sigstore / root-signing-staging

Staging TUF repository for Sigstore trust root
https://tuf-repo-cdn.sigstage.dev/
Apache License 2.0

Signing event: sign/targets-v7 #74

Closed sigstore-bot closed 3 months ago

sigstore-bot commented 3 months ago

Processing signing event sign/targets-v7, please wait.

sigstore-bot commented 3 months ago

Current signing event state

Event sign/targets-v7 (commit 6676f60)

:x: targets

Role targets is unsigned and not yet verified. Still missing signatures from @jku, @mnm678, @kommendorkapten, @joshuagl. Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7

jku commented 3 months ago

This is the automated signing event that was started because 2 weeks ago we set

So things seem to be working ok.

Please don't sign yet: I'll make a change here tomorrow that bumps those periods so we don't need to do this every few weeks

sigstore-bot commented 3 months ago

Current signing event state

Event sign/targets-v7 (commit ee8c0fe)

:white_check_mark: targets

Role targets is verified and signed by 1/1 signers (@kommendorkapten). Still missing signatures from @joshuagl, @jku, @mnm678. Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7

Signing event is successful

Threshold of signatures has been reached: this signing event can be reviewed and merged.

sigstore-bot commented 3 months ago

Current signing event state

Event sign/targets-v7 (commit 987e1b1)

:white_check_mark: targets

Role targets is verified and signed by 1/1 signers (@kommendorkapten). Still missing signatures from @jku, @joshuagl, @mnm678. Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7

Signing event is successful

Threshold of signatures has been reached: this signing event can be reviewed and merged.

jku commented 3 months ago

I've not forgotten this: I suggest we keep this on hold until next week.

I'd like to see if we can figure out a solution to https://github.com/theupdateframework/tuf-on-ci/issues/208 during kubecon (and if we could then test it out in this PR after the fix)

Expiry is 2024-04-09 so we have plenty of time.

haydentherapper commented 3 months ago

FYI we have currently configured the probers to alert if we're within 15 days of any TUF metadata expiration - https://github.com/sigstore/sigstore-probers/actions/runs/8419985256/job/23053755063#step:7:435

Do we need to update this for staging? Is a week more appropriate?

jku commented 3 months ago

15 days sounds fine: this short expiry should be exceptional and was only used to verify that the signing event does get created...

We should have this signing event handled this week and then the expiry will be set to a more conventional value.

Let me know if that's still too long (we can get the event done tomorrow if needed)

bobcallaway commented 3 months ago

This is paging on-call right now, so if we should temporarily drop the check to < 7 days to give you time to do this, let me know.

jku commented 3 months ago

> This is paging on-call right now, so if we should temporarily drop the check to < 7 days to give you time to do this, let me know.

Ah I see. That sounds good to me, please drop it to 7 days temporarily

jku commented 3 months ago

Ok, tuf-on-ci signer has been updated so signing flow for non-maintainers should work better now. I will now do the expiry changes in this signing event and will add another comment when I'm done:

I'm going to do those changes now: signers, if you have opinions about the above, let me know -- it's not too late to still change those numbers.

sigstore-bot commented 3 months ago

Current signing event state

Event sign/targets-v7 (commit cc1293d)

:x: root

Role root is not yet verified. It is signed by 1/2 (1/2) signers (@jku). Still missing signatures from @joshuagl, @kommendorkapten, @mnm678. Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7

:white_check_mark: targets

Role targets is verified and signed by 2/1 signers (@jku, @kommendorkapten). Still missing signatures from @mnm678, @joshuagl. Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7

sigstore-bot commented 3 months ago

Current signing event state

Event sign/targets-v7 (commit f0da681)

:x: root

Role root is not yet verified. It is signed by 1/2 (1/2) signers (@jku). Still missing signatures from @mnm678, @kommendorkapten, @joshuagl. Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7

:white_check_mark: targets

Role targets is verified and signed by 1/1 signers (@jku). Still missing signatures from @mnm678, @kommendorkapten, @joshuagl. Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7

jku commented 3 months ago

OK, this is now good to sign if you're happy with the changes:

sigstore-bot commented 3 months ago

Current signing event state

Event sign/targets-v7 (commit 8884b55)

:white_check_mark: root

Role root is verified and signed by 2/2 (2/2) signers (@kommendorkapten, @jku). Still missing signatures from @joshuagl, @mnm678. Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7

:white_check_mark: targets

Role targets is verified and signed by 2/1 signers (@kommendorkapten, @jku). Still missing signatures from @joshuagl, @mnm678. Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7

Signing event is successful

Threshold of signatures has been reached: this signing event can be reviewed and merged.

sigstore-bot commented 3 months ago

Current signing event state

Event sign/targets-v7 (commit ddd28e5)

:white_check_mark: root

Role root is verified and signed by 3/2 (3/2) signers (@jku, @joshuagl, @kommendorkapten). Still missing signatures from @mnm678. Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7

:white_check_mark: targets

Role targets is verified and signed by 2/1 signers (@jku, @kommendorkapten). Still missing signatures from @mnm678, @joshuagl. Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7

Signing event is successful

Threshold of signatures has been reached: this signing event can be reviewed and merged.

jku commented 3 months ago

Interesting, will have to take a look at what happened here:

Still missing signatures from @mnm678, @joshuagl

Joshua's signature looks fine to me -- maybe a bug in the signing event description

mnm678 commented 3 months ago

I opened my PR so we can check if it happens again

sigstore-bot commented 3 months ago

Current signing event state

Event sign/targets-v7 (commit 09d22fa)

:white_check_mark: root

Role root is verified and signed by 4/2 (4/2) signers (@mnm678, @jku, @joshuagl, @kommendorkapten).

:white_check_mark: targets

Role targets is verified and signed by 3/1 signers (@mnm678, @kommendorkapten, @jku). Still missing signatures from @joshuagl. Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7

Signing event is successful

Threshold of signatures has been reached: this signing event can be reviewed and merged.

sigstore-bot commented 3 months ago

Current signing event state

Event sign/targets-v7 (commit 1202e48)

:white_check_mark: root

Role root is verified and signed by 4/2 (4/2) signers (@mnm678, @joshuagl, @kommendorkapten, @jku).

:white_check_mark: targets

Role targets is verified and signed by 4/1 signers (@joshuagl, @kommendorkapten, @jku, @mnm678).

Signing event is successful

Threshold of signatures has been reached: this signing event can be reviewed and merged.

joshuagl commented 3 months ago

> Interesting, will have to take a look at what happened here:
>
> Still missing signatures from @mnm678, @joshuagl
>
> Joshua's signature looks fine to me -- maybe a bug in the signing event description

https://github.com/theupdateframework/tuf-on-ci/issues/236 describes some investigation we performed. The signature was indeed bad. We're unsure how a bad signature was generated (Unfortunately, I didn't retain the signing environment and we could not reproduce).

Re-signing didn't replicate the issue, we got a good signature, which I've verified locally and was merged above.

Jussi has volunteered to add a post-signing verification step to ensure the tool doesn't push garbage signatures in future.
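The post-signing check discussed in this thread, as an added example that is not tuf-on-ci's own code: it counts a signer toward the role threshold only if the signature actually verifies under an authorised key (so a garbage signature shows as still missing, which is what the bot reported above), and it reads the TUF expires field so a prober can alert inside a window such as the 15 days mentioned by haydentherapper. The metadata, key ids, threshold and the corrupted second signature are all constructed for the example; real TUF signs the canonical JSON of the signed object rather than the raw bytes used here.

```go
package main

import ("crypto/ed25519"; "crypto/rand"; "encoding/hex"; "encoding/json"; "sort"; "time")

// Loosely mirrors the TUF wire format: a "signed" object plus detached signatures keyed by keyid.
type Signature struct { KeyID string `json:"keyid"`; Sig string `json:"sig"` }
type SignedMeta struct { Signed json.RawMessage `json:"signed"`; Signatures []Signature `json:"signatures"` }
// RoleKeys is what root.json declares for a role; Status is what the signing-event bot reports.
type RoleKeys struct { Threshold int; Keys map[string]ed25519.PublicKey }
type Status struct { Valid, Missing []string; Met bool }
// VerifyRole counts only signatures that verify under an authorised key, so a corrupted
// ("garbage") signature shows up as still missing rather than as signed.
func VerifyRole(meta SignedMeta, role RoleKeys) Status {
	ok := map[string]bool{}
	for _, s := range meta.Signatures {
		pub, known := role.Keys[s.KeyID]
		raw, err := hex.DecodeString(s.Sig)
		if known && err == nil && ed25519.Verify(pub, meta.Signed, raw) {
			ok[s.KeyID] = true // several signatures from one keyid still count once
		}
	}
	var st Status
	for id := range role.Keys {
		if ok[id] { st.Valid = append(st.Valid, id) } else { st.Missing = append(st.Missing, id) }
	}
	sort.Strings(st.Valid); sort.Strings(st.Missing)
	st.Met = len(st.Valid) >= role.Threshold
	return st
}
// DaysToExpiry reads the TUF "expires" field so a prober can alert inside an N-day window.
func DaysToExpiry(signed []byte, now time.Time) (float64, error) {
	var m struct{ Expires time.Time `json:"expires"` }
	if err := json.Unmarshal(signed, &m); err != nil { return 0, err }
	return m.Expires.Sub(now).Hours() / 24, nil
}
// RunScenario: two authorised signers, threshold 2, second signature deliberately corrupted (constructed data).
func RunScenario() (Status, float64) {
	signed := json.RawMessage(`{"_type":"targets","version":7,"expires":"2024-04-09T00:00:00Z"}`)
	role := RoleKeys{Threshold: 2, Keys: map[string]ed25519.PublicKey{}}
	meta := SignedMeta{Signed: signed}
	for _, id := range []string{"signer-a", "signer-b"} {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		role.Keys[id] = pub
		sig := ed25519.Sign(priv, signed) // real TUF signs the canonical JSON of "signed"
		if id == "signer-b" { sig[0] ^= 0xff } // simulate the bad signature seen in this thread
		meta.Signatures = append(meta.Signatures, Signature{id, hex.EncodeToString(sig)})
	}
	days, _ := DaysToExpiry(signed, time.Date(2024, 3, 25, 0, 0, 0, 0, time.UTC))
	return VerifyRole(meta, role), days
}
```

With the constructed data the status comes back as signed by 1/2 signers with signer-b still missing, and 15 days to expiry, which is exactly the prober's alert threshold.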