Closed sigstore-bot closed 3 months ago
Event sign/targets-v7 (commit 6676f60)
Role targets
is unsigned and not yet verified
Still missing signatures from @jku, @mnm678, @kommendorkapten, @joshuagl
Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7
This is the automated signing event that was started because 2 weeks ago we set
So things seem to be working ok.
Please don't sign yet: I'll make a change here tomorrow that bumps those periods so we don't need to do this every few weeks
Event sign/targets-v7 (commit ee8c0fe)
Role targets
is verified and signed by 1/1 signers (@kommendorkapten).
Still missing signatures from @joshuagl, @jku, @mnm678
Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7
Threshold of signatures has been reached: this signing event can be reviewed and merged.
Event sign/targets-v7 (commit 987e1b1)
Role targets
is verified and signed by 1/1 signers (@kommendorkapten).
Still missing signatures from @jku, @joshuagl, @mnm678
Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7
Threshold of signatures has been reached: this signing event can be reviewed and merged.
I've not forgotten this: I suggest we keep this on hold until next week.
I'd like to see if we can figure out a solution to https://github.com/theupdateframework/tuf-on-ci/issues/208 during kubecon (and if we could then test it out in this PR after the fix)
Expiry is 2024-04-09 so we have plenty of time.
FYI we have currently configured the probers to alert if we're within 15 days of any TUF metadata expiration - https://github.com/sigstore/sigstore-probers/actions/runs/8419985256/job/23053755063#step:7:435
Do we need to update this for staging? Is a week more appropriate?
15 days sounds fine: this short expiry should be exceptional and was only used to verify that the signing event does get created...
We should have this signing event handled this week and then the expiry will be set to a more conventional value.
Let me know if that's still too long (we can get the event done tomorrow if needed)
this is paging on-call right now, so if we should temporarily drop the check to < 7 days to give you time to do this, let me know.
Ah I see. That sounds good to me, please drop it to 7 days temporarily
Ok, tuf-on-ci signer has been updated so signing flow for non-maintainers should work better now. I will now do the expiry changes in this signing event and will add another comment when I'm done:
I'm going to do those changes now: signers if you have opinions about the above, let me know -- it's not too late to still change those numbers.
Event sign/targets-v7 (commit cc1293d)
Role root
is not yet verified. It is signed by 1/2 (1/2) signers (@jku).
Still missing signatures from @joshuagl, @kommendorkapten, @mnm678
Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7
Role targets
is verified and signed by 2/1 signers (@jku, @kommendorkapten).
Still missing signatures from @mnm678, @joshuagl
Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7
Event sign/targets-v7 (commit f0da681)
Role root
is not yet verified. It is signed by 1/2 (1/2) signers (@jku).
Still missing signatures from @mnm678, @kommendorkapten, @joshuagl
Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7
Role targets
is verified and signed by 1/1 signers (@jku).
Still missing signatures from @mnm678, @kommendorkapten, @joshuagl
Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7
OK, this is now good to sign if you're happy with the changes:

- `root` and `targets` to 91 days (with signing period of 35 days): in practice this will mean signing events every two months or so (we can change if it turns out to be too much)

```shell
source ~/.venvs/tuf-on-ci-sign/bin/activate
pip install --upgrade tuf-on-ci-sign
tuf-on-ci-sign sign/targets-v7
```
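The three numbers this thread settles on (91-day expiry, 35-day signing period, 15-day prober alert) only work together if the signing window opens before the alert fires. The following is an added worked check, not code from tuf-on-ci or sigstore-probers, that classifies a role's metadata against those periods; it assumes the standard TUF `signed.expires` ISO 8601 timestamp and uses a constructed targets document expiring 2024-04-09, the date quoted above.

```python
from datetime import datetime, timedelta, timezone

# Policy values from this signing event and the prober discussion (assumed, not read
# from any config): root/targets expire after 91 days, tuf-on-ci opens a signing
# event 35 days before expiry, and sigstore-probers page on-call 15 days before.
EXPIRY_DAYS = 91
SIGNING_PERIOD_DAYS = 35
ALERT_DAYS = 15

# Constructed stand-in for a TUF targets.json; only "expires" matters here.
SAMPLE_TARGETS = {
    "signed": {"_type": "targets", "version": 7, "expires": "2024-04-09T00:00:00Z"},
    "signatures": [],
}


def at(day: str) -> datetime:
    """Build a UTC midnight datetime from 'YYYY-MM-DD' (usage helper)."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_expires(metadata: dict) -> datetime:
    """Read the TUF 'expires' field: ISO 8601 with a trailing 'Z', interpreted as UTC."""
    raw = metadata["signed"]["expires"]
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(metadata: dict, now: datetime,
             signing_period: int = SIGNING_PERIOD_DAYS, alert_days: int = ALERT_DAYS) -> str:
    """Return 'ok', 'signing-due', 'alert' or 'expired' (most severe state wins)."""
    remaining = parse_expires(metadata) - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= timedelta(days=alert_days):
        return "alert"          # the probers would page on-call here
    if remaining <= timedelta(days=signing_period):
        return "signing-due"    # tuf-on-ci should already have opened a signing event
    return "ok"


def policy_is_consistent(expiry_days: int, signing_period: int, alert_days: int) -> bool:
    """Signing must start before the alert fires, and both windows must fit in the expiry."""
    return 0 < alert_days < signing_period < expiry_days


if __name__ == "__main__":
    for day in ("2024-03-01", "2024-03-10", "2024-03-25", "2024-04-10"):
        print(day, classify(SAMPLE_TARGETS, at(day)))
    print("policy consistent:", policy_is_consistent(EXPIRY_DAYS, SIGNING_PERIOD_DAYS, ALERT_DAYS))
```

With the short expiry used earlier in this thread the alert and the signing event landed at almost the same time, which is exactly the case `policy_is_consistent` rejects.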
Event sign/targets-v7 (commit 8884b55)
Role root
is verified and signed by 2/2 (2/2) signers (@kommendorkapten, @jku).
Still missing signatures from @joshuagl, @mnm678
Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7
Role targets
is verified and signed by 2/1 signers (@kommendorkapten, @jku).
Still missing signatures from @joshuagl, @mnm678
Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7
Threshold of signatures has been reached: this signing event can be reviewed and merged.
Event sign/targets-v7 (commit ddd28e5)
Role root
is verified and signed by 3/2 (3/2) signers (@jku, @joshuagl, @kommendorkapten).
Still missing signatures from @mnm678
Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7
Role targets
is verified and signed by 2/1 signers (@jku, @kommendorkapten).
Still missing signatures from @mnm678, @joshuagl
Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7
Threshold of signatures has been reached: this signing event can be reviewed and merged.
interesting, will have to take a look what happened here:

> Still missing signatures from @mnm678, @joshuagl

joshua's signature looks fine to me -- maybe a bug in the signing event description
I opened my PR so we can check if it happens again
Event sign/targets-v7 (commit 09d22fa)
Role root
is verified and signed by 4/2 (4/2) signers (@mnm678, @jku, @joshuagl, @kommendorkapten).
Role targets
is verified and signed by 3/1 signers (@mnm678, @kommendorkapten, @jku).
Still missing signatures from @joshuagl
Signers can sign these changes by running tuf-on-ci-sign sign/targets-v7
Threshold of signatures has been reached: this signing event can be reviewed and merged.
Event sign/targets-v7 (commit 1202e48)
Role root
is verified and signed by 4/2 (4/2) signers (@mnm678, @joshuagl, @kommendorkapten, @jku).
Role targets
is verified and signed by 4/1 signers (@joshuagl, @kommendorkapten, @jku, @mnm678).
Threshold of signatures has been reached: this signing event can be reviewed and merged.
> interesting, will have to take a look what happened here:
>
> > Still missing signatures from @mnm678, @joshuagl
>
> joshua's signature looks fine to me -- maybe a bug in the signing event description
https://github.com/theupdateframework/tuf-on-ci/issues/236 describes some investigation we performed. The signature was indeed bad. We're unsure how a bad signature was generated (Unfortunately, I didn't retain the signing environment and we could not reproduce).
Re-signing didn't replicate the issue, we got a good signature, which I've verified locally and was merged above.
Jussi has volunteered to add a post-signing verification step to ensure the tool doesn't push garbage signatures in future.
Processing signing event sign/targets-v7, please wait.