version - env: - REPO: ${{ inputs.repo }} - run: | - # Detects the new root version. - VERSION=$(cat ${REPO}/staged/root.json | jq -r '.signed.version') - echo "VERSION=$VERSION" >> $GITHUB_ENV - - # Create commits - - name: Create commits - env: - REPO: ${{ inputs.repo }} - run: | - # Set identity. - git config --global user.email "noreply@github.com" - git config --global user.name "GitHub" - - git checkout -b init-root-targets - # Commit the REPO changes - git add ${REPO} - git commit -s -m "Add staged repository metadata" - git push origin HEAD - - # Open pull request changes. Use the fine-grained PAT in order to trigger presubmits. - - name: create pull request - env: - DRAFT: ${{ inputs.draft && '-d' || '' }} - run: - GH_TOKEN=${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} gh pr create -B ${{ inputs.branch }} -H init-root-targets -t "Update Root and Targets to version ${{ env.VERSION }}" -b "Initializes a new root and targets to version ${{ env.VERSION }}" ${DRAFT} -r bobcallaway -r haydentherapper -r kommendorkapten 
diff --git a/.github/workflows/ci-test.yml b/.github/workflows/lint.yml similarity index 50% rename from .github/workflows/ci-test.yml rename to .github/workflows/lint.yml index 46e5e7eb..ef563fbd 100644 --- a/.github/workflows/ci-test.yml +++ b/.github/workflows/lint.yml @@ -13,31 +13,13 @@ # See the License for the specific language governing permissions and # limitations under the License. -name: CI Test +name: Lint on: push: - paths-ignore: - - 'ceremony/**' pull_request: - paths-ignore: - - 'ceremony/**' jobs: - golangci: - name: lint - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - - name: golangci-lint - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 - with: - version: v1.59 - yamllint: runs-on: ubuntu-latest steps: 
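Review bot: The renamed lint.yml shows no top-level `permissions:` between `name: Lint`, `on:` and `jobs:`, whereas the workflows deleted in this commit (initialize.yml, stable-snapshot-timestamp.yml, stable-timestamp.yml) all pinned `permissions: read-all`; without it the job runs with the repository's default token permissions. Add `permissions: contents: read` directly after `name: Lint`, which is all yamllint, actionlint and shellcheck need. Dropping `paths-ignore: ceremony/**` also means the workflow now fires on both `push` and `pull_request` for every branch, so a PR from an in-repo branch will run it twice; if that is unintended, restrict `push` to `branches: [main]`. The file's first twelve lines and the remainder of the yamllint job are outside this hunk.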
@@ -65,40 +47,6 @@ jobs: with: actionlint_flags: -color -shellcheck= - test: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - - name: install deps - run: | - sudo apt-get install libpcsclite-dev - - name: Test - run: go test -tags=pivkey -v ./... - - name: Ensure no files were modified as a result of the build - run: git update-index --refresh && git diff-index --quiet HEAD -- || git diff --exit-code - - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - - name: install deps - run: | - sudo apt-get install libpcsclite-dev - - name: build verification - run: go build -o verify ./cmd/verify/ - - name: build TUF script - run: go build -o tuf -tags=pivkey ./cmd/tuf - - name: build test script - run: go build -o keygen -tags=pivkey ./tests/keygen - shellcheck: name: Shellcheck runs-on: ubuntu-latest diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index 834d1b17..00000000 --- a/.github/workflows/release.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -# -# Copyright 2023 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: cut-release - -on: - push: - tags: - - "v*" - -# Note: read permissions are set globally. -jobs: - release: - runs-on: ubuntu-latest - permissions: - actions: read # To read the workflow path. - id-token: write # To sign the provenance. - contents: write # To add assets to a release. - outputs: - hashes: ${{ steps.hash.outputs.hashes }} - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - - - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - - uses: anchore/sbom-action/download-syft@ab9d16d4b419c9d1a02df5213fa0ebe965ca5a57 # v0.17.1 - - uses: imjasonh/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7 - - - name: Set LDFLAGS - id: ldflags - run: | - source ./release/ldflags.sh - goflags=$(ldflags) - echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV" - - - name: Run GoReleaser - id: run-goreleaser - uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 - with: - version: latest - args: release --clean - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - LDFLAGS: ${{ env.GO_FLAGS }} - - - name: Generate subject - id: hash - env: - ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" - run: | - set -euo pipefail - 
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') - echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" - - - name: Set tag output - id: tag - run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT" - - provenance: - needs: [release] - permissions: - actions: read # To read the workflow path. - id-token: write # To sign the provenance. - contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 - with: - base64-subjects: "${{ needs.release.outputs.hashes }}" - upload-assets: true # upload to a new release - upload-tag-name: "${{ needs.release.outputs.tag_name }}" # Upload to tag rather than generate a new release - draft-release: true diff --git a/.github/workflows/reuseable-snapshot-timestamp.yml b/.github/workflows/reuseable-snapshot-timestamp.yml deleted file mode 100644 index c0a9f1e3..00000000 --- a/.github/workflows/reuseable-snapshot-timestamp.yml +++ /dev/null 
@@ -1,234 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Snapshot and Timestamp Template - -# Reusable workflow that runs snapshot and timestamp on directories. -# TODO(asraa): Create user workflows for repository-beta/, and ceremony/ flows. -on: - workflow_call: - secrets: - token: - description: > - Optional token. - This argument is passed, unchanged, to the job that creates the pull request. - required: false - inputs: - snapshot_key: - description: 'Sets the snapshotting key reference' - required: false - type: string - timestamp_key: - description: 'Sets the timestamping key reference' - required: true - type: string - branch: - description: 'The branch where the staged repository is, e.g. ceremony/2022-10-18' - required: true - type: string - repo: - description: 'Sets the repository to perform the operation on: expects relative path to GitHub repository, for example: repository' - required: false - default: repository - type: string - provider: - description: 'Sets the workflow identity provider' - required: true - type: string - service_account: - description: 'Sets the GitHub service account authorized for keys' - required: true - type: string - snapshot_timestamp: - description: 'Enables snapshot/timestamp step. During ceremonies, you may flip this to false to allow for just a publish step.' 
- required: false - default: true - type: boolean - disable_snapshot: - description: 'Disables snapshot and only generates timestamp.' - required: false - default: false - type: boolean - publish: - description: 'Enables publishing step. During ceremonies, you may flip this to false to allow for reviewing changes before publishing.' - required: false - default: true - type: boolean - -jobs: - snapshot_and_timestamp: - runs-on: ubuntu-latest - permissions: - id-token: 'write' - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - ref: ${{ inputs.branch }} - - name: setup - run: | - echo "GITHUB_USER=${{ github.actor }}" >> $GITHUB_ENV - echo "REPO=$(pwd)/${{ inputs.repo }}" >> $GITHUB_ENV - echo "SNAPSHOT_KEY=${{ inputs.snapshot_key }}" >> $GITHUB_ENV - echo "TIMESTAMP_KEY=${{ inputs.timestamp_key }}" >> $GITHUB_ENV - echo "BRANCH=${{ inputs.branch }}" >> $GITHUB_ENV - # Note: we set LOCAL=1 because we manually push the changes in the next job. 
- echo "LOCAL=1" >> $GITHUB_ENV - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - # Setup OIDC->SA auth - - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 - id: auth - with: - token_format: 'access_token' - workload_identity_provider: ${{ inputs.provider }} - service_account: ${{ inputs.service_account }} - create_credentials_file: true - - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - # Note: This needs to be parameterized if the KMS keys are in a different project - project_id: sigstore-root-signing - - name: Login - run: | - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list - - # Build binary - - name: build - run: | - sudo apt-get install libpcsclite-dev - go build -o tuf -tags=pivkey ./cmd/tuf/ - - - name: setup timestamping - if: ${{ inputs.disable_snapshot }} - run: | - echo "DISABLE_SNAPSHOT=1" >> $GITHUB_ENV - - # Snapshot and timestamp - - name: snapshot and timestamp - if: ${{ inputs.snapshot_timestamp }} - run: | - ./scripts/step-3.sh - - # Publish - - name: publish - if: ${{ inputs.publish }} - run: | - ./scripts/step-4.sh - - - name: get patch - run: | - # Setting git config is only needed to create the patch to download in the next step. - git config user.name "GitHub Actions Bot" - git config user.email "<>" - # Commit and create patch - git add . 
- git commit -m "snapshot and timestamp" - git format-patch HEAD^ -o snapshot-timestamp - - - name: Upload snapshot and timestamp - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 - with: - name: snapshot-timestamp - path: snapshot-timestamp - retention-days: 5 - - if-failed: - runs-on: ubuntu-latest - needs: [snapshot_and_timestamp] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.snapshot_and_timestamp.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true - - if-pass: - runs-on: ubuntu-latest - needs: [snapshot_and_timestamp] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.snapshot_and_timestamp.result == 'success' - steps: - - name: Close issue if one is open - uses: sigstore/sigstore-probers/.github/actions/close-workflow-issue@main - - push: - needs: snapshot_and_timestamp - runs-on: ubuntu-latest - permissions: - pull-requests: 'write' - contents: 'write' - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - ref: ${{ inputs.branch }} - - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: snapshot-timestamp - path: snapshot-timestamp - - run: | - git checkout -b update-snapshot-timestamp - git apply --verbose snapshot-timestamp/* - rm -r snapshot-timestamp - git add ${{ inputs.repo }} - git config --global user.email "noreply@github.com" - git config --global user.name "GitHub" - - # Open pull request changes - - name: create pull request for no snapshot - if: ${{ inputs.disable_snapshot }} - run: | - git commit -s -m "Update timestamp" - git push origin update-snapshot-timestamp - GH_TOKEN=${{ secrets.token || secrets.GITHUB_TOKEN }} gh pr create -B ${{ inputs.branch }} -H update-snapshot-timestamp -t "Update Timestamp" -b "Sign 
timestamp file" -r bobcallaway -r haydentherapper -r kommendorkapten - - - name: create pull request for timestamp/snapshot - if: ${{ !inputs.disable_snapshot }} - run: | - git commit -s -m "Update snapshot and timestamp" - git push origin update-snapshot-timestamp - GH_TOKEN=${{ secrets.token || secrets.GITHUB_TOKEN }} gh pr create -B ${{ inputs.branch }} -H update-snapshot-timestamp -t "Update Snapshot and Timestamp" -b "Sign snapshot and timestamp files" -r bobcallaway -r haydentherapper -r kommendorkapten - - if-push-failed: - runs-on: ubuntu-latest - needs: [push] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.push.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true - - if-push-pass: - runs-on: ubuntu-latest - needs: [push] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.push.result == 'success' - steps: - - name: Close issue if one is open - uses: sigstore/sigstore-probers/.github/actions/close-workflow-issue@main diff --git a/.github/workflows/review-snapshot-timestamp.yml b/.github/workflows/review-snapshot-timestamp.yml deleted file mode 100644 index f5491882..00000000 --- a/.github/workflows/review-snapshot-timestamp.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Review Snapshot and Timestamp - -permissions: read-all - -on: - # Enable cron for checking if a snapshot/timestamp PR needs review - # every 2 hours and attempts to merge. - schedule: - - cron: '30 */2 * * *' # every 2 hours - workflow_dispatch: - -jobs: - review: - runs-on: ubuntu-latest - permissions: - pull-requests: 'write' - contents: 'write' - env: - GITHUB_TOKEN: ${{ secrets.SIGSTORE_REVIEW_BOT_FINE_GRAINED_PAT }} - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - run: | - set -euo pipefail - ./.github/workflows/scripts/review-pull-request.sh diff --git a/.github/workflows/scripts/dpop-wrapper.sh b/.github/workflows/scripts/dpop-wrapper.sh deleted file mode 100755 index bbd18492..00000000 --- a/.github/workflows/scripts/dpop-wrapper.sh +++ /dev/null 
@@ -1,28 +0,0 @@ -#!/usr/bin/env bash -# -# Copyright 2023 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -euo pipefail - -# -# This is just a thin wrapper that takes on the input from a pull request -# and parses out the name of the delegation and the signature. -# It then calls the real script which will invoke the actual verification. -# -TITLE=$1 - -DELEGATION=$(echo "${TITLE}" | sed -E 's/(.+) for (.+)/\2/') -OUTPUT=$(mktemp) -./scripts/dpop-verify.sh "${DELEGATION}" 2>&1 | tee "${OUTPUT}" diff --git a/.github/workflows/scripts/e2e-utils.sh b/.github/workflows/scripts/e2e-utils.sh deleted file mode 100644 index 07ba66be..00000000 --- a/.github/workflows/scripts/e2e-utils.sh +++ /dev/null 
@@ -1,38 +0,0 @@ -#!/usr/bin/env bash -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Gets the name of the currently running workflow file. -# Note: this requires GITHUB_TOKEN to be set in the workflows. -this_file() { - gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3 -} - -# File is BODY in current directory. -create_issue_body() { - RUN_DATE=$(date --utc) - - # see https://docs.github.com/en/actions/learn-github-actions/environment-variables - # https://docs.github.com/en/actions/learn-github-actions/contexts. - cat <BODY -Repo: https://github.com/$GITHUB_REPOSITORY/tree/$GITHUB_REF_NAME -Run: https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID -Workflow file: https://github.com/$GITHUB_REPOSITORY/tree/main/.github/workflows/$THIS_FILE -Workflow runs: https://github.com/$GITHUB_REPOSITORY/actions/workflows/$THIS_FILE -Trigger: $GITHUB_EVENT_NAME -Branch: $GITHUB_REF_NAME -Date: $RUN_DATE -EOF -} \ No newline at end of file diff --git a/.github/workflows/scripts/review-pull-request.sh b/.github/workflows/scripts/review-pull-request.sh deleted file mode 100755 index 241e7845..00000000 --- a/.github/workflows/scripts/review-pull-request.sh +++ /dev/null 
@@ -1,70 +0,0 @@ -#!/usr/bin/env bash -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -o errexit -set -o nounset -set -o pipefail - -# Gets the open snapshot/timestamp update pull requests of the repository -timestamp_update() { - gh api -H "Accept: application/vnd.github.v3+json" "/repos/${GITHUB_REPOSITORY}/pulls?head=sigstore:update-snapshot-timestamp" | jq '.[0]' | jq 'select (.!=null)' -} - -UPDATE_PR=$(timestamp_update) -if [[ -n "${UPDATE_PR}" ]]; then - PULL_NUMBER=$(echo "${UPDATE_PR}" | jq -r '.number') - TITLE=$(echo "${UPDATE_PR}" | jq -r '.title') - echo "pull request found: " - echo "${PULL_NUMBER}" - echo "${TITLE}" - - # Approve PR - curl \ - -o review_output.json \ - -X POST \ - -H "Accept: application/vnd.github+json" \ - -H "Authorization: Bearer ${GITHUB_TOKEN}" \ - https://api.github.com/repos/"${GITHUB_REPOSITORY}"/pulls/"${PULL_NUMBER}"/reviews - - echo "review: " - cat review_output.json - - # TODO: Use gh pr review PR_NUMBER --approve - REVIEW_ID=$(jq -r '.id' review_output.json) - GH_TOKEN=$GITHUB_TOKEN gh api \ - --method POST \ - -H "Accept: application/vnd.github+json" \ - /repos/"${GITHUB_REPOSITORY}"/pulls/"${PULL_NUMBER}"/reviews/"${REVIEW_ID}"/events \ - -f event='APPROVE' - - # Get login for DCO - GH_TOKEN="${GITHUB_TOKEN}" gh api \ - -H "Accept: application/vnd.github+json" \ - /user > login.json - - LOGIN=$(jq -r '.login' login.json) - # Attempt to merge PR - 
GH_TOKEN="${GITHUB_TOKEN}" gh api \ - --method PUT \ - -H "Accept: application/vnd.github+json" \ - /repos/"${GITHUB_REPOSITORY}"/pulls/"${PULL_NUMBER}"/merge \ - -f commit_title="${TITLE} (#${PULL_NUMBER})" \ - -f commit_message="Signed-off-by: ${LOGIN} <${LOGIN}@users.noreply.github.com>" \ - -f merge_method='merge' - -else - echo "No open snapshot/timestamp pull request found" -fi diff --git a/.github/workflows/stable-snapshot-timestamp.yml b/.github/workflows/stable-snapshot-timestamp.yml deleted file mode 100644 index 4f765680..00000000 --- a/.github/workflows/stable-snapshot-timestamp.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Stable Snapshot and Timestamp - -permissions: read-all - -# Execute this as a weekly cron job and on changes to repository/ -# when new published metadata is submitted. -on: - # Enable cron for re-signing snapshot and timestamp every week - schedule: - - cron: '0 16 * * 2' # every Tuesday at 9am PST - # When a new root is staged - push: - branches: - - main - paths: - - 'repository/staged/root.json' - workflow_dispatch: - inputs: - dry_run: - type: boolean - default: false - description: Does not trigger job, but checks on whether the job should run. - force_snapshot: - description: 'Whether to force a snapshot. Useful if workflow is within 5 days of a ceremony' - required: false - default: false - type: boolean - -jobs: - check: - # This job checks whether snapshot/timestamp should run. - runs-on: ubuntu-latest - outputs: - block_snapshot: ${{ steps.check.outputs.block_snapshot }} - env: - FORCE_SNAPSHOT: ${{ inputs.force_snapshot }} - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: Determine whether to run a snapshot/timestamp - id: check - shell: bash - run: | - set -euo pipefail - - BRANCHES=$(git for-each-ref --format='%(refname:short)' | grep origin/ceremony/) - echo "${BRANCHES}" - # Check whether a ceremony was initiated within a week of the current date. 
- echo "block_snapshot=false" >> "${GITHUB_OUTPUT}" - - # If we force a snapshot, exit early. - if [[ "${FORCE_SNAPSHOT}" ]]; then - exit - fi - - ceremonyRegex="origin/ceremony/[0-9]{4}-[0-9]{2}-[0-9]{2}$" - for branch in ${BRANCHES} - do - if [[ "$branch" =~ ${ceremonyRegex} ]]; then - echo "found ceremony branch $branch" - branch_date=$(echo "${branch}" | cut -d '/' -f3) - days_diff=$(( ($(date -d "00:00" +%s) - $(date -d "${branch_date}" +%s)) / (24*3600) )) - if [[ "$days_diff" -lt 2 ]]; then - # Detected ceremony within 2 days of current date - echo "detected ceremony branch $branch within 2 days, stopping automated cron" - echo "block_snapshot=true" >> "${GITHUB_OUTPUT}" - fi - fi - done - - run_snapshot_timestamp_publish: - needs: check - if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing' && needs.check.outputs.block_snapshot == 'false') || (github.event_name != 'schedule' && inputs.dry_run == false) # Don't run workflow in forks on cron - permissions: - id-token: 'write' - issues: 'write' - pull-requests: 'write' - contents: 'write' - actions: 'read' - uses: sigstore/root-signing/.github/workflows/reuseable-snapshot-timestamp.yml@main - with: - snapshot_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/snapshot' - timestamp_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp' - repo: 'repository/' - branch: main - provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com' - secrets: - token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} diff --git a/.github/workflows/stable-timestamp.yml b/.github/workflows/stable-timestamp.yml deleted file mode 100644 index fd5f643c..00000000 --- a/.github/workflows/stable-timestamp.yml +++ /dev/null 
@@ -1,99 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Stable Timestamp - -permissions: read-all - -# Execute this as a once a week cron job (in addition to stable-snapshot-timestamp) -on: - # Enable cron for re-signing timestamp every week. Timestamp is also - # regenerated in stable-snapshot-timestamp.yml - schedule: - - cron: '0 16 * * 5' # every Friday at 9am PST - workflow_dispatch: - inputs: - dry_run: - type: boolean - default: false - description: Does not trigger job, but checks on whether the job should run. - force_timestamp: - description: 'Whether to force a timestamp. Useful if workflow is within 5 days of a ceremony' - required: false - default: false - type: boolean - -jobs: - check: - # This job checks whether timestamp should run. - runs-on: ubuntu-latest - outputs: - block_timestamp: ${{ steps.check.outputs.block_timestamp }} - env: - FORCE_TIMESTAMP: ${{ inputs.force_timestamp }} - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: Determine whether to create a timestamp - id: check - shell: bash - run: | - set -euo pipefail - - BRANCHES=$(git for-each-ref --format='%(refname:short)' | grep origin/ceremony/) - echo "${BRANCHES}" - # Check whether a ceremony was initiated within a week of the current date. - echo "block_timestamp=false" >> "${GITHUB_OUTPUT}" - - # If we force a timestamp, exit early. 
- if [[ "${FORCE_TIMESTAMP}" ]]; then - exit - fi - - ceremonyRegex="origin/ceremony/[0-9]{4}-[0-9]{2}-[0-9]{2}$" - for branch in ${BRANCHES} - do - if [[ "$branch" =~ ${ceremonyRegex} ]]; then - echo "found ceremony branch $branch" - branch_date=$(echo "${branch}" | cut -d '/' -f3) - days_diff=$(( ($(date -d "00:00" +%s) - $(date -d "${branch_date}" +%s)) / (24*3600) )) - if [[ "$days_diff" -lt 2 ]]; then - # Detected ceremony within 2 days of current date - echo "detected ceremony branch $branch within 2 days, stopping automated cron" - echo "block_timestamp=true" >> "${GITHUB_OUTPUT}" - fi - fi - done - - run_timestamp_publish: - needs: check - if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing' && needs.check.outputs.block_timestamp == 'false') || (github.event_name != 'schedule' && inputs.dry_run == false) # Don't run workflow in forks on cron - permissions: - id-token: 'write' - issues: 'write' - pull-requests: 'write' - contents: 'write' - actions: 'read' - uses: sigstore/root-signing/.github/workflows/reuseable-snapshot-timestamp.yml@main - with: - timestamp_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp' - repo: 'repository/' - branch: main - provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com' - disable_snapshot: true - secrets: - token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} diff --git a/.github/workflows/staging-snapshot-timestamp.yml b/.github/workflows/staging-snapshot-timestamp.yml deleted file mode 100644 index 55509c54..00000000 --- a/.github/workflows/staging-snapshot-timestamp.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Staging Snapshot and Timestamp - -permissions: read-all - -on: - workflow_dispatch: - inputs: - branch: - description: 'The branch where the staged repository is, e.g. ceremony/2022-10-18' - required: true - type: string - -jobs: - run_snapshot_timestamp_publish: - permissions: - id-token: 'write' - issues: 'write' - pull-requests: 'write' - contents: 'write' - actions: 'read' - uses: sigstore/root-signing/.github/workflows/reuseable-snapshot-timestamp.yml@main - with: - snapshot_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/snapshot' - timestamp_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp' - branch: ${{ inputs.branch }} - provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com' - secrets: - token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} diff --git a/.github/workflows/sync-ceremony-to-main.yml b/.github/workflows/sync-ceremony-to-main.yml deleted file mode 100644 index b239d860..00000000 --- a/.github/workflows/sync-ceremony-to-main.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -# -# Copyright 2023 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This workflow is triggered when a ceremony branch is completed, -# creating a PR that merges the completed ceremony branch to main - -name: Sync Published Ceremony Branch to Main and Preprod - -# Declare default permissions as none. -permissions: {} - -on: - workflow_dispatch: - inputs: - branch: - description: 'The branch to sync to main, generally ceremony/YYYY-MM-DD' - required: true - type: string - push: - # When any published repository metadata is changed on a ceremony/** - # branch. - branches: - - ceremony/** - paths: - - 'repository/repository/**' - -jobs: - push: - if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing') || (github.event_name != 'schedule') # Don't run workflow in forks on cron - permissions: - pull-requests: 'write' - contents: 'write' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - ref: ${{ github.event.repository.default_branch }} - - - name: create pull request - uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 # v2.12.1 - with: - github_token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} - # Use the input branch on workflow_dispatch, or the triggering branch on push to a ceremony/** branch. 
- source_branch: ${{ inputs.branch || github.ref_name }} - destination_branch: ${{ github.event.repository.default_branch }} - pr_title: "Merge ceremony branch ${{ inputs.branch || github.ref_name }} into ${{ github.event.repository.default_branch }}" - pr_body: "Merge ceremony branch to main" - pr_reviewer: bobcallaway,haydentherapper,joshuagl,kommendorkapten - - if-failed: - runs-on: ubuntu-latest - needs: [push] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.sync.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true diff --git a/.github/workflows/sync-main-to-preprod-and-prod.yml b/.github/workflows/sync-main-to-preprod-and-prod.yml deleted file mode 100644 index 5b4c680c..00000000 --- a/.github/workflows/sync-main-to-preprod-and-prod.yml +++ /dev/null 
@@ -1,144 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This sync will execute when any combination of the following files, -# and no other files, are changed on the main branch: -# - timestamp.json -# - snapshot.json -# - [0-9]+.snapshot.json -# Under this condition, all files from the repository/repository directory -# on the main branch will sync to both preprod and prod. - -name: Sync Repository Main Branch with both GCS Preprod and Prod Buckets - -on: - push: - branches: - - main - paths: - # When timestamp or snapshot files are changed. - # Note: the sync job below uses a diff to ensure ONLY these files are changed - # prior to syncing. 
- - 'repository/repository/timestamp.json' - - 'repository/repository/snapshot.json' - - 'repository/repository/[0-9]+.snapshot.json' - workflow_dispatch: - -jobs: - sync: - runs-on: ubuntu-latest - permissions: - id-token: 'write' - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - # Setup OIDC->SA auth - - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 - id: auth - with: - token_format: 'access_token' - workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'tuf-gha@project-rekor.iam.gserviceaccount.com' - create_credentials_file: true - - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: project-rekor - - name: Login - run: | - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list - - name: check-updated-files - id: check-updated-files - run: | - # Checks whether a filename matches timestamp.json, snapshot.json, or [0-9]+.snapshot.json. If not, - # this workflow will exit as we only want to run it when ONLY these files are changed. - # TODO it may be good to check whether the [0-9]+.snapshot.json is the next one chronologically - check_filename() { - if [[ $1 != "timestamp.json" && $1 != "snapshot.json" && !($1 =~ ^[0-9]+\.snapshot.json$) ]]; then - echo "Sync main to preprod and prod workflow: Files other than timestamp and snapshot were updated in main branch, including file: $1. Not syncing, exiting." - echo "abort=true" >> $GITHUB_OUTPUT - fi; - } - # Diff main and prod to determine whether ONLY the timestamp and snapshot files have changed in main. 
- # If other files have also changed, exit - in this case, the sync should be to preprod only. - # NOTE other non-timestamp/snapshot changes should only occur during a ceremony, and - # will go through the sync-ceremony-* flow that hits main and preprod. This means there should never - # be changed files in prod that have not also hit the main branch. - # NOTE We deliberately diff only with prod to avoid a scenario in which the ceremony branch's sync to - # main and preprod kicks off this workflow, in which case the lack of diff between main and preprod - # could trigger this workflow to auto sync to prod. - # - # TODO this does not check whether the updates are in main or in prod, only that files differ. We could - # make this more exact later to check that the updates are in main (anything else is unexpected). - diff -qr repository/repository sigstore-tuf-root | grep -Po '([0-9\.]*\w+[\.\w+]*(?= differ))|((Only in \w+\: )\K(.*))' | while read l; do check_filename $l; done - - name: sync - id: sync - if: ${{ steps.check-updated-files.outputs.abort != 'true' }} - run: | - check_expiration() { - expiry=$(jq -r '.signed.expires' $1) - expires=$(date -d $expiry +%s) - current=$(date +%s) - if (( expires < current )); then - echo "Detected expired metadata file $1 at $expiry!" - exit 1 - fi; - } - - # Download bucket metadata - gcloud --quiet storage cp -r gs://sigstore-tuf-root/ . - - # Upload all but TUF timestamp. Once timestamp is uploaded, all other files must have been uploaded. - for f in $(ls repository/repository/ -I *timestamp.json) - do - # Check for expiration if this is a non-versioned metadata file. - # Versioned metadata like 1.root.json may be expired. - # TODO(asraa): When consistent snapshots are enabled, this logic must be changed so that - # only old versioned metadata can be expired. 
- if [[ $f == [^0-9]*.json ]]; then - check_expiration repository/repository/$f - fi; - - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/$f gs://sigstore-preprod-tuf-root/ - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/$f gs://sigstore-tuf-root/ - done - - # Upload timestamp after checking latest timestamp expiration - check_expiration repository/repository/timestamp.json - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/*timestamp.json gs://sigstore-preprod-tuf-root/ - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/*timestamp.json gs://sigstore-tuf-root/ - - # NOTE as this workflow runs only when timestamp or snapshot files are added or updated, there should not - # be a scenario where files that are removed from main must be synced to (removed from) preprod/prod. - gcloud compute url-maps invalidate-cdn-cache tuf-preprod-repo-cdn-lb --path "/*" --async - gcloud compute url-maps invalidate-cdn-cache tuf-repo-cdn-lb --path "/*" --async - - if-failed: - runs-on: ubuntu-latest - needs: [sync] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.sync.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true diff --git a/.github/workflows/sync-main-to-preprod.yml b/.github/workflows/sync-main-to-preprod.yml deleted file mode 100644 index 4c3be18e..00000000 --- a/.github/workflows/sync-main-to-preprod.yml +++ /dev/null 
@@ -1,109 +0,0 @@ -# -# Copyright 2024 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This workflow is triggered a root signing completes and is merged -# into main, syncing the repository to the GCS preprod bucket - -name: Sync Published Root Signing to Preprod - -# Declare default permissions as none. -permissions: {} - -on: - workflow_dispatch: - push: - # When a root signing ceremony completes - branches: - - main - paths: - - 'repository/repository/root.json' - -jobs: - sync: - permissions: - id-token: 'write' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - # Setup OIDC->SA auth - - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 - id: auth - with: - token_format: 'access_token' - workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'tuf-gha@project-rekor.iam.gserviceaccount.com' - create_credentials_file: true - - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: project-rekor - - name: Login - run: | - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list 
- # sync - - name: sync - run: | - check_expiration() { - expiry=$(jq -r '.signed.expires' $1) - expires=$(date -d $expiry +%s) - current=$(date +%s) - if (( expires < current )); then - echo "Detected expired metadata file $1 at $expiry!" - exit 1 - fi; - } - # Upload all but TUF timestamp. Once timestamp is uploaded, all other files must have been uploaded. - for f in $(ls repository/repository/ -I *timestamp.json) - do - # Check for expiration if this is a non-versioned metadata file. - # Versioned metadata like 1.root.json may be expired. - # TODO(asraa): When consistent snapshots are enabled, this logic must be changed so that - # only old versioned metadata can be expired. - if [[ $f == [^0-9]*.json ]]; then - check_expiration repository/repository/$f - fi; - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/$f gs://sigstore-preprod-tuf-root/ - done - # Upload timestamp after checking latest timestamp expiration - check_expiration repository/repository/timestamp.json - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/*timestamp.json gs://sigstore-preprod-tuf-root/ - # delete any files present in sigstore-preprod-tuf-root not in repository/repository - gcloud --quiet storage cp -r gs://sigstore-preprod-tuf-root/ . 
- diff -qr repository/repository sigstore-preprod-tuf-root | while read l; do - if [[ $l =~ "Only in sigstore-preprod-tuf-root" ]]; then - path=$(python3 -c "import re; s='$l'; pattern=r'^Only in sigstore-preprod-tuf-root(\/?)(.*): (.*)$'; match=re.search(pattern, s); print('/'.join([match.group(2), match.group(3)]).lstrip('/'))") - gcloud --quiet storage rm gs://sigstore-preprod-tuf-root/$path - fi; - done - gcloud compute url-maps invalidate-cdn-cache tuf-preprod-repo-cdn-lb --path "/*" --async - - if-failed: - runs-on: ubuntu-latest - needs: [sync] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.sync.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true diff --git a/.github/workflows/sync-preprod-to-prod.yml b/.github/workflows/sync-preprod-to-prod.yml deleted file mode 100644 index 5cfe94a0..00000000 --- a/.github/workflows/sync-preprod-to-prod.yml +++ /dev/null 
@@ -1,79 +0,0 @@ -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Sync Preprod Repository with GCS Prod Bucket - -on: - workflow_dispatch: - -jobs: - sync: - if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing') || (github.event_name != 'schedule') # Don't run workflow in forks on cron - runs-on: ubuntu-latest - permissions: - id-token: 'write' - steps: - # Setup OIDC->SA auth - - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 - id: auth - with: - token_format: 'access_token' - workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'tuf-gha@project-rekor.iam.gserviceaccount.com' - create_credentials_file: true - - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: project-rekor - - name: login - run: | - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list - - - name: sync - run: | - # download preprod bucket and copy over to production bucket - gcloud --quiet storage cp -r gs://sigstore-preprod-tuf-root/ . - - # upload all but TUF timestamp. Once timestamp is uploaded, all other files must have been uploaded. 
- for f in $(ls sigstore-preprod-tuf-root/ -I *timestamp.json) - do - gcloud --quiet storage cp --cache-control=no-store -r sigstore-preprod-tuf-root/$f gs://sigstore-tuf-root/ - done - # upload timestamp - gcloud --quiet storage cp --cache-control=no-store -r sigstore-preprod-tuf-root/*timestamp.json gs://sigstore-tuf-root/ - - # delete any files present in sigstore-tuf-root not in sigstore-preprod-tuf-root - gcloud --quiet storage cp -r gs://sigstore-tuf-root/ . - - diff -qr sigstore-preprod-tuf-root sigstore-tuf-root | while read l; do - if [[ $l =~ "Only in sigstore-tuf-root" ]]; then - path=$(python3 -c "import re; s='$l'; pattern=r'^Only in sigstore-tuf-root(\/?)(.*): (.*)$'; match=re.search(pattern, s); print('/'.join([match.group(2), match.group(3)]).lstrip('/'))") - gcloud --quiet storage rm gs://sigstore-tuf-root/$path - fi; - done - gcloud compute url-maps invalidate-cdn-cache tuf-repo-cdn-lb --path "/*" --async - - if-failed: - runs-on: ubuntu-latest - needs: [sync] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.sync.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true diff --git a/.github/workflows/tuf_client_tests.yml b/.github/workflows/tuf_client_tests.yml deleted file mode 100644 index 88f1fc95..00000000 --- a/.github/workflows/tuf_client_tests.yml +++ /dev/null 
@@ -1,100 +0,0 @@ -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: TUF Client tests - -on: - workflow_dispatch: - push: - paths: - - 'repository/**' - pull_request: - -jobs: - client: - runs-on: ubuntu-latest - steps: - # Set up a repository server with python - - uses: actions/setup-python@v5 - with: - python-version: '3.x' - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 2 - - run: | - cd repository/repository/ - python -m http.server 8001 & - echo "REPO=http://localhost:8001" >> $GITHUB_ENV - # Test with go-tuf client - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - - run: | - go install github.com/theupdateframework/go-tuf/cmd/tuf-client@v0.7.0 - - run: | - # Only 5.root.json is compatible with new versions of go-tuf - if [ -f repository/repository/5.root.json ]; then - tuf-client init http://localhost:8001 repository/repository/5.root.json - tuf-client list http://localhost:8001 - fi - # Verify with a go-tuf client that can understand deprecated keys - go run ./tests/client-tests init http://localhost:8001 repository/repository/1.root.json - go run ./tests/client-tests list http://localhost:8001 - # Test with rust client - - name: Configure cargo cache - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 - with: - path: | - /tmp/tuftool-target - 
~/.cargo/registry/index/ - ~/.cargo/registry/cache/ - ~/.cargo/git/db/ - key: ${{ runner.os }}-cargo-tuftool - - name: Install tuftool - run: | - # use the latest version - cargo install tuftool \ - --target-dir /tmp/tuftool-target - - run: | - tuftool download out \ - --root repository/repository/2.root.json \ - -t http://localhost:8001/targets \ - -m http://localhost:8001 - # Test with python-tuf ngclient - - run: | - python3 -m pip install securesystemslib[crypto,pynacl] "tuf>=4.0.0" - python3 tests/client-tests/python-tuf.py - - jsclient: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 - with: - node-version: 20 - - name: Install tufjs/cli - run: npm install -g @tufjs/cli - - run: | - cd repository/repository/ - python -m http.server 8001 & - - name: Download and verify root - run: | - tuf download \ - --metadata-base-url http://localhost:8001 \ - --root repository/repository/5.root.json \ - --target-name trusted_root.json diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml deleted file mode 100644 index e05144db..00000000 --- a/.github/workflows/validate.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: CI Validate - -on: - push: - paths: - - 'ceremony/**' - - 'repository/**' - pull_request: - -jobs: - validate: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 2 - - run: | - echo "REPO=$(pwd)/repository" >> $GITHUB_ENV - echo "CDN_REPO=https://tuf-repo-cdn.sigstore.dev" >> $GITHUB_ENV - echo "CDN_PREPROD_REPO=https://tuf-preprod-repo-cdn.sigstore.dev" >> $GITHUB_ENV - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - - name: install deps - run: | - sudo apt-get install libpcsclite-dev - curl -fsO https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem - - name: build - run: go build -o verify ./cmd/verify/ - - name: build - run: go build -o tuf -tags=pivkey ./cmd/tuf - - name: verify local published repository - run: ./verify repository --repository $REPO --root $(pwd)/ceremony/2021-06-18/repository/root.json - - name: verify CDN remote published repository - run: ./verify repository --repository $CDN_REPO --root $(pwd)/ceremony/2021-06-18/repository/root.json - - name: verify CDN preprod remote published repository - run: ./verify repository --repository $CDN_PREPROD_REPO --root $(pwd)/ceremony/2021-06-18/repository/root.json - - name: verify staged ceremony changes - 
run: | - set -euo pipefail - export CHANGED=$(git diff --name-only HEAD^ HEAD ceremony/20* | grep ".*staged.*" | head -1) - echo "$CHANGED" - if [ -n "$CHANGED" ]; then - export REPO=$(echo "$CHANGED" | cut -d/ -f 1-2) - ./verify repository --repository "$REPO" --staged true - fi From 89cbea95867884a5a0b4d91036de8c4c71327756 Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Mon, 26 Aug 2024 09:16:33 +0200 Subject: [PATCH 05/12] 'registry.npmjs.org' role/delegation change Signed-off-by: Fredrik Skogman --- metadata/targets.json | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/metadata/targets.json b/metadata/targets.json index 009c8184..2f90ca80 100755 --- a/metadata/targets.json +++ b/metadata/targets.json @@ -25,23 +25,19 @@ "_type": "targets", "delegations": { "keys": { - "fa6bb9bb553e568b85a0dc66bd36eeccb1625304ff30428bca79abedaef1632a": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], + "5e3a4021b11a425fd0a444f1670457ce5b15bbe036144f2417426f7f4b9721da": { "keytype": "ecdsa", "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoLrh0jmOfHWLwsyo/4oGbldF91WV\nfXvxVlDhW8fZwP/3vTnliBkDp5sH8/Dpm1SBOHkqENVt1+4Un/sFtl2zAQ==\n-----END PUBLIC KEY-----\n" + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVfei1dXQRVeArCMcTDgxJtYg+Fs7\nV87DjhQbGlRJPyC7SW5TbNNkmvpmi4LeTv6moLVZ7T2nVqiRZbSkD+cf8w==\n-----END PUBLIC KEY-----\n" }, "scheme": "ecdsa-sha2-nistp256", - "x-tuf-on-ci-keyowner": "@-npm-signer" + "x-tuf-on-ci-online-uri": "azurekms://npm-tuf-delegate.vault.azure.net/keys/npm-tuf-delegate-2024-08/e2772c1d01ca400da571096889f1660e" } }, "roles": [ { "keyids": [ - "fa6bb9bb553e568b85a0dc66bd36eeccb1625304ff30428bca79abedaef1632a" + "5e3a4021b11a425fd0a444f1670457ce5b15bbe036144f2417426f7f4b9721da" ], "name": "registry.npmjs.org", "paths": [ 
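Review bot: The `registry.npmjs.org` delegation now lists a single keyid, `5e3a4021…`, whose key is an online Azure Key Vault key (`x-tuf-on-ci-online-uri`), so the role's `threshold` (outside this hunk) must be 1 and a compromise of that one KMS key is enough to sign any target the delegation's `paths` allow; because the key is pinned in targets.json (the URI even pins a key version, `…/npm-tuf-delegate-2024-08/e2772c1d…`), revoking or rotating it needs a new offline-signed targets.json. The commit title says only "role/delegation change", and the replaced `x-tuf-on-ci-keyowner` value `@-npm-signer` looks like a placeholder rather than a GitHub handle, so the reason the delegatee moved from a keyowner to an online key should be recorded in the commit body or the repository's signing documentation, since JSON cannot carry a comment. Before merging, a reviewer should re-derive the keyid from the canonical form of the new key dict and confirm the PEM matches the public key at the quoted KMS URI; dropping `keyid_hash_algorithms` is fine, as that field is not part of the TUF specification.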
@@ -52,7 +48,7 @@
 }
 ]
 },
- "expires": "2034-08-19T07:59:33Z",
+ "expires": "2034-08-24T07:16:33Z",
 "spec_version": "1.0",
 "targets": {
 "artifact.pub": {
From 7dc3f083dfcbd28ac94ff6f122995bd8d498c385 Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Mon, 26 Aug 2024 14:47:57 +0200
Subject: [PATCH 06/12] Signature over npm delegation.
Signed-off-by: Fredrik Skogman
---
 metadata/registry.npmjs.org.json | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/metadata/registry.npmjs.org.json b/metadata/registry.npmjs.org.json
index 81a1ac11..c9ce278c 100755
--- a/metadata/registry.npmjs.org.json
+++ b/metadata/registry.npmjs.org.json
@@ -3,6 +3,10 @@
 {
 "keyid": "fa6bb9bb553e568b85a0dc66bd36eeccb1625304ff30428bca79abedaef1632a",
 "sig": ""
+ },
+ {
+ "keyid": "5e3a4021b11a425fd0a444f1670457ce5b15bbe036144f2417426f7f4b9721da",
+ "sig": "3046022100a2137aaf3a0dbde3e858b5507cc60596379c859f37b4a4b60e7175497d862e9d022100b4feabf83b0b90973256f0c3dfab9d1ca8eedce2cf04a5f03cb06944604c8229"
 }
 ],
 "signed": {
From c1d3ef3be3e97dec425c48c1d25218ecb0f9f1ad Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Mon, 26 Aug 2024 16:55:58 +0200
Subject: [PATCH 07/12] Remove empty signature from previous key id
Signed-off-by: Fredrik Skogman
---
 metadata/registry.npmjs.org.json | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/metadata/registry.npmjs.org.json b/metadata/registry.npmjs.org.json
index c9ce278c..3cbdcb3b 100755
--- a/metadata/registry.npmjs.org.json
+++ b/metadata/registry.npmjs.org.json
@@ -1,9 +1,5 @@
 {
 "signatures": [
- {
- "keyid": "fa6bb9bb553e568b85a0dc66bd36eeccb1625304ff30428bca79abedaef1632a",
- "sig": ""
- },
 {
 "keyid": "5e3a4021b11a425fd0a444f1670457ce5b15bbe036144f2417426f7f4b9721da",
 "sig": "3046022100a2137aaf3a0dbde3e858b5507cc60596379c859f37b4a4b60e7175497d862e9d022100b4feabf83b0b90973256f0c3dfab9d1ca8eedce2cf04a5f03cb06944604c8229"
From c9ec5785c6c375506f9f2b6b92292344e8d628e3 Mon Sep 17 00:00:00 2001
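Review bot: `expires` for the top-level targets role is set to `2034-08-24T07:16:33Z`, ten years out, so the delegation key introduced in this series stays trusted by every client until targets.json is re-signed by the offline signers; expiry provides no backstop for revoking the npm online key. This looks like the project's intended policy for rarely-signed offline roles rather than a defect, so no change is requested, but the consequence — removing or rotating the `registry.npmjs.org` key requires a full offline targets signing, not merely new delegated metadata — is worth one sentence in the signing documentation.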
From: Joshua Lock
Date: Tue, 27 Aug 2024 11:07:05 +0100
Subject: [PATCH 08/12] Signature from @joshuagl
Signed-off-by: Joshua Lock
---
 metadata/root.json | 6 +++++-
 metadata/root_history/10.root.json | 6 +++++-
 metadata/targets.json | 2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/metadata/root.json b/metadata/root.json
index eb04650b..13a7bd61 100755
--- a/metadata/root.json
+++ b/metadata/root.json
@@ -18,7 +18,11 @@
 },
 {
 "keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70",
- "sig": ""
+ "sig": "3046022100c78513854cae9c32eaa6b88e18912f48006c2757a258f917312caba75948eb9e022100d9e1b4ce0adfe9fd2e2148d7fa27a2f40ba1122bd69da7612d8d1776b013c91d"
+ },
+ {
+ "keyid": "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f",
+ "sig": "3045022056483a2d5d9ea9cec6e11eadfb33c484b614298faca15acf1c431b11ed7f734c022100d0c1d726af92a87e4e66459ca5adf38a05b44e1f94318423f954bae8bca5bb2e"
 }
 ],
 "signed": {
diff --git a/metadata/root_history/10.root.json b/metadata/root_history/10.root.json
index eb04650b..13a7bd61 100644
--- a/metadata/root_history/10.root.json
+++ b/metadata/root_history/10.root.json
@@ -18,7 +18,11 @@
 },
 {
 "keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70",
- "sig": ""
+ "sig": "3046022100c78513854cae9c32eaa6b88e18912f48006c2757a258f917312caba75948eb9e022100d9e1b4ce0adfe9fd2e2148d7fa27a2f40ba1122bd69da7612d8d1776b013c91d"
+ },
+ {
+ "keyid": "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f",
+ "sig": "3045022056483a2d5d9ea9cec6e11eadfb33c484b614298faca15acf1c431b11ed7f734c022100d0c1d726af92a87e4e66459ca5adf38a05b44e1f94318423f954bae8bca5bb2e"
 }
 ],
 "signed": {
diff --git a/metadata/targets.json b/metadata/targets.json
index 2f90ca80..b00f8f52 100755
--- a/metadata/targets.json
+++ b/metadata/targets.json
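Review bot: The signature for keyid `fdfa83a0…` is appended as a new entry rather than filling one of the empty `"sig": ""` placeholders, so it presumably comes from a key of the previous root rather than from this root's own `keys` (which are outside the hunk); that is what TUF root rotation requires — the new root must carry a threshold of signatures from both the previous and the new root keys — but the publishing step should verify that `fdfa83a0…` is listed in the previous root and that both thresholds are met before `root.json` is served. The same hunk is applied to `metadata/root_history/10.root.json` with identical blob ids (`eb04650b..13a7bd61`), which is the right invariant: the two files must stay byte-identical, and a CI check that diffs them would catch drift in later signing commits.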
@@ -18,7 +18,7 @@
 },
 {
 "keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70",
- "sig": ""
+ "sig": "304502203d51eac2b34f6f06178e86e484d192f7a40b53df47e2ba0540d2e5a397d1e92b0221009833e3bb41c3bd28bc1adc06a74e5e7c73a6c9d9a1648ab558cfbdd380a2c4e2"
 }
 ],
 "signed": {
From 0eb144785fe0ae109873ebfb6156825a1f01e192 Mon Sep 17 00:00:00 2001
From: Bob Callaway
Date: Tue, 27 Aug 2024 07:15:52 -0400
Subject: [PATCH 09/12] Signature from @bobcallaway
Signed-off-by: Bob Callaway
---
 metadata/root.json | 6 +++++-
 metadata/root_history/10.root.json | 6 +++++-
 metadata/targets.json | 2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/metadata/root.json b/metadata/root.json
index 13a7bd61..12dd67c5 100755
--- a/metadata/root.json
+++ b/metadata/root.json
@@ -14,7 +14,7 @@
 },
 {
 "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222",
- "sig": ""
+ "sig": "304502210082c58411d989eb9f861410857d42381590ec9424dbdaa51e78ed13515431904e0220118185da6a6c2947131c17797e2bb7620ce26e5f301d1ceac5f2a7e58f9dcf2e"
 },
 {
 "keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70",
@@ -23,6 +23,10 @@
 {
 "keyid": "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f",
 "sig": "3045022056483a2d5d9ea9cec6e11eadfb33c484b614298faca15acf1c431b11ed7f734c022100d0c1d726af92a87e4e66459ca5adf38a05b44e1f94318423f954bae8bca5bb2e"
+ },
+ {
+ "keyid": "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523",
+ "sig": "3046022100d004de88024c32dc5653a9f4843cfc5215427048ad9600d2cf9c969e6edff3d2022100d9ebb798f5fc66af10899dece014a8628ccf3c5402cd4a4270207472f8f6e712"
 }
 ],
 "signed": {
diff --git a/metadata/root_history/10.root.json b/metadata/root_history/10.root.json
index 13a7bd61..12dd67c5 100644
--- a/metadata/root_history/10.root.json
+++ b/metadata/root_history/10.root.json
@@ -14,7 +14,7 @@
 },
 {
 "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222",
- "sig": ""
+ "sig": "304502210082c58411d989eb9f861410857d42381590ec9424dbdaa51e78ed13515431904e0220118185da6a6c2947131c17797e2bb7620ce26e5f301d1ceac5f2a7e58f9dcf2e"
 },
 {
 "keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70",
@@ -23,6 +23,10 @@
 {
 "keyid": "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f",
 "sig": "3045022056483a2d5d9ea9cec6e11eadfb33c484b614298faca15acf1c431b11ed7f734c022100d0c1d726af92a87e4e66459ca5adf38a05b44e1f94318423f954bae8bca5bb2e"
+ },
+ {
+ "keyid": "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523",
+ "sig": "3046022100d004de88024c32dc5653a9f4843cfc5215427048ad9600d2cf9c969e6edff3d2022100d9ebb798f5fc66af10899dece014a8628ccf3c5402cd4a4270207472f8f6e712"
 }
 ],
 "signed": {
diff --git a/metadata/targets.json b/metadata/targets.json
index b00f8f52..d0bfc150 100755
--- a/metadata/targets.json
+++ b/metadata/targets.json
@@ -14,7 +14,7 @@
 },
 {
 "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222",
- "sig": ""
+ "sig": "3044022006b5eae637d0b66f4f72759f86e86840f6a9a580b3baf7303a046d8fac1c0872022053c1b8a6fbce7e37a7e46501019a160f4d833efb48e7ca5bd274df54b2bbce3f"
 },
 {
 "keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70",
From 7038bd286009aa0355a116b6e4f478dbfcfc93ee Mon Sep 17 00:00:00 2001
From: Dan Lorenc
Date: Tue, 27 Aug 2024 09:12:42 -0400
Subject: [PATCH 10/12] Signature from @dlorenc
Signed-off-by: Dan Lorenc
---
 metadata/root.json | 6 +++++-
 metadata/root_history/10.root.json | 6 +++++-
 metadata/targets.json | 2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/metadata/root.json b/metadata/root.json
index 12dd67c5..d1183d20 100755
--- a/metadata/root.json
+++ b/metadata/root.json
@@ -2,7 +2,7 @@ "signatures": [ { "keyid": "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", - "sig": "" + "sig": "30460221008ab1f6f17d4f9e6d7dcf1c88912b6b53cc10388644ae1f09bc37a082cd06003e022100e145ef4c7b782d4e8107b53437e669d0476892ce999903ae33d14448366996e7" }, { "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", @@ -27,6 +27,10 @@ { "keyid": "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", "sig": "3046022100d004de88024c32dc5653a9f4843cfc5215427048ad9600d2cf9c969e6edff3d2022100d9ebb798f5fc66af10899dece014a8628ccf3c5402cd4a4270207472f8f6e712" + }, + { + "keyid": "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", + "sig": "3046022100b7b09996c45ca2d4b05603e56baefa29718a0b71147cf8c6e66349baa61477df022100c4da80c717b4fa7bba0fd5c72da8a0499358b01358b2309f41d1456ea1e7e1d9" } ], "signed": { diff --git a/metadata/root_history/10.root.json b/metadata/root_history/10.root.json index 12dd67c5..d1183d20 100644 --- a/metadata/root_history/10.root.json +++ b/metadata/root_history/10.root.json @@ -2,7 +2,7 @@ "signatures": [ { "keyid": "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", - "sig": "" + "sig": "30460221008ab1f6f17d4f9e6d7dcf1c88912b6b53cc10388644ae1f09bc37a082cd06003e022100e145ef4c7b782d4e8107b53437e669d0476892ce999903ae33d14448366996e7" }, { "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", @@ -27,6 +27,10 @@ { "keyid": "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", "sig": "3046022100d004de88024c32dc5653a9f4843cfc5215427048ad9600d2cf9c969e6edff3d2022100d9ebb798f5fc66af10899dece014a8628ccf3c5402cd4a4270207472f8f6e712" + }, + { + "keyid": "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", + "sig": "3046022100b7b09996c45ca2d4b05603e56baefa29718a0b71147cf8c6e66349baa61477df022100c4da80c717b4fa7bba0fd5c72da8a0499358b01358b2309f41d1456ea1e7e1d9" } ], "signed": { 
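Review bot: metadata/root.json and metadata/root_history/10.root.json carry identical blobs in this patch (both move `12dd67c5..d1183d20`) but different tracked modes, `100755` for root.json and `100644` for the history copy, and targets.json is `100755` as well; a JSON metadata file has no reason to be executable, and the inconsistency suggests the bit was inherited rather than chosen. Clearing it is a one-off, `git update-index --chmod=-x metadata/*.json`, and does not touch the signed content, since file mode is not part of the canonical JSON that the signatures cover. Unless the tuf-on-ci workflow depends on the mode (nothing visible here does), I would fix it in a separate commit so these signature-only commits stay as they are.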
diff --git a/metadata/targets.json b/metadata/targets.json index d0bfc150..ffe9d2bc 100755 --- a/metadata/targets.json +++ b/metadata/targets.json @@ -2,7 +2,7 @@ "signatures": [ { "keyid": "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", - "sig": "" + "sig": "3045022100cffdd70aff94fab0127ac749c64449d5f644c7195971bfdca57879d5f645ab960220129ed6aeb07a57d9554af28941543bbb58f28c4c60d28a819f2294d290ff6cd9" }, { "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", From 3c4f9c6e097f7d8120cae5f85cba9b6e7d9c1fd1 Mon Sep 17 00:00:00 2001 From: Marina Moore Date: Tue, 27 Aug 2024 11:06:47 -0400 Subject: [PATCH 11/12] Signature from @mnm678 Signed-off-by: Marina Moore --- metadata/root.json | 6 +++++- metadata/root_history/10.root.json | 6 +++++- metadata/targets.json | 2 +- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/metadata/root.json b/metadata/root.json index d1183d20..8b2934e8 100755 --- a/metadata/root.json +++ b/metadata/root.json @@ -6,7 +6,7 @@ }, { "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", - "sig": "" + "sig": "3045022100c768b2f86da99569019c160a081da54ae36c34c0a3120d3cb69b53b7d113758e02204f671518f617b20d46537fae6c3b63bae8913f4f1962156105cc4f019ac35c6a" }, { "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", @@ -31,6 +31,10 @@ { "keyid": "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", "sig": "3046022100b7b09996c45ca2d4b05603e56baefa29718a0b71147cf8c6e66349baa61477df022100c4da80c717b4fa7bba0fd5c72da8a0499358b01358b2309f41d1456ea1e7e1d9" + }, + { + "keyid": "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", + "sig": "3046022100be9782c30744e411a82fa85b5138d601ce148bc19258aec64e7ec24478f38812022100caef63dcaf1a4b9a500d3bd0e3f164ec18f1b63d7a9460d9acab1066db0f016d" } ], "signed": { diff --git a/metadata/root_history/10.root.json b/metadata/root_history/10.root.json index d1183d20..8b2934e8 100644 
--- a/metadata/root_history/10.root.json +++ b/metadata/root_history/10.root.json @@ -6,7 +6,7 @@ }, { "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", - "sig": "" + "sig": "3045022100c768b2f86da99569019c160a081da54ae36c34c0a3120d3cb69b53b7d113758e02204f671518f617b20d46537fae6c3b63bae8913f4f1962156105cc4f019ac35c6a" }, { "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", @@ -31,6 +31,10 @@ { "keyid": "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", "sig": "3046022100b7b09996c45ca2d4b05603e56baefa29718a0b71147cf8c6e66349baa61477df022100c4da80c717b4fa7bba0fd5c72da8a0499358b01358b2309f41d1456ea1e7e1d9" + }, + { + "keyid": "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", + "sig": "3046022100be9782c30744e411a82fa85b5138d601ce148bc19258aec64e7ec24478f38812022100caef63dcaf1a4b9a500d3bd0e3f164ec18f1b63d7a9460d9acab1066db0f016d" } ], "signed": { diff --git a/metadata/targets.json b/metadata/targets.json index ffe9d2bc..b092778f 100755 --- a/metadata/targets.json +++ b/metadata/targets.json @@ -6,7 +6,7 @@ }, { "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", - "sig": "" + "sig": "30450220208c663d230a0ebb3a2b964020d019394112e216d4964c743ad2e61cebc43b52022100c2964f3fa7e77cd3abe13640d91b53d1a294470b65211a42f3f7764064c28ce4" }, { "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", From 2fafe33bb7a56a496c5a510e0f8bf7d7841b0855 Mon Sep 17 00:00:00 2001 From: Santiago Torres-Arias Date: Wed, 28 Aug 2024 09:32:31 -0400 Subject: [PATCH 12/12] Signature from @santiagotorres Signed-off-by: Santiago Torres-Arias --- metadata/root.json | 6 +++++- metadata/root_history/10.root.json | 6 +++++- metadata/targets.json | 2 +- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/metadata/root.json b/metadata/root.json index 8b2934e8..3f18ee74 100755 --- a/metadata/root.json +++ b/metadata/root.json 
@@ -10,7 +10,7 @@ }, { "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", - "sig": "" + "sig": "3045022100b4434e6995d368d23e74759acd0cb9013c83a5d3511f0f997ec54c456ae4350a022015b0e265d182d2b61dc74e155d98b3c3fbe564ba05286aa14c8df02c9b756516" }, { "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", @@ -35,6 +35,10 @@ { "keyid": "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", "sig": "3046022100be9782c30744e411a82fa85b5138d601ce148bc19258aec64e7ec24478f38812022100caef63dcaf1a4b9a500d3bd0e3f164ec18f1b63d7a9460d9acab1066db0f016d" + }, + { + "keyid": "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", + "sig": "30450220746ec3f8534ce55531d0d01ff64964ef440d1e7d2c4c142409b8e9769f1ada6f022100e3b929fcd93ea18feaa0825887a7210489879a66780c07a83f4bd46e2f09ab3b" } ], "signed": { diff --git a/metadata/root_history/10.root.json b/metadata/root_history/10.root.json index 8b2934e8..3f18ee74 100644 --- a/metadata/root_history/10.root.json +++ b/metadata/root_history/10.root.json @@ -10,7 +10,7 @@ }, { "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", - "sig": "" + "sig": "3045022100b4434e6995d368d23e74759acd0cb9013c83a5d3511f0f997ec54c456ae4350a022015b0e265d182d2b61dc74e155d98b3c3fbe564ba05286aa14c8df02c9b756516" }, { "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", @@ -35,6 +35,10 @@ { "keyid": "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", "sig": "3046022100be9782c30744e411a82fa85b5138d601ce148bc19258aec64e7ec24478f38812022100caef63dcaf1a4b9a500d3bd0e3f164ec18f1b63d7a9460d9acab1066db0f016d" + }, + { + "keyid": "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", + "sig": "30450220746ec3f8534ce55531d0d01ff64964ef440d1e7d2c4c142409b8e9769f1ada6f022100e3b929fcd93ea18feaa0825887a7210489879a66780c07a83f4bd46e2f09ab3b" } ], "signed": { 
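Review bot: With this signature the first five entries of root.json no longer hold `"sig": ""`, but every intermediate commit in the series does ship such placeholders, and an empty `sig` is not a valid DER signature — a client treats it as a failed verification, not as "pending". That is harmless only if nothing publishes `metadata/` before the threshold is reached; the hunks give no signal either way, so confirm that the publish step is gated on threshold rather than on a branch push. It is also worth checking that the appended old-key countersignatures (`fdfa83a0…`, `e2f59acb…`, `3c344aa0…`, `ec816697…`, `1e1d65ce…`) reach the previous root's threshold, because a client that rejects v10 on that ground cannot move past v9. The `signed` object with the thresholds themselves lies outside the hunk.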
diff --git a/metadata/targets.json b/metadata/targets.json index b092778f..e5993f84 100755 --- a/metadata/targets.json +++ b/metadata/targets.json @@ -10,7 +10,7 @@ }, { "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", - "sig": "" + "sig": "304502210093afa3a6d28f67f6aace8c6c5258282ec0784ce82da93589e2870b522c1b685502205374c8871e12e07f856f83e780b626dd5a00a032285d4436f615cdb9d637c3c3" }, { "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222",