
[WIP] Draft v3 root changes #139

Closed
wants to merge 16 commits into from

Conversation

@asraa asraa commented Mar 8, 2022

Signed-off-by: Asra Ali asraa@google.com

Summary

Ticket Link

Fixes

Release Note


Signed-off-by: Asra Ali <asraa@google.com>

asraa commented Mar 8, 2022

  • Reduce root/target expiration to 4 months rather than 6
  • Rotate out one key-holder (TBD)
  • Create a test setup with >1 YubiKey
  • Add custom metadata indicating the usage/lifetime/version of the target metadata for the Rekor/Fulcio/CT key
  • Add a revocation delegation @haydentherapper
  • Enable consistent snapshots (Prerequisites for verification with old targets #80)
  • (Optional?): Start including the HSM certs into the root metadata

Changes in snapshot/targets:
  • Snapshot expiration to 5 weeks so re-signing every 3
  • Timestamp expiration to 7 days so re-signing w/ automatic merge

Signed-off-by: Asra Ali <asraa@google.com>

asraa commented Mar 9, 2022

Custom metadata added as:

{
  "targets": {
    "artifact.pub": {
      "custom": {
        "sigstore": {
          "status": "Active",
          "usage": "Cosign"
        }
      },
      "hashes": {
        "sha256": "59ebf97a9850aecec4bc39c1f5c1dc46e6490a6b5fd2a6cacdcac0c3a6fc4cbf",
        "sha512": "308fd1d1d95d7f80aa33b837795251cc3e886792982275e062409e13e4e236ffc34d676682aa96fdc751414de99c864bf132dde71581fa651c6343905e3bf988"
      },
      "length": 177
    }
  }
}
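As an added example (not code from this PR, from sigstore or from go-tuf), the following Go program reads a targets-metadata fragment shaped like the one above, selects the keys whose custom.sigstore block marks them Active for a given usage, and checks an artifact against the recorded length and every listed hash. The struct names, the second "rekor-old.pub" entry with an assumed "Expired" status, the target names and the artifact bytes are all constructed for this example; the digest values are the standard SHA-256 and SHA-512 test vectors for the 3-byte input "abc".

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// sigstoreCustom mirrors the "custom": {"sigstore": {...}} block shown in the
// PR comment. Type names are this example's own; JSON keys follow the page.
type sigstoreCustom struct {
	Status string `json:"status"`
	Usage  string `json:"usage"`
}

type targetFile struct {
	Custom struct {
		Sigstore sigstoreCustom `json:"sigstore"`
	} `json:"custom"`
	Hashes map[string]string `json:"hashes"`
	Length int64             `json:"length"`
}

type targetsSigned struct {
	Targets map[string]targetFile `json:"targets"`
}

// sampleTargets is a constructed fragment of the signed portion of targets.json.
// "rekor-old.pub" with status "Expired" is an assumed second entry; the digests
// are the standard SHA-256/SHA-512 test vectors for the 3-byte input "abc".
const sampleTargets = `{
  "targets": {
    "rekor.pub": {
      "custom": {"sigstore": {"status": "Active", "usage": "Rekor"}},
      "hashes": {
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
        "sha512": "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"
      },
      "length": 3
    },
    "rekor-old.pub": {
      "custom": {"sigstore": {"status": "Expired", "usage": "Rekor"}},
      "hashes": {"sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
      "length": 3
    }
  }
}`

// parseTargets decodes the signed "targets" portion of a targets.json document.
func parseTargets(raw []byte) (*targetsSigned, error) {
	var t targetsSigned
	if err := json.Unmarshal(raw, &t); err != nil {
		return nil, fmt.Errorf("decoding targets metadata: %w", err)
	}
	return &t, nil
}

// activeTargets lists the targets whose custom metadata marks them Active for
// the requested usage (e.g. "Rekor"), so a verifier can skip rotated-out keys
// that are kept in the repository for old signatures. Sorted for determinism.
func activeTargets(t *targetsSigned, usage string) []string {
	var names []string
	for name, tf := range t.Targets {
		if tf.Custom.Sigstore.Status == "Active" && tf.Custom.Sigstore.Usage == usage {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// verifyTarget checks downloaded content against the recorded length and every
// listed hash. An unknown hash algorithm is an error rather than a skip, so an
// entry can never pass by having nothing checked.
func verifyTarget(t *targetsSigned, name string, content []byte) error {
	tf, ok := t.Targets[name]
	if !ok {
		return fmt.Errorf("target %q is not in the metadata", name)
	}
	if int64(len(content)) != tf.Length {
		return fmt.Errorf("%s: length %d, metadata says %d", name, len(content), tf.Length)
	}
	if len(tf.Hashes) == 0 {
		return fmt.Errorf("%s: no hashes recorded", name)
	}
	for alg, want := range tf.Hashes {
		var got []byte
		switch alg {
		case "sha256":
			sum := sha256.Sum256(content)
			got = sum[:]
		case "sha512":
			sum := sha512.Sum512(content)
			got = sum[:]
		default:
			return fmt.Errorf("%s: unsupported hash algorithm %q", name, alg)
		}
		wantBytes, err := hex.DecodeString(want)
		if err != nil {
			return fmt.Errorf("%s: malformed %s digest: %w", name, alg, err)
		}
		if !bytes.Equal(got, wantBytes) {
			return fmt.Errorf("%s: %s digest mismatch", name, alg)
		}
	}
	return nil
}

func main() {
	meta, err := parseTargets([]byte(sampleTargets))
	if err != nil {
		panic(err)
	}
	fmt.Println("active Rekor keys:", activeTargets(meta, "Rekor"))
	// The constructed artifact is the bytes "abc"; a tampered copy must fail.
	fmt.Println("good artifact:", verifyTarget(meta, "rekor.pub", []byte("abc")))
	fmt.Println("tampered artifact:", verifyTarget(meta, "rekor.pub", []byte("abd")))
}
```

The status field does the work the PR comment describes: a rotated-out key stays in the metadata (so old signatures remain verifiable) but is excluded from the Active set a client would trust for new verifications, and the hash and length checks are the standard TUF target verification applied to the key file itself.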

Signed-off-by: Asra Ali <asraa@google.com>
@asraa asraa closed this Mar 10, 2022
@asraa asraa deleted the v3-changes branch March 10, 2022 13:18
@asraa asraa restored the v3-changes branch March 10, 2022 13:34
@asraa asraa reopened this Mar 10, 2022
Signed-off-by: Asra Ali <asraa@google.com>

dlorenc commented Mar 22, 2022

What's left here? Need any help?


asraa commented Mar 22, 2022

> What's left here? Need any help?

Hey! So far key rotation worked and I got blocked on delegation "refreshing" theupdateframework/go-tuf#239

It could be a simple fix that I can work around in the wrapping TUF API code. I'll be able to try that today and do another dry run. Would love help for a very quick dry run later this week! @priyawadhwa since you likely have a key too.

@priyawadhwa

Yup, I definitely had one! Will try to find it 😅

@trishankatdatadog

> Hey! So far key rotation worked and I got blocked on delegation "refreshing" theupdateframework/go-tuf#239

Let us know how you need help here. @ethan-lowman-dd

Signed-off-by: Asra Ali <asraa@google.com>
# Add the key!
./tuf add-key -repository $REPO

# Ask user to remove key (and replace with SSH security key)
read -n1 -r -s -p "Remove your Yubikey, then press any key to continue..."
@asraa

@haydentherapper are you sure you didn't see this prompt?
https://github.com/asraa/test-sigstore-root/issues/80#issuecomment-1086201454

maybe it's possible tapping the yubikey had pressed a key? Maybe I'll make it an explicit type Y?

@asraa asraa closed this Jun 10, 2022