You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As part of the tuf-on-ci migration we're removing the "authenticity verification scripts" that prove that a cryptographic key is on an actual Yubikey (instead of being a non-hw key or a non-yubikey hardware key).
The feature might still make sense (even if I'm not fully convinced we should only ever require Yubikeys) so let's evaluate options:
we could write new code like the "verify key" command in the legacy root-signing -- note that this had the flaw that it did not actually verify that the keys in metadata were authentic, user had to compare private keys manually for that
more useful would be some level of integration into signing event:
If we want to enforce Yubikeys, then a workflow in the signing event should fail if a "authenticity proof" is missing for a key
accepting an invitation to become a signer should somehow include the authenticity proof -- even if it's just a request to add a file into the PR manually
There are two levels of possible integration I see:
the authenticity proof could be included in metadata: support PIV attestation secure-systems-lab/securesystemslib#623 (comment) -- this way the repository could always verify the authenticity easily and we would not have to maintain extra files that will inevitably go stale. The signers would not have to do anything, new keys would just automatically include the proof
or we could dump the authenticity proofs elsewhere -- separate directory in git like they used to be, or even just as a comment in the signing event. This means we make the verification just part of "new signer" process documentation, not part of automated tooling
Note to future me, what we are looking to verify is this:
for each non-kms key in metadata, get keyholder to somehow submit ykman piv keys attest 9c - attestation. Then
verify that the key in the assertation ykman piv keys attest 9c - | openssl x509 -noout -text and the public key in metadata openssl ec -pubin -in $PUBKEY -noout -text are the same key (where $PUBKEY comes from metadata)
verify that the assertation cert is part of the GitHub cert chain
The lowest effort, minimal integration way to do this might be:
ask new signers to add the assertation in a signing event comment
setup new workflow that reacts to signing event commits and runs a check on any assertation certs it sees, adds a comment to say which tuf key it is for
As part of the tuf-on-ci migration we're removing the "authenticity verification scripts" that prove that a cryptographic key is on an actual Yubikey (instead of being a non-hw key or a non-yubikey hardware key).
The feature might still make sense (even if I'm not fully convinced we should only ever require Yubikeys) so let's evaluate options:
ykman piv keys attest 9c -
) to do parts of thisThe text was updated successfully, but these errors were encountered: