Skip to content

jku/root-signing

 
 

Repository files navigation

This directory contains the programs needed to generate and verify Sigstore root keys and create signed TUF metadata.

TUF Repository Structure

The current published repository metadata lives in the repository subfolder of this GitHub repository. In this repository, you will find the top-level TUF metadata files, delegations, and target files.

  • root.json: This is the current root.json. It is signed by at least 3 out of the 5 current root keyholders. The top-level signing keys endorsed by the root are:
Role TUF Key ID(s) Description
Root See below The offline keyholders.
Targets See below The offline keyholders, the same as the root keyholders to minimize the number of offline keysets.
Snapshot fc61191ba8a516fe386c7d6c97d918e1d241e1589729add09b122725b8c32451 A GCP KMS snapshotting key located at projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/snapshot
Timestamp b6710623a30c010738e64c5209d367df1c0a18cf90e6ab5292fb01680f83453d A GCP KMS timestamping key located at projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp
  • targets.json: This is the list of trusted targets.json endorsed by the offline keyholders. It includes:
Target Description
fulcio_v1.crt.pem This is the Fulcio root certificate used to issue short-lived code signing certs. It is hosted at https://fulcio.sigstore.dev. You can curl the running root CA chain to ensure the first PEM-encoded certificate matches the TUF root using curl -v https://fulcio.sigstore.dev/api/v1/rootCert
fulcio_intermediate_v1.crt.pem This is the Fulcio intermediate certificate used to issue short-lived code signing certs. It is hosted at https://fulcio.sigstore.dev. You can curl the running CA chain to ensure the second PEM-encoded certificate matches the TUF root using curl -v https://fulcio.sigstore.dev/api/v1/rootCert
fulcio.crt.pem This is the Fulcio root certificate used with an older instance of Fulcio. We maintain this target to verify old certificates but is no longer used to sign newly issued certificates.
rekor.pub This is the Rekor public key used to sign entries and the tree head of the transparency log. You can retrieve the public key to ensure it matches with curl -H 'Content-Type: application/x-pem-file' https://rekor.sigstore.dev/api/v1/log/publicKey.
rekor.0.pub This is a dupe of rekor.pub and will be removed in the next root-signing event.
ctfe.pub Certificate Transparency log key for the first log shard (ctfe.sigstore.dev/test), that is used for certificates issued by Fulcio and used to verify signed certificate timestamps (SCTs) for inclusion into the log.
ctfe_2022.pub Certificate Transparency log key for the 2022 log shard (ctfe.sigstore.dev/2022), that is used for certificates issued by Fulcio and used to verify signed certificate timestamps (SCTs) for inclusion into the log.
artifact.pub Key that signs Sigstore project (Cosign, Rekor, Fulcio) releases.
  • snapshot.json: The snapshot ensures consistency of the metadata files. It has a lifetime of 3 weeks and is re-signed by a GitHub workflow.
  • timestamp.json: The timestamp indicates the freshness of the metadata files. It has a lifetime of 1 week and is re-signed by two GitHub workflows 1, 2.

Staging

There is a separate root-signing-staging repository: any non-trivial changes should be tested in root-signing-staging before introducing them in root-signing.

Root locations

The current root is published on a GCS bucket located at https://storage.googleapis.com/sigstore-tuf-root, and is addressable via CDN at https://tuf-repo-cdn.sigstore.dev.

The pre-production root is published on a GCS bucket located at https://storage.googleapis.com/sigstore-preprod-tuf-root, and is addressable via CDN at https://tuf-preprod-repo-cdn.sigstore.dev.

Sigstore Root Keyholders

Current Keyholders

Keyholder TUF Key ID Yubikey Material Term
Joshua Lock fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f (v9+) 2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de (v5-8) 75e867ab10e121fdef32094af634707f43ddd79c6bab8ad6c5ab9f03f4ea8c90 (deprecated) 18158855 July 2022 -
Bob Callaway e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523 (v9+) 7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b (v5-8) f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209 (deprecated) 15938791 June 2021 -
Dan Lorenc 3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e (v9+) ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c (v5-8) 2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97 (deprecated) 13078778 June 2021 -
Marina Moore ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e (v9+) 25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99 (v5-8) eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b (deprecated) 14470876 June 2021 -
Santiago Torres-Arias 1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849 (v9+) f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f (v5-8) f40f32044071a9365505da3d1e3be6561f6f22d0e60cf51df783999f6c3429cb (deprecated) 15938765 June 2021 -

Emeritus Keyholders

Keyholder TUF Key ID Yubikey Material Term
Luke Hinds bdde902f5ec668179ff5ca0dabf7657109287d690bf97e230c21d65f99155c62 14454335 June 2021 - July 2022

Ceremony Overview

Ceremonies are currently staged in ceremony/YYYY-MM-DD according to the date the ceremony was initiated. Ceremonies that resulted in invalid metadata (for whatever reason) and are incomplete are moved into the ceremony/defunct directory.

At the end of the ceremony, new repository metadata will be written to a ceremony/YYYY-MM-DD/repository directory.

The ceremony will be completed in five rounds:

image

  • Round 1: Add Key
  • Round 1.5: Initialize TUF metadata
  • Round 2: Sign Root & Targets
  • Round 3: Sign Snapshot & Timestamp
  • Round 4: Publish final repository.

Ceremony Instructions

Before starting the root key ceremony, the community should:

  • Designate the 5 root keyholders
  • Elect one participant (not necessarily a keyholder) as the conductor
  • Identify the targets to sign and update the targets/ directory (these may include Fulcio's CA certificate, the rekor transparency log key, the CTFE key, and SigStore's artifact signing key)
  • Identify the online keys for snapshot and timestamp roles. The key references should be updated in scripts/step-1.5.sh.

If you are a keyholder follow instructions on the landing page KEYHOLDER.md.

If you are an orchestrator, follow instructions on ORCHESTRATION.md.

If you are a verifier, follow instructions at VERIFIER.md.

Acknowledgements

Special thanks to Dan Lorenc, Trishank Kuppusamy, Marina Moore, Santiago Torres-Arias, and the whole SigStore community!

Initial Root Signing Ceremony

A recording of the signing ceremony is available here.

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Go 88.2%
  • Shell 9.9%
  • Python 1.1%
  • Makefile 0.8%