
sign-root-targets for mnm678 #685

Conversation

mnm678
Contributor

@mnm678 mnm678 commented Feb 28, 2023

Summary

Release Note

Documentation

Signed-off-by: Marina Moore <mnm678@gmail.com>
Contributor

@asraa asraa left a comment


STAGED METADATA

Outputting metadata verification at /home/asraa/git/root-signing/repository...

Verifying targets.json...
Success! Signatures valid and threshold achieved
targets version 6, expires 2023/08/28

Verifying root.json...
Success! Signatures valid and threshold achieved
Success! Signatures valid and threshold achieved from the previous root
root version 6, expires 2023/08/28

LGTM! Just to ensure that the sig wasn't skipped and hidden behind the 3 merged sigs, I re-ran the staged verification deleting the other sigs and verified that there was a valid sig.

@trishankatdatadog
Contributor

Outputting key verification and OpenSSL commands...

VERIFIED KEY WITH SERIAL NUMBER 13078778
TUF key ids:
	ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c

VERIFIED KEY WITH SERIAL NUMBER 14470876
TUF key ids:
	25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99

VERIFIED KEY WITH SERIAL NUMBER 15938765
TUF key ids:
	f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f

VERIFIED KEY WITH SERIAL NUMBER 15938791
TUF key ids:
	7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b

VERIFIED KEY WITH SERIAL NUMBER 18158855
TUF key ids:
	2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de

# To manually verify the chain for any key ID

	export SERIAL_NUMBER=${SERIAL_NUMBER}
	openssl verify -verbose -x509_strict -CAfile <(cat piv-attestation-ca.pem repository/keys/${SERIAL_NUMBER}/${SERIAL_NUMBER}_device_cert.pem) repository/keys/${SERIAL_NUMBER}/${SERIAL_NUMBER}_key_cert.pem

# Manually extract the public key for any key ID and match with published

	export SERIAL_NUMBER=${SERIAL_NUMBER}
	openssl x509 -in repository/keys/${SERIAL_NUMBER}/${SERIAL_NUMBER}_key_cert.pem -pubkey -noout
	cat repository/keys/${SERIAL_NUMBER}/${SERIAL_NUMBER}_pubkey.pem
+ '[' -f /Users/trishank.kuppusamy/GitHub.com/sigstore/root-signing/repository/staged/root.json ']'
+ ./verify repository --repository /Users/trishank.kuppusamy/GitHub.com/sigstore/root-signing/repository --staged
STAGED METADATA

Outputting metadata verification at /Users/trishank.kuppusamy/GitHub.com/sigstore/root-signing/repository...

Verifying root.json...
	Success! Signatures valid and threshold achieved
	Success! Signatures valid and threshold achieved from the previous root
	root version 6, expires 2023/08/28

Verifying targets.json...
	Success! Signatures valid and threshold achieved
	targets version 6, expires 2023/08/28
+ '[' -f /Users/trishank.kuppusamy/GitHub.com/sigstore/root-signing/repository/repository/1.root.json ']'
+ ./verify repository --repository /Users/trishank.kuppusamy/GitHub.com/sigstore/root-signing/repository --root /Users/trishank.kuppusamy/GitHub.com/sigstore/root-signing/repository/repository/1.root.json

VERIFYING TUF CLIENT UPDATE

Client successfully initialized, updating and downloading targets...
Client updated to...
	root.json version 5, expires 2023/04/18
	timestamp.json version 71, expires 2023/03/08
	snapshot.json version 71, expires 2023/03/15
	targets.json version 5, expires 2023/04/18

Retrieved target fulcio_v1.crt.pem...

Retrieved target rekor.pub...
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwr
kBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw==
-----END PUBLIC KEY-----

Retrieved target artifact.pub...
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt
IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww==
-----END PUBLIC KEY-----

Retrieved target ctfe.pub...
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbfwR+RJudXscgRBRpKX1XFDy3Pyu
dDxz/SfnRi1fT8ekpfBd2O1uoz7jr3Z8nKzxA69EUQ+eFCFI3zeubPWU7w==
-----END PUBLIC KEY-----

Retrieved target ctfe_2022.pub...
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiPSlFi0CmFTfEjCUqF9HuCEcYXNK
AaYalIJmBZ8yyezPjTqhxrKBpMnaocVtLJBI1eM3uXnQzQGAJdJ4gs9Fyw==
-----END PUBLIC KEY-----

Retrieved target fulcio.crt.pem...

Retrieved target fulcio_intermediate_v1.crt.pem...

@kommendorkapten
Member

Signing done with expected key 25a0...: https://github.com/sigstore/root-signing/blob/main/README.md?plain=1#L49

$ GITHUB_USER=kommendorkapten BRANCH=ceremony/2023-02-28 ./scripts/verify.sh 685
...
+ ./verify repository --repository /Users/kommendorkapten/git/root-signing/repository --staged
STAGED METADATA

Outputting metadata verification at /Users/kommendorkapten/git/root-signing/repository...

Verifying root.json...
	Success! Signatures valid and threshold achieved
	Success! Signatures valid and threshold achieved from the previous root
	root version 6, expires 2023/08/28

Verifying targets.json...
	Success! Signatures valid and threshold achieved
	targets version 6, expires 2023/08/28
...

Manually drop other signatures:

$ git diff --text repository/staged/root.json
diff --git a/repository/staged/root.json b/repository/staged/root.json
index 676edfa..9e76cc9 100644
--- a/repository/staged/root.json
+++ b/repository/staged/root.json
@@ -122,7 +122,7 @@
 	"signatures": [
 		{
 			"keyid": "ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c",
-			"sig": "3044022079941eab7035ffd603354ee9a072ad87ad24e084f2aa52a718f76b21545d90190220368a65bb4ac83a9938885f5bba6a0b9a25c9979c85d85840497a95e47466eafb"
+			"sig": ""
 		},
 		{
 			"keyid": "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99",
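Review bot: the entry for keyid 25a0… at the foot of this hunk appears only as trailing context, so the hunk itself does not show whether its "sig" line (just past the hunk) was left intact; after blanking ff51…'s signature here, it is the signature count in the verify run that follows, not the diff, that establishes that the kept signature is the one under review. Blanking "sig" to "" rather than deleting the whole entry is the safer edit for this purpose, since the keyid list stays unchanged and only the count of valid signatures moves.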
@@ -134,11 +134,11 @@
 		},
 		{
 			"keyid": "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b",
-			"sig": "304502205c7b76ad222ffe16fed152f5bbf1c18b3df4814bf93703fea4605ae335914953022100a9d187ee02a4babe12b1646b572171bac60b23b0846ff3f067ded075194b549c"
+			"sig": ""
 		},
 		{
 			"keyid": "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de",
-			"sig": "30440220724e672fd7a2dbd338dfea683712a77bc1579ae5061dbc501d498ade02ea3aeb022012758bd3f1d4d245d92a692d26f743ad7a1f9af0982d1983a8619186c1fbcdd4"
+			"sig": ""
 		}
 	]
-}
\ No newline at end of file
+}
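Review bot: the trailing `-}` / `\ No newline at end of file` / `+}` lines show the hand edit also added a newline the original file lacked, an unrelated byte-level change; this working-tree edit should be reverted rather than committed once the isolated count has been read off. The two signatures blanked here (7f75… and 2e61…) plus ff51… in the previous hunk account for the three merged signatures asraa mentioned, which is consistent with the "1/3 valid signatures" the verify output below reports.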
$ ./verify repository --repository $(pwd)/repository --staged
STAGED METADATA

Outputting metadata verification at /Users/kommendorkapten/git/root-signing/repository...

Verifying root.json...
	Contains 1/3 valid signatures from the current staged metadata
	Contains 1/3 valid signatures from the previous root
	root version 6, expires 2023/08/28

Verifying targets.json...
	Success! Signatures valid and threshold achieved
	targets version 6, expires 2023/08/28

@kommendorkapten kommendorkapten merged commit ac5242d into sigstore:ceremony/2023-02-28 Mar 1, 2023
kommendorkapten pushed a commit to kommendorkapten/root-signing that referenced this pull request Mar 1, 2023
Signed-off-by: Marina Moore <mnm678@gmail.com>
kommendorkapten pushed a commit that referenced this pull request Mar 2, 2023
Signed-off-by: Marina Moore <mnm678@gmail.com>
kommendorkapten added a commit that referenced this pull request Mar 2, 2023
* Add staged repository metadata (#673)

Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: GitHub <noreply@github.com>

* sign-root-targets for bobcallaway (#674)

Signed-off-by: Bob Callaway <bcallaway@google.com>

* sign-root-targets for joshuagl (#675)

Signed-off-by: Joshua Lock <jlock@vmware.com>

* sign-root-targets for dlorenc (#677)

Signed-off-by: Dan Lorenc <dlorenc@chainguard.dev>

* sign-root-targets for SantiagoTorres (#683)

Signed-off-by: Santiago Torres Arias <santiago@archlinux.org>

* sign-root-targets for mnm678 (#685)

Signed-off-by: Marina Moore <mnm678@gmail.com>

* Update Snapshot and Timestamp (#687)

Signed-off-by: sigstore-review-bot <sigstore-review-bot@users.noreply.github.com>

* publish for kommendorkapten (#688)

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* update snapshot and timestamp (#698)

Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kommendorkapten <kommendorkapten@users.noreply.github.com>

* publish for kommendorkapten (#699)

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

---------

Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Bob Callaway <bcallaway@google.com>
Signed-off-by: Joshua Lock <jlock@vmware.com>
Signed-off-by: Dan Lorenc <dlorenc@chainguard.dev>
Signed-off-by: Santiago Torres Arias <santiago@archlinux.org>
Signed-off-by: Marina Moore <mnm678@gmail.com>
Signed-off-by: sigstore-review-bot <sigstore-review-bot@users.noreply.github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Co-authored-by: GitHub <noreply@github.com>
Co-authored-by: Bob Callaway <bobcallaway@users.noreply.github.com>
Co-authored-by: Joshua Lock <jlock@vmware.com>
Co-authored-by: dlorenc <lorenc.d@gmail.com>
Co-authored-by: Santiago Torres <santiago@archlinux.org>
Co-authored-by: Marina Moore <mnm678@users.noreply.github.com>
Co-authored-by: Fredrik Skogman <kommendorkapten@github.com>
Co-authored-by: kommendorkapten <kommendorkapten@users.noreply.github.com>