Closed jku closed 4 months ago
root-signing-staging enables secure delivery of the Sigstore staging trust root to Sigstore clients. The system regularly publishes TUF metadata (a bunch of json files) through GitHub Actions and pull requests. It is secured by the metadata being digitally signed with both hardware keys and an online key management system.
There is an example signing event with some comments (including a screenshot of the signing tool) in https://github.com/jku/tuf-demo/pull/93
root-signing-staging is operational with the following caveats:
At a high level root-signing staging should be familiar to those who know production root-signing: GitHub Actions handles online signing and GitHub pull requests are used to manage "signing events" (where signers collaborate to sign changes with their hardware keys using a local signing tool).
There are some major differences:
There are also some operational changes:
The "stack" consists of:

- signing-event: runs whenever a signing event PR branch changes. It adds comments in the PR and makes commits in the PR branch
- online-sign: runs on merges to main and on schedule. It creates new versions of timestamp and snapshot metadata when needed, and commits them to main
- publish: is triggered by online-sign. It runs various tests on the repository and finally publishes it to GCS
- create-signing-events: runs on schedule and creates PRs when metadata roles are about to expire and need to be resigned

Closing this:
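As an added worked example (not root-signing-staging's own code), here is the expiry check that the online-sign and create-signing-events workflows described above need to make over the repository's TUF metadata: read each role's `expires` field, decide whether it is expired or about to expire, and route it either to online signing (timestamp, snapshot) or to a hardware-key signing event (root, targets). The sample metadata is constructed and unsigned, and the per-role thresholds, the online/offline role split and the use of the workflow names as labels are assumptions, since the page does not state the real values.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# TUF metadata carries "expires" as an ISO-8601 UTC string (TUF spec format).
EXPIRES_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Assumption: timestamp/snapshot are signed by the online key (online-sign);
# root/targets need a signing event with hardware keys (create-signing-events).
ONLINE_ROLES = {"timestamp", "snapshot"}

# Assumption: how long before expiry a role counts as "about to expire".
# root-signing-staging's actual thresholds are not stated on the page.
DEFAULT_THRESHOLDS = {
    "timestamp": timedelta(days=1),
    "snapshot": timedelta(days=3),
    "targets": timedelta(days=14),
    "root": timedelta(days=30),
}


def make_metadata(role: str, version: int, expires: str) -> str:
    """Constructed, unsigned sample metadata with only the fields the checker reads."""
    signed = {"_type": role, "version": version, "expires": expires}
    return json.dumps({"signed": signed, "signatures": []})


def parse_expires(role: str, metadata_json: str) -> datetime:
    """Return the role's expiry as an aware UTC datetime; refuse a file of another type."""
    signed = json.loads(metadata_json)["signed"]
    if signed.get("_type") != role:
        raise ValueError(f"{role}: metadata _type is {signed.get('_type')!r}")
    return datetime.strptime(signed["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)


def check(metadata: Dict[str, str], now: datetime,
          thresholds: Dict[str, timedelta] = DEFAULT_THRESHOLDS) -> Dict[str, Tuple[str, str]]:
    """Map each role needing attention to (workflow that resigns it, 'expired' | 'expiring').

    Roles whose expiry is beyond their threshold are left out of the result.
    """
    needs: Dict[str, Tuple[str, str]] = {}
    for role, raw in metadata.items():
        remaining = parse_expires(role, raw) - now
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= thresholds[role]:
            status = "expiring"
        else:
            continue
        workflow = "online-sign" if role in ONLINE_ROLES else "signing-event"
        needs[role] = (workflow, status)
    return needs


# Constructed sample: one file per top-level role, evaluated at a fixed "now".
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=70)  # a later run, by which everything has lapsed
SAMPLE_METADATA = {
    "root": make_metadata("root", 5, "2024-03-20T00:00:00Z"),
    "targets": make_metadata("targets", 7, "2024-05-01T00:00:00Z"),
    "snapshot": make_metadata("snapshot", 120, "2024-03-10T00:00:00Z"),
    "timestamp": make_metadata("timestamp", 400, "2024-03-01T12:00:00Z"),
}

if __name__ == "__main__":
    for role, (workflow, status) in sorted(check(SAMPLE_METADATA, NOW).items()):
        print(f"{role}: {status}, needs {workflow}")
```

Run stand-alone it reports timestamp as expiring (online-sign) and root as expiring (signing-event) while snapshot and targets are still comfortably inside their windows; the `_type` check matters because a metadata file renamed to another role would otherwise be evaluated against the wrong threshold.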
Please join us (Jussi, Fredrik) to discuss the new and shiny root-signing-staging and the plans for root-signing future on Wednesday Feb 21 5PM GMT. https://meet.google.com/ert-dihk-dmk
The purpose is to share what we've built and to get a few people to volunteer as root-signing-staging signers:
I'll add some intro links/material here before the event