From f9b651b8eb61dfd94a98407853c5a97ab2d01651 Mon Sep 17 00:00:00 2001 
From: Fredrik Skogman Date: Fri, 30 Aug 2024 18:38:46 +0200 Subject: [PATCH] Revert "Signing event: sign/migration" --- .github/workflows/{lint.yml => ci-test.yml} | 54 +++- .github/workflows/cosign-test.yml | 48 ++++ .github/workflows/create-signing-events.yml | 5 +- .github/workflows/delegation-pop-verify.yml | 54 ++++ .github/workflows/initialize.yml | 161 ++++++++++++ .github/workflows/online-sign.yml | 11 +- .github/workflows/release.yml | 86 +++++++ .../reuseable-snapshot-timestamp.yml | 234 ++++++++++++++++++ .../workflows/review-snapshot-timestamp.yml | 39 +++ .github/workflows/scripts/dpop-wrapper.sh | 28 +++ .github/workflows/scripts/e2e-utils.sh | 38 +++ .../workflows/scripts/review-pull-request.sh | 70 ++++++ .../workflows/stable-snapshot-timestamp.yml | 105 ++++++++ .github/workflows/stable-timestamp.yml | 99 ++++++++ .../workflows/staging-snapshot-timestamp.yml | 44 ++++ .github/workflows/sync-ceremony-to-main.yml | 74 ++++++ .../sync-main-to-preprod-and-prod.yml | 144 +++++++++++ .github/workflows/sync-main-to-preprod.yml | 109 ++++++++ .github/workflows/sync-preprod-to-prod.yml | 79 ++++++ .github/workflows/test-gcs.yml | 5 +- .github/workflows/test.yml | 5 +- .github/workflows/tuf_client_tests.yml | 100 ++++++++ .github/workflows/validate.yml | 62 +++++ metadata/registry.npmjs.org.json | 14 +- metadata/root.json | 123 +++++---- metadata/root_history/10.root.json | 165 ------------ metadata/targets.json | 39 +-- 27 files changed, 1731 insertions(+), 264 deletions(-) rename .github/workflows/{lint.yml => ci-test.yml} (50%) create mode 100644 .github/workflows/cosign-test.yml create mode 100644 .github/workflows/delegation-pop-verify.yml create mode 100644 .github/workflows/initialize.yml create mode 100644 .github/workflows/release.yml create mode 100644 .github/workflows/reuseable-snapshot-timestamp.yml create mode 100644 .github/workflows/review-snapshot-timestamp.yml create mode 100755 .github/workflows/scripts/dpop-wrapper.sh create mode 100644 
.github/workflows/scripts/e2e-utils.sh create mode 100755 .github/workflows/scripts/review-pull-request.sh create mode 100644 .github/workflows/stable-snapshot-timestamp.yml create mode 100644 .github/workflows/stable-timestamp.yml create mode 100644 .github/workflows/staging-snapshot-timestamp.yml create mode 100644 .github/workflows/sync-ceremony-to-main.yml create mode 100644 .github/workflows/sync-main-to-preprod-and-prod.yml create mode 100644 .github/workflows/sync-main-to-preprod.yml create mode 100644 .github/workflows/sync-preprod-to-prod.yml create mode 100644 .github/workflows/tuf_client_tests.yml create mode 100644 .github/workflows/validate.yml delete mode 100644 metadata/root_history/10.root.json diff --git a/.github/workflows/lint.yml b/.github/workflows/ci-test.yml similarity index 50% rename from .github/workflows/lint.yml rename to .github/workflows/ci-test.yml index ef563fbd..46e5e7eb 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/ci-test.yml @@ -13,13 +13,31 @@ # See the License for the specific language governing permissions and # limitations under the License. -name: Lint +name: CI Test on: push: + paths-ignore: + - 'ceremony/**' pull_request: + paths-ignore: + - 'ceremony/**' jobs: + golangci: + name: lint + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: './go.mod' + check-latest: true + - name: golangci-lint + uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 + with: + version: v1.59 + yamllint: runs-on: ubuntu-latest steps: 
@@ -47,6 +65,40 @@ jobs: with: actionlint_flags: -color -shellcheck= + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: './go.mod' + check-latest: true + - name: install deps + run: | + sudo apt-get install libpcsclite-dev + - name: Test + run: go test -tags=pivkey -v ./... + - name: Ensure no files were modified as a result of the build + run: git update-index --refresh && git diff-index --quiet HEAD -- || git diff --exit-code + + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: './go.mod' + check-latest: true + - name: install deps + run: | + sudo apt-get install libpcsclite-dev + - name: build verification + run: go build -o verify ./cmd/verify/ + - name: build TUF script + run: go build -o tuf -tags=pivkey ./cmd/tuf + - name: build test script + run: go build -o keygen -tags=pivkey ./tests/keygen + shellcheck: name: Shellcheck runs-on: ubuntu-latest diff --git a/.github/workflows/cosign-test.yml b/.github/workflows/cosign-test.yml new file mode 100644 index 00000000..fe792b58 --- /dev/null +++ b/.github/workflows/cosign-test.yml 
@@ -0,0 +1,48 @@ +# +# Copyright 2022 The Sigstore Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Cosign tests + +on: + workflow_dispatch: + push: + paths: + - 'repository/**' + pull_request: + +jobs: + validate: + env: + COSIGN_EXPERIMENTAL: "true" + runs-on: ubuntu-latest + steps: + # Install cosign + - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 + + # Set up a repository server with python + - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + with: + python-version: '3.x' + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 2 + - run: | + cd repository/repository/ + python -m http.server 8001 & + echo "REPO=http://localhost:8001" >> $GITHUB_ENV + + # Test cosign initialize + - name: cosign initialize on published repository + run: cosign initialize --mirror http://localhost:8001 diff --git a/.github/workflows/create-signing-events.yml b/.github/workflows/create-signing-events.yml index 95c8c097..6dfce059 100644 --- a/.github/workflows/create-signing-events.yml +++ b/.github/workflows/create-signing-events.yml @@ -1,8 +1,9 @@ name: TUF-on-CI create Signing events on: - schedule: - - cron: '17 1,7,13,19 * * *' + # disabled during migration + #schedule: + # - cron: '17 1,7,13,19 * * *' workflow_dispatch: permissions: {} 
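Review bot: The `cosign initialize` step depends on the `python -m http.server 8001 &` started in the previous step, but nothing waits for that server to accept connections, so a slow runner can surface as a spurious connection-refused failure; a short readiness loop after the `&` (`for i in $(seq 1 10); do curl -sf http://localhost:8001/ >/dev/null && break; sleep 1; done`) removes that. `echo "REPO=http://localhost:8001" >> $GITHUB_ENV` should quote `"$GITHUB_ENV"` as the other workflows in this patch do. It would also help to state in the step comment which root `cosign initialize` trusts here — as far as I recall it falls back to cosign's embedded root when only `--mirror` is given, which is what makes this a check that the checked-in repository chains from the shipped root rather than a self-referential test; confirm that before writing it down.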
diff --git a/.github/workflows/delegation-pop-verify.yml b/.github/workflows/delegation-pop-verify.yml
new file mode 100644
index 00000000..50a43bb4
--- /dev/null
+++ b/.github/workflows/delegation-pop-verify.yml
@@ -0,0 +1,54 @@
+#
+# Copyright 2023 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Verify POP for a delegation
+
+on:
+ pull_request:
+ branches:
+ - 'ceremony/**'
+ - 'test-ceremony/**'
+ - 'test-delegation/**'
+
+jobs:
+ verify:
+ if: ${{ startsWith(github.event.pull_request.title, 'feat/add-delegation for ') }}
+ runs-on: ubuntu-latest
+ permissions:
+ contents: 'write'
+ pull-requests: 'read'
+ env:
+ GITHUB_TOKEN: ${{ secrets.SIGSTORE_REVIEW_BOT_FINE_GRAINED_PAT }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ fetch-depth: 0
+
+ - name: Setup go
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ with:
+ go-version-file: './go.mod'
+ check-latest: true
+
+ - name: Install deps
+ run: sudo apt-get install libpcsclite-dev
+
+ - name: build
+ run: make tuf
+
+ - name: Verify POP
+ run: .github/workflows/scripts/dpop-wrapper.sh "${{ github.event.pull_request.title }}"
diff --git a/.github/workflows/initialize.yml b/.github/workflows/initialize.yml
new file mode 100644
index 00000000..2280d1a6
--- /dev/null
+++ b/.github/workflows/initialize.yml
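Review bot: The `Verify POP` step expands `${{ github.event.pull_request.title }}` directly into the `run:` command line, so the title is parsed by the shell in a job that holds `SIGSTORE_REVIEW_BOT_FINE_GRAINED_PAT` and `contents: 'write'`; the `startsWith` condition on `if:` only fixes the prefix of the title, not the remainder. Pass it through the environment instead: `env:` / `  PR_TITLE: ${{ github.event.pull_request.title }}` / `run: .github/workflows/scripts/dpop-wrapper.sh "$PR_TITLE"`. The same pattern — a context or input expression expanded inside `run:` — recurs in initialize.yml (`./scripts/step-1.5.sh ${{ inputs.revoke_key }}` and the `gh pr create` line) and in reuseable-snapshot-timestamp.yml (`git add ${{ inputs.repo }}` and its two `gh pr create` lines); those inputs come from dispatchers and caller workflows rather than PR authors, but routing them through `env:` keeps the expansion out of the shell parser as well.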
@@ -0,0 +1,161 @@ +# +# Copyright 2022 The Sigstore Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Stage a new root and targets on a new branch + +permissions: read-all + +# Execute this ONLY as workflow dispatch. +on: + workflow_dispatch: + inputs: + branch: + description: 'The branch to stage changes against, generally ceremony/YYYY-MM-DD' + required: true + type: string + revoke_key: + description: 'If provided, revokes the given HSM key, identified by the serial number' + required: false + type: string + repo: + description: 'The repository in which to stage a new root and targets' + required: false + default: repository + type: string + draft: + description: 'Use for testing; creates a draft pull request' + required: false + default: false + type: boolean + +jobs: + check_branch: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 0 + - name: Check if remote branch exists + env: + BRANCH: ${{ inputs.branch }} + run: | + branch_exists=$(git ls-remote --heads origin ${BRANCH}) + + if [[ -z ${branch_exists} ]]; then + echo "Staging root branch ${BRANCH} does not exist: has a maintainer created one?" 
+ exit 1 + fi + + init_root: + runs-on: ubuntu-latest + needs: check_branch + permissions: + id-token: 'write' + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 0 + # TODO(https://github.com/sigstore/root-signing/issues/98): Use a common configuration checked into source control + - name: setup environment + run: | + echo "GITHUB_USER=${{ github.actor }}" >> $GITHUB_ENV + echo "SNAPSHOT_KEY=gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/snapshot" >> $GITHUB_ENV + echo "TIMESTAMP_KEY=gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp" >> $GITHUB_ENV + echo "REPO=${{ inputs.repo }}" >> $GITHUB_ENV + echo "BRANCH=${{ inputs.branch }}" >> $GITHUB_ENV + # Note: we set LOCAL=1 because we manually push the changes in the next job. + echo "LOCAL=1" >> $GITHUB_ENV + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: './go.mod' + check-latest: true + # Setup OIDC->SA auth for signing with KMS + - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + id: auth + with: + token_format: 'access_token' + workload_identity_provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' + service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com' + create_credentials_file: true + - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 + with: + project_id: sigstore-root-signing + - name: Login + run: | + gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" + gcloud auth list + + # Initialize the new root and targets layout + - name: step 0 + # Note that we are already in a git repository and are manually pushing changes with the job below + # so we can simply build the TUF binary and bypass git setup in step 0. 
+ run: | + sudo apt-get install libpcsclite-dev + go build -o tuf -tags=pivkey ./cmd/tuf + - name: step 1.5 + run: | + ./scripts/step-1.5.sh ${{ inputs.revoke_key }} + - name: Upload new repository + uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + with: + name: ${{ inputs.repo }} + path: ${{ inputs.repo }} + retention-days: 5 + + push: + needs: init_root + runs-on: ubuntu-latest + permissions: + pull-requests: 'write' + contents: 'write' + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ inputs.branch }} + fetch-depth: 0 + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: ${{ inputs.repo }} + path: ${{ inputs.repo }} + # Detect new version and expiration to add to the PR description. + - name: Detect new version + env: + REPO: ${{ inputs.repo }} + run: | + # Detects the new root version. + VERSION=$(cat ${REPO}/staged/root.json | jq -r '.signed.version') + echo "VERSION=$VERSION" >> $GITHUB_ENV + + # Create commits + - name: Create commits + env: + REPO: ${{ inputs.repo }} + run: | + # Set identity. + git config --global user.email "noreply@github.com" + git config --global user.name "GitHub" + + git checkout -b init-root-targets + # Commit the REPO changes + git add ${REPO} + git commit -s -m "Add staged repository metadata" + git push origin HEAD + + # Open pull request changes. Use the fine-grained PAT in order to trigger presubmits. + - name: create pull request + env: + DRAFT: ${{ inputs.draft && '-d' || '' }} + run: + GH_TOKEN=${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} gh pr create -B ${{ inputs.branch }} -H init-root-targets -t "Update Root and Targets to version ${{ env.VERSION }}" -b "Initializes a new root and targets to version ${{ env.VERSION }}" ${DRAFT} -r bobcallaway -r haydentherapper -r kommendorkapten 
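Review bot: `git checkout -b init-root-targets` followed by `git push origin HEAD` in the `Create commits` step will, as far as I can see, fail whenever a branch of that name is still on the remote from an earlier run, and the `push` job has no cleanup step for that case, so a re-dispatch after a failed or abandoned ceremony run first needs a manual branch deletion. Either remove the stale branch before pushing (`git push origin --delete init-root-targets || true`) or derive the name from the staged version, e.g. `init-root-targets-v${VERSION}`, since `VERSION` is already exported to `$GITHUB_ENV` by the `Detect new version` step. The `push` job of reuseable-snapshot-timestamp.yml has the same fixed branch name, `update-snapshot-timestamp`; note that review-pull-request.sh searches for exactly that head name, so a rename there has to be made in both places.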
diff --git a/.github/workflows/online-sign.yml b/.github/workflows/online-sign.yml index eed0c1bd..92d1c1f2 100644 --- a/.github/workflows/online-sign.yml +++ b/.github/workflows/online-sign.yml @@ -3,11 +3,12 @@ name: TUF-on-CI online signing permissions: {} on: - schedule: - - cron: '17 1,7,13,19 * * *' - push: - branches: [main] - paths: ['metadata/**', '!metadata/timestamp.json', '!metadata/snapshot.json'] + # disabled during migration + #schedule: + # - cron: '17 1,7,13,19 * * *' + #push: + # branches: [ main ] + # paths: ['metadata/**', '!metadata/timestamp.json', '!metadata/snapshot.json'] workflow_dispatch: jobs: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 00000000..834d1b17 --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,86 @@ +# +# Copyright 2023 The Sigstore Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: cut-release + +on: + push: + tags: + - "v*" + +# Note: read permissions are set globally. +jobs: + release: + runs-on: ubuntu-latest + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. + outputs: + hashes: ${{ steps.hash.outputs.hashes }} + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: './go.mod' + check-latest: true + + - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 + - uses: anchore/sbom-action/download-syft@ab9d16d4b419c9d1a02df5213fa0ebe965ca5a57 # v0.17.1 + - uses: imjasonh/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7 + + - name: Set LDFLAGS + id: ldflags + run: | + source ./release/ldflags.sh + goflags=$(ldflags) + echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV" + + - name: Run GoReleaser + id: run-goreleaser + uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 + with: + version: latest + args: release --clean + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + LDFLAGS: ${{ env.GO_FLAGS }} + + - name: Generate subject + id: hash + env: + ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" + run: | + set -euo pipefail + 
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') + echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" + + - name: Set tag output + id: tag + run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT" + + provenance: + needs: [release] + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + with: + base64-subjects: "${{ needs.release.outputs.hashes }}" + upload-assets: true # upload to a new release + upload-tag-name: "${{ needs.release.outputs.tag_name }}" # Upload to tag rather than generate a new release + draft-release: true diff --git a/.github/workflows/reuseable-snapshot-timestamp.yml b/.github/workflows/reuseable-snapshot-timestamp.yml new file mode 100644 index 00000000..c0a9f1e3 --- /dev/null +++ b/.github/workflows/reuseable-snapshot-timestamp.yml 
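Review bot: `upload-tag-name: "${{ needs.release.outputs.tag_name }}"` in the `provenance` job reads an output the `release` job never declares — its `outputs:` block lists only `hashes` — so the generator receives an empty tag name and the value computed by the `Set tag output` step is discarded; add `tag_name: ${{ steps.tag.outputs.tag_name }}` under `outputs:`. Separately, `echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV"` leaves `${goflags}` outside the quotes, so the flags are word-split and glob-expanded before being written; `echo "GO_FLAGS=${goflags}" >> "$GITHUB_ENV"` preserves them verbatim. `cat $checksum_file` in the `Generate subject` step is the same unquoted expansion and should read `cat "$checksum_file"`.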
@@ -0,0 +1,234 @@ +# +# Copyright 2021 The Sigstore Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Snapshot and Timestamp Template + +# Reusable workflow that runs snapshot and timestamp on directories. +# TODO(asraa): Create user workflows for repository-beta/, and ceremony/ flows. +on: + workflow_call: + secrets: + token: + description: > + Optional token. + This argument is passed, unchanged, to the job that creates the pull request. + required: false + inputs: + snapshot_key: + description: 'Sets the snapshotting key reference' + required: false + type: string + timestamp_key: + description: 'Sets the timestamping key reference' + required: true + type: string + branch: + description: 'The branch where the staged repository is, e.g. ceremony/2022-10-18' + required: true + type: string + repo: + description: 'Sets the repository to perform the operation on: expects relative path to GitHub repository, for example: repository' + required: false + default: repository + type: string + provider: + description: 'Sets the workflow identity provider' + required: true + type: string + service_account: + description: 'Sets the GitHub service account authorized for keys' + required: true + type: string + snapshot_timestamp: + description: 'Enables snapshot/timestamp step. During ceremonies, you may flip this to false to allow for just a publish step.' 
+ required: false + default: true + type: boolean + disable_snapshot: + description: 'Disables snapshot and only generates timestamp.' + required: false + default: false + type: boolean + publish: + description: 'Enables publishing step. During ceremonies, you may flip this to false to allow for reviewing changes before publishing.' + required: false + default: true + type: boolean + +jobs: + snapshot_and_timestamp: + runs-on: ubuntu-latest + permissions: + id-token: 'write' + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 0 + ref: ${{ inputs.branch }} + - name: setup + run: | + echo "GITHUB_USER=${{ github.actor }}" >> $GITHUB_ENV + echo "REPO=$(pwd)/${{ inputs.repo }}" >> $GITHUB_ENV + echo "SNAPSHOT_KEY=${{ inputs.snapshot_key }}" >> $GITHUB_ENV + echo "TIMESTAMP_KEY=${{ inputs.timestamp_key }}" >> $GITHUB_ENV + echo "BRANCH=${{ inputs.branch }}" >> $GITHUB_ENV + # Note: we set LOCAL=1 because we manually push the changes in the next job. 
+ echo "LOCAL=1" >> $GITHUB_ENV + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: './go.mod' + check-latest: true + # Setup OIDC->SA auth + - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + id: auth + with: + token_format: 'access_token' + workload_identity_provider: ${{ inputs.provider }} + service_account: ${{ inputs.service_account }} + create_credentials_file: true + - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 + with: + # Note: This needs to be parameterized if the KMS keys are in a different project + project_id: sigstore-root-signing + - name: Login + run: | + gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" + gcloud auth list + + # Build binary + - name: build + run: | + sudo apt-get install libpcsclite-dev + go build -o tuf -tags=pivkey ./cmd/tuf/ + + - name: setup timestamping + if: ${{ inputs.disable_snapshot }} + run: | + echo "DISABLE_SNAPSHOT=1" >> $GITHUB_ENV + + # Snapshot and timestamp + - name: snapshot and timestamp + if: ${{ inputs.snapshot_timestamp }} + run: | + ./scripts/step-3.sh + + # Publish + - name: publish + if: ${{ inputs.publish }} + run: | + ./scripts/step-4.sh + + - name: get patch + run: | + # Setting git config is only needed to create the patch to download in the next step. + git config user.name "GitHub Actions Bot" + git config user.email "<>" + # Commit and create patch + git add . 
+ git commit -m "snapshot and timestamp" + git format-patch HEAD^ -o snapshot-timestamp + + - name: Upload snapshot and timestamp + uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + with: + name: snapshot-timestamp + path: snapshot-timestamp + retention-days: 5 + + if-failed: + runs-on: ubuntu-latest + needs: [snapshot_and_timestamp] + permissions: + issues: 'write' + actions: 'read' + if: always() && needs.snapshot_and_timestamp.result == 'failure' + steps: + - name: Open issue or add comment on failure + uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main + with: + comment_for_each_failure: true + + if-pass: + runs-on: ubuntu-latest + needs: [snapshot_and_timestamp] + permissions: + issues: 'write' + actions: 'read' + if: always() && needs.snapshot_and_timestamp.result == 'success' + steps: + - name: Close issue if one is open + uses: sigstore/sigstore-probers/.github/actions/close-workflow-issue@main + + push: + needs: snapshot_and_timestamp + runs-on: ubuntu-latest + permissions: + pull-requests: 'write' + contents: 'write' + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 0 + ref: ${{ inputs.branch }} + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: snapshot-timestamp + path: snapshot-timestamp + - run: | + git checkout -b update-snapshot-timestamp + git apply --verbose snapshot-timestamp/* + rm -r snapshot-timestamp + git add ${{ inputs.repo }} + git config --global user.email "noreply@github.com" + git config --global user.name "GitHub" + + # Open pull request changes + - name: create pull request for no snapshot + if: ${{ inputs.disable_snapshot }} + run: | + git commit -s -m "Update timestamp" + git push origin update-snapshot-timestamp + GH_TOKEN=${{ secrets.token || secrets.GITHUB_TOKEN }} gh pr create -B ${{ inputs.branch }} -H update-snapshot-timestamp -t "Update Timestamp" -b "Sign 
timestamp file" -r bobcallaway -r haydentherapper -r kommendorkapten + + - name: create pull request for timestamp/snapshot + if: ${{ !inputs.disable_snapshot }} + run: | + git commit -s -m "Update snapshot and timestamp" + git push origin update-snapshot-timestamp + GH_TOKEN=${{ secrets.token || secrets.GITHUB_TOKEN }} gh pr create -B ${{ inputs.branch }} -H update-snapshot-timestamp -t "Update Snapshot and Timestamp" -b "Sign snapshot and timestamp files" -r bobcallaway -r haydentherapper -r kommendorkapten + + if-push-failed: + runs-on: ubuntu-latest + needs: [push] + permissions: + issues: 'write' + actions: 'read' + if: always() && needs.push.result == 'failure' + steps: + - name: Open issue or add comment on failure + uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main + with: + comment_for_each_failure: true + + if-push-pass: + runs-on: ubuntu-latest + needs: [push] + permissions: + issues: 'write' + actions: 'read' + if: always() && needs.push.result == 'success' + steps: + - name: Close issue if one is open + uses: sigstore/sigstore-probers/.github/actions/close-workflow-issue@main diff --git a/.github/workflows/review-snapshot-timestamp.yml b/.github/workflows/review-snapshot-timestamp.yml new file mode 100644 index 00000000..f5491882 --- /dev/null +++ b/.github/workflows/review-snapshot-timestamp.yml 
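Review bot: The four `sigstore/sigstore-probers/.github/actions/open-workflow-issue@main` and `close-workflow-issue@main` references in `if-failed`, `if-pass`, `if-push-failed` and `if-push-pass` are the only `uses:` lines in this file not pinned to a commit SHA, and they run with `issues: 'write'`; a mutable `@main` reference means the code executed here changes whenever that repository's default branch does. Pin them to a full commit SHA with a version comment like the rest of the file, e.g. `uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@<commit-sha> # <version>`. The same-org origin lowers the supply-chain exposure but does not remove it, and the inconsistency makes the file's pinning discipline harder to audit.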
@@ -0,0 +1,39 @@
+#
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Review Snapshot and Timestamp
+
+permissions: read-all
+
+on:
+ # Enable cron for checking if a snapshot/timestamp PR needs review
+ # every 2 hours and attempts to merge.
+ schedule:
+ - cron: '30 */2 * * *' # every 2 hours
+ workflow_dispatch:
+
+jobs:
+ review:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: 'write'
+ contents: 'write'
+ env:
+ GITHUB_TOKEN: ${{ secrets.SIGSTORE_REVIEW_BOT_FINE_GRAINED_PAT }}
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - run: |
+ set -euo pipefail
+ ./.github/workflows/scripts/review-pull-request.sh
diff --git a/.github/workflows/scripts/dpop-wrapper.sh b/.github/workflows/scripts/dpop-wrapper.sh
new file mode 100755
index 00000000..bbd18492
--- /dev/null
+++ b/.github/workflows/scripts/dpop-wrapper.sh
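Review bot: The `review` job raises the default `GITHUB_TOKEN` to `pull-requests: 'write'` and `contents: 'write'`, but nothing in the job uses that token for writes: the `env:` block sets `GITHUB_TOKEN` to `SIGSTORE_REVIEW_BOT_FINE_GRAINED_PAT`, and every `curl`/`gh api` call in review-pull-request.sh authenticates with that variable. Only `actions/checkout` needs the default token, so the job block can drop to `permissions:` / `  contents: 'read'`, keeping the write capability confined to the PAT whose scope was chosen for this purpose. A one-line comment next to `env:` saying that the script deliberately uses the PAT rather than the workflow token would stop a later reader from widening the permissions again.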
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+#
+# Copyright 2023 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -euo pipefail
+
+#
+# This is just a thin wrapper that takes on the input from a pull request
+# and parses out the name of the delegation and the signature.
+# It then calls the real script which will invoke the actual verification.
+#
+TITLE=$1
+
+DELEGATION=$(echo "${TITLE}" | sed -E 's/(.+) for (.+)/\2/')
+OUTPUT=$(mktemp)
+./scripts/dpop-verify.sh "${DELEGATION}" 2>&1 | tee "${OUTPUT}"
diff --git a/.github/workflows/scripts/e2e-utils.sh b/.github/workflows/scripts/e2e-utils.sh
new file mode 100644
index 00000000..07ba66be
--- /dev/null
+++ b/.github/workflows/scripts/e2e-utils.sh
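Review bot: `OUTPUT=$(mktemp)` creates a temp file that is written through `tee` on the last line but never read or removed, so every run leaves a stray file behind; either drop the capture and let the verifier write straight to the job log (`./scripts/dpop-verify.sh "${DELEGATION}"`), or add `trap 'rm -f "${OUTPUT}"' EXIT` after the `mktemp` if the output is intended for a later step. The header comment says the wrapper parses out "the name of the delegation and the signature", but only `DELEGATION` is extracted, so I would reword that line to `# and parses out the name of the delegation from the title.` It is `set -o pipefail` that lets the verifier's exit status survive the pipe into `tee`; a short comment saying so (`# pipefail: a failing dpop-verify.sh must fail this script despite the tee`) would keep someone from removing it.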
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+#
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Gets the name of the currently running workflow file.
+# Note: this requires GITHUB_TOKEN to be set in the workflows.
+this_file() {
+ gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3
+}
+
+# File is BODY in current directory.
+create_issue_body() {
+ RUN_DATE=$(date --utc)
+
+ # see https://docs.github.com/en/actions/learn-github-actions/environment-variables
+ # https://docs.github.com/en/actions/learn-github-actions/contexts.
+ cat <BODY
+Repo: https://github.com/$GITHUB_REPOSITORY/tree/$GITHUB_REF_NAME
+Run: https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID
+Workflow file: https://github.com/$GITHUB_REPOSITORY/tree/main/.github/workflows/$THIS_FILE
+Workflow runs: https://github.com/$GITHUB_REPOSITORY/actions/workflows/$THIS_FILE
+Trigger: $GITHUB_EVENT_NAME
+Branch: $GITHUB_REF_NAME
+Date: $RUN_DATE
+EOF
+}
\ No newline at end of file
diff --git a/.github/workflows/scripts/review-pull-request.sh b/.github/workflows/scripts/review-pull-request.sh
new file mode 100755
index 00000000..241e7845
--- /dev/null
+++ b/.github/workflows/scripts/review-pull-request.sh
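Review bot: `cat <BODY` inside `create_issue_body` as shown reads from a file named BODY rather than writing one, which contradicts the comment `# File is BODY in current directory.` and the closing `EOF` marker; this looks like a heredoc redirection (`cat <<EOF >BODY`) lost in extraction, but if the file really reads this way the function fails on a missing file — worth confirming against the repository. `$THIS_FILE` is expanded in the body but never assigned in this file and `this_file()` is never called, so the caller has to run `THIS_FILE=$(this_file)` first; a comment above `create_issue_body` such as `# Requires THIS_FILE (e.g. THIS_FILE=$(this_file)) and, via this_file, GITHUB_TOKEN to be set.` would make that contract visible. The file also ends without a trailing newline.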
@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+#
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# Gets the open snapshot/timestamp update pull requests of the repository
+timestamp_update() {
+ gh api -H "Accept: application/vnd.github.v3+json" "/repos/${GITHUB_REPOSITORY}/pulls?head=sigstore:update-snapshot-timestamp" | jq '.[0]' | jq 'select (.!=null)'
+}
+
+UPDATE_PR=$(timestamp_update)
+if [[ -n "${UPDATE_PR}" ]]; then
+ PULL_NUMBER=$(echo "${UPDATE_PR}" | jq -r '.number')
+ TITLE=$(echo "${UPDATE_PR}" | jq -r '.title')
+ echo "pull request found: "
+ echo "${PULL_NUMBER}"
+ echo "${TITLE}"
+
+ # Approve PR
+ curl \
+ -o review_output.json \
+ -X POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+ https://api.github.com/repos/"${GITHUB_REPOSITORY}"/pulls/"${PULL_NUMBER}"/reviews
+
+ echo "review: "
+ cat review_output.json
+
+ # TODO: Use gh pr review PR_NUMBER --approve
+ REVIEW_ID=$(jq -r '.id' review_output.json)
+ GH_TOKEN=$GITHUB_TOKEN gh api \
+ --method POST \
+ -H "Accept: application/vnd.github+json" \
+ /repos/"${GITHUB_REPOSITORY}"/pulls/"${PULL_NUMBER}"/reviews/"${REVIEW_ID}"/events \
+ -f event='APPROVE'
+
+ # Get login for DCO
+ GH_TOKEN="${GITHUB_TOKEN}" gh api \
+ -H "Accept: application/vnd.github+json" \
+ /user > login.json
+
+ LOGIN=$(jq -r '.login' login.json)
+ # Attempt to merge PR
+ GH_TOKEN="${GITHUB_TOKEN}" gh api \
+ --method PUT \
+ -H "Accept: application/vnd.github+json" \
+ /repos/"${GITHUB_REPOSITORY}"/pulls/"${PULL_NUMBER}"/merge \
+ -f commit_title="${TITLE} (#${PULL_NUMBER})" \
+ -f commit_message="Signed-off-by: ${LOGIN} <${LOGIN}@users.noreply.github.com>" \
+ -f merge_method='merge'
+
+else
+ echo "No open snapshot/timestamp pull request found"
+fi
diff --git a/.github/workflows/stable-snapshot-timestamp.yml b/.github/workflows/stable-snapshot-timestamp.yml
new file mode 100644
index 00000000..4f765680
--- /dev/null
+++ b/.github/workflows/stable-snapshot-timestamp.yml
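Review bot: The curl call that creates the review does not fail on an HTTP error, so a 4xx response (expired PAT, missing permission) is written to review_output.json, `jq -r '.id'` yields `null`, and the script proceeds to POST to `.../reviews/null/events` and then on to the merge. Add `--fail-with-body` (or `-f`) to the curl line and guard the id, e.g. `[[ "${REVIEW_ID}" != "null" ]] || exit 1`. The approve-and-merge path also trusts any open PR whose head is `sigstore:update-snapshot-timestamp`; checking `.user.login` and `.head.repo.full_name` from UPDATE_PR against the expected automation identity before approving would keep a stray PR on that branch name from being merged with the PAT.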
@@ -0,0 +1,105 @@ +# +# Copyright 2021 The Sigstore Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Stable Snapshot and Timestamp + +permissions: read-all + +# Execute this as a weekly cron job and on changes to repository/ +# when new published metadata is submitted. +on: + # Enable cron for re-signing snapshot and timestamp every week + schedule: + - cron: '0 16 * * 2' # every Tuesday at 9am PST + # When a new root is staged + push: + branches: + - main + paths: + - 'repository/staged/root.json' + workflow_dispatch: + inputs: + dry_run: + type: boolean + default: false + description: Does not trigger job, but checks on whether the job should run. + force_snapshot: + description: 'Whether to force a snapshot. Useful if workflow is within 5 days of a ceremony' + required: false + default: false + type: boolean + +jobs: + check: + # This job checks whether snapshot/timestamp should run. + runs-on: ubuntu-latest + outputs: + block_snapshot: ${{ steps.check.outputs.block_snapshot }} + env: + FORCE_SNAPSHOT: ${{ inputs.force_snapshot }} + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 0 + - name: Determine whether to run a snapshot/timestamp + id: check + shell: bash + run: | + set -euo pipefail + + BRANCHES=$(git for-each-ref --format='%(refname:short)' | grep origin/ceremony/) + echo "${BRANCHES}" + # Check whether a ceremony was initiated within a week of the current date. 
+ echo "block_snapshot=false" >> "${GITHUB_OUTPUT}" + + # If we force a snapshot, exit early. + if [[ "${FORCE_SNAPSHOT}" ]]; then + exit + fi + + ceremonyRegex="origin/ceremony/[0-9]{4}-[0-9]{2}-[0-9]{2}$" + for branch in ${BRANCHES} + do + if [[ "$branch" =~ ${ceremonyRegex} ]]; then + echo "found ceremony branch $branch" + branch_date=$(echo "${branch}" | cut -d '/' -f3) + days_diff=$(( ($(date -d "00:00" +%s) - $(date -d "${branch_date}" +%s)) / (24*3600) )) + if [[ "$days_diff" -lt 2 ]]; then + # Detected ceremony within 2 days of current date + echo "detected ceremony branch $branch within 2 days, stopping automated cron" + echo "block_snapshot=true" >> "${GITHUB_OUTPUT}" + fi + fi + done + + run_snapshot_timestamp_publish: + needs: check + if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing' && needs.check.outputs.block_snapshot == 'false') || (github.event_name != 'schedule' && inputs.dry_run == false) # Don't run workflow in forks on cron + permissions: + id-token: 'write' + issues: 'write' + pull-requests: 'write' + contents: 'write' + actions: 'read' + uses: sigstore/root-signing/.github/workflows/reuseable-snapshot-timestamp.yml@main + with: + snapshot_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/snapshot' + timestamp_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp' + repo: 'repository/' + branch: main + provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' + service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com' + secrets: + token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} diff --git a/.github/workflows/stable-timestamp.yml b/.github/workflows/stable-timestamp.yml new file mode 100644 index 00000000..fd5f643c --- /dev/null +++ b/.github/workflows/stable-timestamp.yml 
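Review bot: The early-exit test `if [[ "${FORCE_SNAPSHOT}" ]]; then` only checks that the string is non-empty, but FORCE_SNAPSHOT is `inputs.force_snapshot` rendered as the text `false` on a workflow_dispatch, so a manual run with the box unticked still skips the ceremony-branch check; use `if [[ "${FORCE_SNAPSHOT}" == "true" ]]; then`. The same test appears in the stable-timestamp.yml hunk with FORCE_TIMESTAMP. In the same step, `BRANCHES=$(git for-each-ref ... | grep origin/ceremony/)` runs under `set -euo pipefail`, so a repository with no ceremony branch at all makes grep exit 1 and fails the check job rather than allowing the snapshot; `grep origin/ceremony/ || true` preserves the intended behaviour. The comment `Check whether a ceremony was initiated within a week` and the input description's `within 5 days` both disagree with the `-lt 2` the loop actually enforces, so one of them should be corrected.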
@@ -0,0 +1,99 @@ +# +# Copyright 2021 The Sigstore Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Stable Timestamp + +permissions: read-all + +# Execute this as a once a week cron job (in addition to stable-snapshot-timestamp) +on: + # Enable cron for re-signing timestamp every week. Timestamp is also + # regenerated in stable-snapshot-timestamp.yml + schedule: + - cron: '0 16 * * 5' # every Friday at 9am PST + workflow_dispatch: + inputs: + dry_run: + type: boolean + default: false + description: Does not trigger job, but checks on whether the job should run. + force_timestamp: + description: 'Whether to force a timestamp. Useful if workflow is within 5 days of a ceremony' + required: false + default: false + type: boolean + +jobs: + check: + # This job checks whether timestamp should run. + runs-on: ubuntu-latest + outputs: + block_timestamp: ${{ steps.check.outputs.block_timestamp }} + env: + FORCE_TIMESTAMP: ${{ inputs.force_timestamp }} + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 0 + - name: Determine whether to create a timestamp + id: check + shell: bash + run: | + set -euo pipefail + + BRANCHES=$(git for-each-ref --format='%(refname:short)' | grep origin/ceremony/) + echo "${BRANCHES}" + # Check whether a ceremony was initiated within a week of the current date. + echo "block_timestamp=false" >> "${GITHUB_OUTPUT}" + + # If we force a timestamp, exit early. 
+ if [[ "${FORCE_TIMESTAMP}" ]]; then + exit + fi + + ceremonyRegex="origin/ceremony/[0-9]{4}-[0-9]{2}-[0-9]{2}$" + for branch in ${BRANCHES} + do + if [[ "$branch" =~ ${ceremonyRegex} ]]; then + echo "found ceremony branch $branch" + branch_date=$(echo "${branch}" | cut -d '/' -f3) + days_diff=$(( ($(date -d "00:00" +%s) - $(date -d "${branch_date}" +%s)) / (24*3600) )) + if [[ "$days_diff" -lt 2 ]]; then + # Detected ceremony within 2 days of current date + echo "detected ceremony branch $branch within 2 days, stopping automated cron" + echo "block_timestamp=true" >> "${GITHUB_OUTPUT}" + fi + fi + done + + run_timestamp_publish: + needs: check + if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing' && needs.check.outputs.block_timestamp == 'false') || (github.event_name != 'schedule' && inputs.dry_run == false) # Don't run workflow in forks on cron + permissions: + id-token: 'write' + issues: 'write' + pull-requests: 'write' + contents: 'write' + actions: 'read' + uses: sigstore/root-signing/.github/workflows/reuseable-snapshot-timestamp.yml@main + with: + timestamp_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp' + repo: 'repository/' + branch: main + provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' + service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com' + disable_snapshot: true + secrets: + token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} diff --git a/.github/workflows/staging-snapshot-timestamp.yml b/.github/workflows/staging-snapshot-timestamp.yml new file mode 100644 index 00000000..55509c54 --- /dev/null +++ b/.github/workflows/staging-snapshot-timestamp.yml 
@@ -0,0 +1,44 @@
+#
+# Copyright 2021 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Staging Snapshot and Timestamp
+
+permissions: read-all
+
+on:
+ workflow_dispatch:
+ inputs:
+ branch:
+ description: 'The branch where the staged repository is, e.g. ceremony/2022-10-18'
+ required: true
+ type: string
+
+jobs:
+ run_snapshot_timestamp_publish:
+ permissions:
+ id-token: 'write'
+ issues: 'write'
+ pull-requests: 'write'
+ contents: 'write'
+ actions: 'read'
+ uses: sigstore/root-signing/.github/workflows/reuseable-snapshot-timestamp.yml@main
+ with:
+ snapshot_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/snapshot'
+ timestamp_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp'
+ branch: ${{ inputs.branch }}
+ provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
+ service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com'
+ secrets:
+ token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }}
diff --git a/.github/workflows/sync-ceremony-to-main.yml b/.github/workflows/sync-ceremony-to-main.yml
new file mode 100644
index 00000000..b239d860
--- /dev/null
+++ b/.github/workflows/sync-ceremony-to-main.yml
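Review bot: `branch: ${{ inputs.branch }}` forwards a free-form dispatch input straight into the reusable workflow that signs snapshot and timestamp with the production KMS keys for whatever branch is named; the description promises a `ceremony/YYYY-MM-DD` form but nothing here enforces it. A small gating job ahead of run_snapshot_timestamp_publish, with the input bound through `env: BRANCH: ${{ inputs.branch }}` and a step running `[[ "${BRANCH}" =~ ^ceremony/[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]] || exit 1`, would reject typos and unexpected branches before any signing happens. Whether the reusable workflow validates the value itself cannot be seen from this hunk.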
@@ -0,0 +1,74 @@ +# +# Copyright 2023 The Sigstore Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This workflow is triggered when a ceremony branch is completed, +# creating a PR that merges the completed ceremony branch to main + +name: Sync Published Ceremony Branch to Main and Preprod + +# Declare default permissions as none. +permissions: {} + +on: + workflow_dispatch: + inputs: + branch: + description: 'The branch to sync to main, generally ceremony/YYYY-MM-DD' + required: true + type: string + push: + # When any published repository metadata is changed on a ceremony/** + # branch. + branches: + - ceremony/** + paths: + - 'repository/repository/**' + +jobs: + push: + if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing') || (github.event_name != 'schedule') # Don't run workflow in forks on cron + permissions: + pull-requests: 'write' + contents: 'write' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 0 + ref: ${{ github.event.repository.default_branch }} + + - name: create pull request + uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 # v2.12.1 + with: + github_token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} + # Use the input branch on workflow_dispatch, or the triggering branch on push to a ceremony/** branch. 
+ source_branch: ${{ inputs.branch || github.ref_name }} + destination_branch: ${{ github.event.repository.default_branch }} + pr_title: "Merge ceremony branch ${{ inputs.branch || github.ref_name }} into ${{ github.event.repository.default_branch }}" + pr_body: "Merge ceremony branch to main" + pr_reviewer: bobcallaway,haydentherapper,joshuagl,kommendorkapten + + if-failed: + runs-on: ubuntu-latest + needs: [push] + permissions: + issues: 'write' + actions: 'read' + if: always() && needs.sync.result == 'failure' + steps: + - name: Open issue or add comment on failure + uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main + with: + comment_for_each_failure: true diff --git a/.github/workflows/sync-main-to-preprod-and-prod.yml b/.github/workflows/sync-main-to-preprod-and-prod.yml new file mode 100644 index 00000000..5b4c680c --- /dev/null +++ b/.github/workflows/sync-main-to-preprod-and-prod.yml 
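Review bot: The if-failed job's condition `if: always() && needs.sync.result == 'failure'` refers to a job named sync, but this workflow's only other job is push (which is what `needs: [push]` names), so the expression never evaluates true and no issue is opened when the PR creation fails. It should read `if: always() && needs.push.result == 'failure'`. The push job's own `if:` also special-cases `github.event_name == 'schedule'` although the workflow declares no schedule trigger; harmless, but it suggests the guard was copied rather than written for this file.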
@@ -0,0 +1,144 @@ +# +# Copyright 2021 The Sigstore Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This sync will execute when any combination of the following files, +# and no other files, are changed on the main branch: +# - timestamp.json +# - snapshot.json +# - [0-9]+.snapshot.json +# Under this condition, all files from the repository/repository directory +# on the main branch will sync to both preprod and prod. + +name: Sync Repository Main Branch with both GCS Preprod and Prod Buckets + +on: + push: + branches: + - main + paths: + # When timestamp or snapshot files are changed. + # Note: the sync job below uses a diff to ensure ONLY these files are changed + # prior to syncing. 
+ - 'repository/repository/timestamp.json' + - 'repository/repository/snapshot.json' + - 'repository/repository/[0-9]+.snapshot.json' + workflow_dispatch: + +jobs: + sync: + runs-on: ubuntu-latest + permissions: + id-token: 'write' + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 0 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: './go.mod' + check-latest: true + # Setup OIDC->SA auth + - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + id: auth + with: + token_format: 'access_token' + workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' + service_account: 'tuf-gha@project-rekor.iam.gserviceaccount.com' + create_credentials_file: true + - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 + with: + project_id: project-rekor + - name: Login + run: | + gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" + gcloud auth list + - name: check-updated-files + id: check-updated-files + run: | + # Checks whether a filename matches timestamp.json, snapshot.json, or [0-9]+.snapshot.json. If not, + # this workflow will exit as we only want to run it when ONLY these files are changed. + # TODO it may be good to check whether the [0-9]+.snapshot.json is the next one chronologically + check_filename() { + if [[ $1 != "timestamp.json" && $1 != "snapshot.json" && !($1 =~ ^[0-9]+\.snapshot.json$) ]]; then + echo "Sync main to preprod and prod workflow: Files other than timestamp and snapshot were updated in main branch, including file: $1. Not syncing, exiting." + echo "abort=true" >> $GITHUB_OUTPUT + fi; + } + # Diff main and prod to determine whether ONLY the timestamp and snapshot files have changed in main. 
+ # If other files have also changed, exit - in this case, the sync should be to preprod only. + # NOTE other non-timestamp/snapshot changes should only occur during a ceremony, and + # will go through the sync-ceremony-* flow that hits main and preprod. This means there should never + # be changed files in prod that have not also hit the main branch. + # NOTE We deliberately diff only with prod to avoid a scenario in which the ceremony branch's sync to + # main and preprod kicks off this workflow, in which case the lack of diff between main and preprod + # could trigger this workflow to auto sync to prod. + # + # TODO this does not check whether the updates are in main or in prod, only that files differ. We could + # make this more exact later to check that the updates are in main (anything else is unexpected). + diff -qr repository/repository sigstore-tuf-root | grep -Po '([0-9\.]*\w+[\.\w+]*(?= differ))|((Only in \w+\: )\K(.*))' | while read l; do check_filename $l; done + - name: sync + id: sync + if: ${{ steps.check-updated-files.outputs.abort != 'true' }} + run: | + check_expiration() { + expiry=$(jq -r '.signed.expires' $1) + expires=$(date -d $expiry +%s) + current=$(date +%s) + if (( expires < current )); then + echo "Detected expired metadata file $1 at $expiry!" + exit 1 + fi; + } + + # Download bucket metadata + gcloud --quiet storage cp -r gs://sigstore-tuf-root/ . + + # Upload all but TUF timestamp. Once timestamp is uploaded, all other files must have been uploaded. + for f in $(ls repository/repository/ -I *timestamp.json) + do + # Check for expiration if this is a non-versioned metadata file. + # Versioned metadata like 1.root.json may be expired. + # TODO(asraa): When consistent snapshots are enabled, this logic must be changed so that + # only old versioned metadata can be expired. 
+ if [[ $f == [^0-9]*.json ]]; then + check_expiration repository/repository/$f + fi; + + gcloud --quiet storage cp --cache-control=no-store -r repository/repository/$f gs://sigstore-preprod-tuf-root/ + gcloud --quiet storage cp --cache-control=no-store -r repository/repository/$f gs://sigstore-tuf-root/ + done + + # Upload timestamp after checking latest timestamp expiration + check_expiration repository/repository/timestamp.json + gcloud --quiet storage cp --cache-control=no-store -r repository/repository/*timestamp.json gs://sigstore-preprod-tuf-root/ + gcloud --quiet storage cp --cache-control=no-store -r repository/repository/*timestamp.json gs://sigstore-tuf-root/ + + # NOTE as this workflow runs only when timestamp or snapshot files are added or updated, there should not + # be a scenario where files that are removed from main must be synced to (removed from) preprod/prod. + gcloud compute url-maps invalidate-cdn-cache tuf-preprod-repo-cdn-lb --path "/*" --async + gcloud compute url-maps invalidate-cdn-cache tuf-repo-cdn-lb --path "/*" --async + + if-failed: + runs-on: ubuntu-latest + needs: [sync] + permissions: + issues: 'write' + actions: 'read' + if: always() && needs.sync.result == 'failure' + steps: + - name: Open issue or add comment on failure + uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main + with: + comment_for_each_failure: true diff --git a/.github/workflows/sync-main-to-preprod.yml b/.github/workflows/sync-main-to-preprod.yml new file mode 100644 index 00000000..4c3be18e --- /dev/null +++ b/.github/workflows/sync-main-to-preprod.yml 
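Review bot: The check-updated-files step diffs repository/repository against a local sigstore-tuf-root directory, but within this file that directory is only created by the `gcloud --quiet storage cp -r gs://sigstore-tuf-root/ .` in the later sync step, so at the time of the diff it does not exist, the pipeline yields no lines, `abort` is never set, and the guard meant to keep anything other than snapshot/timestamp changes out of prod is ineffective. Moving the download ahead of the diff and failing when it is absent, `[[ -d sigstore-tuf-root ]] || { echo "prod copy missing"; exit 1; }`, makes the guard real. The step also relies on the default run shell not having pipefail, since `diff` exits non-zero whenever files differ; that is worth a comment, because adding `shell: bash` to the step would enable pipefail and silently change the outcome.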
@@ -0,0 +1,109 @@ +# +# Copyright 2024 The Sigstore Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This workflow is triggered a root signing completes and is merged +# into main, syncing the repository to the GCS preprod bucket + +name: Sync Published Root Signing to Preprod + +# Declare default permissions as none. +permissions: {} + +on: + workflow_dispatch: + push: + # When a root signing ceremony completes + branches: + - main + paths: + - 'repository/repository/root.json' + +jobs: + sync: + permissions: + id-token: 'write' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 0 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: './go.mod' + check-latest: true + # Setup OIDC->SA auth + - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + id: auth + with: + token_format: 'access_token' + workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' + service_account: 'tuf-gha@project-rekor.iam.gserviceaccount.com' + create_credentials_file: true + - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 + with: + project_id: project-rekor + - name: Login + run: | + gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" + gcloud auth list 
+ # sync + - name: sync + run: | + check_expiration() { + expiry=$(jq -r '.signed.expires' $1) + expires=$(date -d $expiry +%s) + current=$(date +%s) + if (( expires < current )); then + echo "Detected expired metadata file $1 at $expiry!" + exit 1 + fi; + } + # Upload all but TUF timestamp. Once timestamp is uploaded, all other files must have been uploaded. + for f in $(ls repository/repository/ -I *timestamp.json) + do + # Check for expiration if this is a non-versioned metadata file. + # Versioned metadata like 1.root.json may be expired. + # TODO(asraa): When consistent snapshots are enabled, this logic must be changed so that + # only old versioned metadata can be expired. + if [[ $f == [^0-9]*.json ]]; then + check_expiration repository/repository/$f + fi; + gcloud --quiet storage cp --cache-control=no-store -r repository/repository/$f gs://sigstore-preprod-tuf-root/ + done + # Upload timestamp after checking latest timestamp expiration + check_expiration repository/repository/timestamp.json + gcloud --quiet storage cp --cache-control=no-store -r repository/repository/*timestamp.json gs://sigstore-preprod-tuf-root/ + # delete any files present in sigstore-preprod-tuf-root not in repository/repository + gcloud --quiet storage cp -r gs://sigstore-preprod-tuf-root/ . 
+ diff -qr repository/repository sigstore-preprod-tuf-root | while read l; do + if [[ $l =~ "Only in sigstore-preprod-tuf-root" ]]; then + path=$(python3 -c "import re; s='$l'; pattern=r'^Only in sigstore-preprod-tuf-root(\/?)(.*): (.*)$'; match=re.search(pattern, s); print('/'.join([match.group(2), match.group(3)]).lstrip('/'))") + gcloud --quiet storage rm gs://sigstore-preprod-tuf-root/$path + fi; + done + gcloud compute url-maps invalidate-cdn-cache tuf-preprod-repo-cdn-lb --path "/*" --async + + if-failed: + runs-on: ubuntu-latest + needs: [sync] + permissions: + issues: 'write' + actions: 'read' + if: always() && needs.sync.result == 'failure' + steps: + - name: Open issue or add comment on failure + uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main + with: + comment_for_each_failure: true diff --git a/.github/workflows/sync-preprod-to-prod.yml b/.github/workflows/sync-preprod-to-prod.yml new file mode 100644 index 00000000..5cfe94a0 --- /dev/null +++ b/.github/workflows/sync-preprod-to-prod.yml 
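Review bot: The `path=$(python3 -c "... s='$l' ...")` line splices the diff output line into Python source through shell interpolation, so an object name containing a quote or backslash breaks the expression, and the resulting `$path` is then passed unquoted to `gcloud storage rm`. Object names come from the project's own bucket, so this is fragility rather than an open injection, but passing the line as an argument is both safer and shorter: `path=$(python3 -c "import re,sys; m=re.search(r'^Only in sigstore-preprod-tuf-root(/?)(.*): (.*)$', sys.argv[1]); print('/'.join([m.group(2), m.group(3)]).lstrip('/'))" "$l")` followed by `gcloud --quiet storage rm "gs://sigstore-preprod-tuf-root/${path}"`. The same construction appears in the sync-preprod-to-prod.yml hunk for sigstore-tuf-root.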
@@ -0,0 +1,79 @@ +# +# Copyright 2022 The Sigstore Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Sync Preprod Repository with GCS Prod Bucket + +on: + workflow_dispatch: + +jobs: + sync: + if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing') || (github.event_name != 'schedule') # Don't run workflow in forks on cron + runs-on: ubuntu-latest + permissions: + id-token: 'write' + steps: + # Setup OIDC->SA auth + - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + id: auth + with: + token_format: 'access_token' + workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' + service_account: 'tuf-gha@project-rekor.iam.gserviceaccount.com' + create_credentials_file: true + - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 + with: + project_id: project-rekor + - name: login + run: | + gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" + gcloud auth list + + - name: sync + run: | + # download preprod bucket and copy over to production bucket + gcloud --quiet storage cp -r gs://sigstore-preprod-tuf-root/ . + + # upload all but TUF timestamp. Once timestamp is uploaded, all other files must have been uploaded. 
+ for f in $(ls sigstore-preprod-tuf-root/ -I *timestamp.json) + do + gcloud --quiet storage cp --cache-control=no-store -r sigstore-preprod-tuf-root/$f gs://sigstore-tuf-root/ + done + # upload timestamp + gcloud --quiet storage cp --cache-control=no-store -r sigstore-preprod-tuf-root/*timestamp.json gs://sigstore-tuf-root/ + + # delete any files present in sigstore-tuf-root not in sigstore-preprod-tuf-root + gcloud --quiet storage cp -r gs://sigstore-tuf-root/ . + + diff -qr sigstore-preprod-tuf-root sigstore-tuf-root | while read l; do + if [[ $l =~ "Only in sigstore-tuf-root" ]]; then + path=$(python3 -c "import re; s='$l'; pattern=r'^Only in sigstore-tuf-root(\/?)(.*): (.*)$'; match=re.search(pattern, s); print('/'.join([match.group(2), match.group(3)]).lstrip('/'))") + gcloud --quiet storage rm gs://sigstore-tuf-root/$path + fi; + done + gcloud compute url-maps invalidate-cdn-cache tuf-repo-cdn-lb --path "/*" --async + + if-failed: + runs-on: ubuntu-latest + needs: [sync] + permissions: + issues: 'write' + actions: 'read' + if: always() && needs.sync.result == 'failure' + steps: + - name: Open issue or add comment on failure + uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main + with: + comment_for_each_failure: true diff --git a/.github/workflows/test-gcs.yml b/.github/workflows/test-gcs.yml index 93c2d9de..4c1d7a08 100644 --- a/.github/workflows/test-gcs.yml +++ b/.github/workflows/test-gcs.yml @@ -3,8 +3,9 @@ name: root-signing GCS repository tests on: workflow_call: workflow_dispatch: - schedule: - - cron: '17 4,10,16,22 * * *' + # disabled during migration + #schedule: + # - cron: '17 4,10,16,22 * * *' permissions: {} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 5e4ed003..950da4ff 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
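Review bot: The sync step copies every object from preprod into the production bucket without the `check_expiration` guard that sync-main-to-preprod.yml and sync-main-to-preprod-and-prod.yml apply before each upload, so an expired timestamp or snapshot sitting in preprod would be promoted to prod and break clients on their next refresh. Reusing that function here, on the non-versioned `*.json` files in the loop and on `timestamp.json` before its separate upload, keeps the three sync paths consistent. The `if:` guard on the sync job mentions a schedule event the workflow does not declare; it is harmless but misleading.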
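Review bot: Commenting out the `schedule:` block removes the periodic run that independently verifies the published GCS repository, and the `# disabled during migration` comment gives no pointer to when or how it gets re-enabled; the same edit is made in the test.yml hunk. A reference in the comment to the tracking issue or the re-enable condition, e.g. `# disabled during migration; re-enable once <TRACKING-ISSUE> is closed`, keeps the gap in scheduled verification visible to whoever reads the file later.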
@@ -3,8 +3,9 @@ name: TUF-on-CI repository tests on: workflow_call: workflow_dispatch: - schedule: - - cron: '17 4,10,16,22 * * *' + # disabled during migration + #schedule: + # - cron: '17 4,10,16,22 * * *' permissions: {} diff --git a/.github/workflows/tuf_client_tests.yml b/.github/workflows/tuf_client_tests.yml new file mode 100644 index 00000000..88f1fc95 --- /dev/null +++ b/.github/workflows/tuf_client_tests.yml 
@@ -0,0 +1,100 @@
+#
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: TUF Client tests
+
+on:
+ workflow_dispatch:
+ push:
+ paths:
+ - 'repository/**'
+ pull_request:
+
+jobs:
+ client:
+ runs-on: ubuntu-latest
+ steps:
+ # Set up a repository server with python
+ - uses: actions/setup-python@v5
+ with:
+ python-version: '3.x'
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ fetch-depth: 2
+ - run: |
+ cd repository/repository/
+ python -m http.server 8001 &
+ echo "REPO=http://localhost:8001" >> $GITHUB_ENV
+ # Test with go-tuf client
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ with:
+ go-version-file: './go.mod'
+ check-latest: true
+ - run: |
+ go install github.com/theupdateframework/go-tuf/cmd/tuf-client@v0.7.0
+ - run: |
+ # Only 5.root.json is compatible with new versions of go-tuf
+ if [ -f repository/repository/5.root.json ]; then
+ tuf-client init http://localhost:8001 repository/repository/5.root.json
+ tuf-client list http://localhost:8001
+ fi
+ # Verify with a go-tuf client that can understand deprecated keys
+ go run ./tests/client-tests init http://localhost:8001 repository/repository/1.root.json
+ go run ./tests/client-tests list http://localhost:8001
+ # Test with rust client
+ - name: Configure cargo cache
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
+ with:
+ path: |
+ /tmp/tuftool-target
+ 
~/.cargo/registry/index/
+ ~/.cargo/registry/cache/
+ ~/.cargo/git/db/
+ key: ${{ runner.os }}-cargo-tuftool
+ - name: Install tuftool
+ run: |
+ # use the latest version
+ cargo install tuftool \
+ --target-dir /tmp/tuftool-target
+ - run: |
+ tuftool download out \
+ --root repository/repository/2.root.json \
+ -t http://localhost:8001/targets \
+ -m http://localhost:8001
+ # Test with python-tuf ngclient
+ - run: |
+ python3 -m pip install securesystemslib[crypto,pynacl] "tuf>=4.0.0"
+ python3 tests/client-tests/python-tuf.py
+
+ jsclient:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Setup node
+ uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+ with:
+ node-version: 20
+ - name: Install tufjs/cli
+ run: npm install -g @tufjs/cli
+ - run: |
+ cd repository/repository/
+ python -m http.server 8001 &
+ - name: Download and verify root
+ run: |
+ tuf download \
+ --metadata-base-url http://localhost:8001 \
+ --root repository/repository/5.root.json \
+ --target-name trusted_root.json
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
new file mode 100644
index 00000000..e05144db
--- /dev/null
+++ b/.github/workflows/validate.yml
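Review bot: The new workflow has no top-level `permissions:` block, unlike test.yml and test-gcs.yml above which set `permissions: {}`, so every push and pull_request run of these jobs gets the repository's default GITHUB_TOKEN scope. `actions/setup-python@v5` is also the only action here referenced by a mutable tag while checkout, setup-go, setup-node and cache are SHA-pinned, and `cargo install tuftool` ("use the latest version") and `npm install -g @tufjs/cli` pull whatever is current at run time, so a client-side regression or compromised release surfaces as a test failure that looks like a repository problem. Suggest adding `permissions: {}` after the `on:` block, pinning setup-python to a commit SHA with a `# vX.Y.Z` comment like the others, and pinning `tuftool` and `@tufjs/cli` to explicit versions. Both `python -m http.server 8001 &` lines start the server with no readiness wait, so the first client call in the next step can race it.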
@@ -0,0 +1,62 @@
+#
+# Copyright 2021 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: CI Validate
+
+on:
+ push:
+ paths:
+ - 'ceremony/**'
+ - 'repository/**'
+ pull_request:
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ fetch-depth: 2
+ - run: |
+ echo "REPO=$(pwd)/repository" >> $GITHUB_ENV
+ echo "CDN_REPO=https://tuf-repo-cdn.sigstore.dev" >> $GITHUB_ENV
+ echo "CDN_PREPROD_REPO=https://tuf-preprod-repo-cdn.sigstore.dev" >> $GITHUB_ENV
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ with:
+ go-version-file: './go.mod'
+ check-latest: true
+ - name: install deps
+ run: |
+ sudo apt-get install libpcsclite-dev
+ curl -fsO https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem
+ - name: build
+ run: go build -o verify ./cmd/verify/
+ - name: build
+ run: go build -o tuf -tags=pivkey ./cmd/tuf
+ - name: verify local published repository
+ run: ./verify repository --repository $REPO --root $(pwd)/ceremony/2021-06-18/repository/root.json
+ - name: verify CDN remote published repository
+ run: ./verify repository --repository $CDN_REPO --root $(pwd)/ceremony/2021-06-18/repository/root.json
+ - name: verify CDN preprod remote published repository
+ run: ./verify repository --repository $CDN_PREPROD_REPO --root $(pwd)/ceremony/2021-06-18/repository/root.json
+ - name: verify staged ceremony changes
+ 
run: | + set -euo pipefail + export CHANGED=$(git diff --name-only HEAD^ HEAD ceremony/20* | grep ".*staged.*" | head -1) + echo "$CHANGED" + if [ -n "$CHANGED" ]; then + export REPO=$(echo "$CHANGED" | cut -d/ -f 1-2) + ./verify repository --repository "$REPO" --staged true + fi diff --git a/metadata/registry.npmjs.org.json b/metadata/registry.npmjs.org.json index 3cbdcb3b..95385760 100755 --- a/metadata/registry.npmjs.org.json +++ b/metadata/registry.npmjs.org.json @@ -1,13 +1,17 @@ { "signatures": [ { - "keyid": "5e3a4021b11a425fd0a444f1670457ce5b15bbe036144f2417426f7f4b9721da", - "sig": "3046022100a2137aaf3a0dbde3e858b5507cc60596379c859f37b4a4b60e7175497d862e9d022100b4feabf83b0b90973256f0c3dfab9d1ca8eedce2cf04a5f03cb06944604c8229" + "keyid": "3b60e337a003f0465d881e34051b1350f0041b931bd68d95ce2066c81d36de1b", + "sig": "3046022100af26e7c415a1d724ace269d9498a83daadde0b55f155a4c95b431764bab85b7b02210091f5ae0acfe832cd71ba8249d784208ea265f7d103f6a0c92f75aeb939b9be33" + }, + { + "keyid": "a89d235ee2f298d757438c7473b11b0b7b42ff1a45f1dfaac4c014183d6f8c45", + "sig": "3046022100af26e7c415a1d724ace269d9498a83daadde0b55f155a4c95b431764bab85b7b02210091f5ae0acfe832cd71ba8249d784208ea265f7d103f6a0c92f75aeb939b9be33" } ], "signed": { "_type": "targets", - "expires": "2025-02-19T07:59:33Z", + "expires": "2024-09-12T06:13:15Z", "spec_version": "1.0", "targets": { "registry.npmjs.org/keys.json": { @@ -18,8 +22,6 @@ "length": 1017 } }, - "version": 4, - "x-tuf-on-ci-expiry-period": 182, - "x-tuf-on-ci-signing-period": 31 + "version": 3 } } \ No newline at end of file diff --git a/metadata/root.json b/metadata/root.json index 3f18ee74..7cca2eb1 100755 --- a/metadata/root.json +++ b/metadata/root.json 
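Review bot: `curl -fsO https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem` fetches what is presumably the trust anchor for YubiKey PIV attestation at run time with nothing beyond TLS to check it, so a change on that host silently changes what the `pivkey`-tagged `tuf` build or `verify` would accept. Vendor the PEM in the repository, or check it against a pinned digest before use: `echo "<expected-sha256>  piv-attestation-ca.pem" | sha256sum -c -`. As with tuf_client_tests.yml, the workflow sets no top-level `permissions: {}`, and the two build steps are both named `build`, which makes run logs ambiguous. The staged-ceremony step only verifies the first matching path (`head -1`), so a push touching two staged ceremony directories would check one of them — worth confirming that is intended.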
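Review bot: Both signature entries carry the byte-identical `sig` value under two different keyids (`3b60e3…` and `a89d23…`), which is only possible if both keyids name the same public key — presumably a legacy keyid computed over a key dict that included `keyid_hash_algorithms`, kept for older clients. That is harmless for a threshold of 1 as long as verifiers count only keyids listed in the `registry.npmjs.org` delegation (the targets.json hunk lists just `3b60e3…`), but a verifier that counts every entry in `signatures` would see two signatures from one key. Since JSON cannot carry a comment, the reason for the duplicate entry belongs in the repository README or the commit message.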
@@ -1,52 +1,52 @@ { "signatures": [ { - "keyid": "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", - "sig": "30460221008ab1f6f17d4f9e6d7dcf1c88912b6b53cc10388644ae1f09bc37a082cd06003e022100e145ef4c7b782d4e8107b53437e669d0476892ce999903ae33d14448366996e7" + "keyid": "ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c", + "sig": "30450221008b78f894c3cfed3bd486379c4e0e0dfb3e7dd8cbc4d5598d2818eea1ba3c7550022029d3d06e89d04d37849985dc46c0e10dc5b1fc68dc70af1ec9910303a1f3ee2f" }, { - "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", - "sig": "3045022100c768b2f86da99569019c160a081da54ae36c34c0a3120d3cb69b53b7d113758e02204f671518f617b20d46537fae6c3b63bae8913f4f1962156105cc4f019ac35c6a" + "keyid": "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99", + "sig": "30450221009e6b90b935e09b837a90d4402eaa27d5ea26eb7891948ba0ed7090841248f436022003dc2251c4d4a7999b91e9ad0868765ae09ac7269279f2a7899bafef7a2d9260" }, { - "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", - "sig": "3045022100b4434e6995d368d23e74759acd0cb9013c83a5d3511f0f997ec54c456ae4350a022015b0e265d182d2b61dc74e155d98b3c3fbe564ba05286aa14c8df02c9b756516" + "keyid": "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f", + "sig": "30440220099e907dcf90b7b6e109fd1d6e442006fccbb48894aaaff47ab824b03fb35d0d02202aa0a06c21a4233f37900a48bc8777d3b47f59e3a38616ce631a04df57f96736" }, { - "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", - "sig": "304502210082c58411d989eb9f861410857d42381590ec9424dbdaa51e78ed13515431904e0220118185da6a6c2947131c17797e2bb7620ce26e5f301d1ceac5f2a7e58f9dcf2e" + "keyid": "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", + "sig": "30450221008b78f894c3cfed3bd486379c4e0e0dfb3e7dd8cbc4d5598d2818eea1ba3c7550022029d3d06e89d04d37849985dc46c0e10dc5b1fc68dc70af1ec9910303a1f3ee2f" }, { - "keyid": 
"a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70", - "sig": "3046022100c78513854cae9c32eaa6b88e18912f48006c2757a258f917312caba75948eb9e022100d9e1b4ce0adfe9fd2e2148d7fa27a2f40ba1122bd69da7612d8d1776b013c91d" + "keyid": "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", + "sig": "30450221009e6b90b935e09b837a90d4402eaa27d5ea26eb7891948ba0ed7090841248f436022003dc2251c4d4a7999b91e9ad0868765ae09ac7269279f2a7899bafef7a2d9260" }, { - "keyid": "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f", - "sig": "3045022056483a2d5d9ea9cec6e11eadfb33c484b614298faca15acf1c431b11ed7f734c022100d0c1d726af92a87e4e66459ca5adf38a05b44e1f94318423f954bae8bca5bb2e" + "keyid": "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", + "sig": "304502200e5613b901e0f3e08eceabddc73f98b50ddf892e998d0b369c6e3d451ac48875022100940cf92d1f43ee2e5cdbb22572bb52925ed3863a688f7ffdd4bd2e2e56f028b3" }, { - "keyid": "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", - "sig": "3046022100d004de88024c32dc5653a9f4843cfc5215427048ad9600d2cf9c969e6edff3d2022100d9ebb798f5fc66af10899dece014a8628ccf3c5402cd4a4270207472f8f6e712" + "keyid": "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de", + "sig": "304502202cff44f2215d7a47b28b8f5f580c2cfbbd1bfcfcbbe78de323045b2c0badc5e9022100c743949eb3f4ea5a4b9ae27ac6eddea1f0ff9bfd004f8a9a9d18c6e4142b6e75" }, { - "keyid": "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", - "sig": "3046022100b7b09996c45ca2d4b05603e56baefa29718a0b71147cf8c6e66349baa61477df022100c4da80c717b4fa7bba0fd5c72da8a0499358b01358b2309f41d1456ea1e7e1d9" + "keyid": "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", + "sig": "30440220099e907dcf90b7b6e109fd1d6e442006fccbb48894aaaff47ab824b03fb35d0d02202aa0a06c21a4233f37900a48bc8777d3b47f59e3a38616ce631a04df57f96736" }, { - "keyid": "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", - "sig": 
"3046022100be9782c30744e411a82fa85b5138d601ce148bc19258aec64e7ec24478f38812022100caef63dcaf1a4b9a500d3bd0e3f164ec18f1b63d7a9460d9acab1066db0f016d" + "keyid": "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f", + "sig": "304502202cff44f2215d7a47b28b8f5f580c2cfbbd1bfcfcbbe78de323045b2c0badc5e9022100c743949eb3f4ea5a4b9ae27ac6eddea1f0ff9bfd004f8a9a9d18c6e4142b6e75" }, { - "keyid": "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", - "sig": "30450220746ec3f8534ce55531d0d01ff64964ef440d1e7d2c4c142409b8e9769f1ada6f022100e3b929fcd93ea18feaa0825887a7210489879a66780c07a83f4bd46e2f09ab3b" + "keyid": "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b", + "sig": "304502200e5613b901e0f3e08eceabddc73f98b50ddf892e998d0b369c6e3d451ac48875022100940cf92d1f43ee2e5cdbb22572bb52925ed3863a688f7ffdd4bd2e2e56f028b3" } ], "signed": { "_type": "root", "consistent_snapshot": true, - "expires": "2025-02-19T08:04:32Z", + "expires": "2024-09-12T06:53:10Z", "keys": { - "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06": { + "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849": { "keyid_hash_algorithms": [ "sha256", "sha512" 
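Review bot: The ten `signatures` entries contain only five distinct `sig` values — `ff51e1…` and `3c344a…` share one, `25a0eb…` and `ec8166…` another, and so on — so each physical root key appears under two keyids, presumably a legacy id alongside the current one. Spec-compliant clients count only keyids in `roles.root.keyids`, which in the later hunk lists just the five current ids, so the threshold of 3 still requires three distinct keys; a verifier that matches signatures against any keyid in `keys` could reach 3 with two keys. Worth stating the dual-keyid convention in the repository docs and having the verify tool assert that no two counted signatures are identical. This hunk also pulls `expires` back to 2024-09-12T06:53:10Z, so snapshot/timestamp signing has to resume before that date or clients will fail on an expired root.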
@@ -55,22 +55,20 @@ "keyval": { "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzBzVOmHCPojMVLSI364WiiV8NPrD\n6IgRxVliskz/v+y3JER5mcVGcONliDcWMC5J2lfHmjPNPhb4H7xm8LzfSA==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256", - "x-tuf-on-ci-keyowner": "@santiagotorres" + "scheme": "ecdsa-sha2-nistp256" }, - "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222": { + "230e212616274a4195cdc28e9fce782c20e6c720f1a811b40f98228376bdd3ac": { "keyid_hash_algorithms": [ "sha256", "sha512" ], "keytype": "ecdsa", "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n" + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF\n0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256", - "x-tuf-on-ci-keyowner": "@bobcallaway" + "scheme": "ecdsa-sha2-nistp256" }, - "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3": { + "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e": { "keyid_hash_algorithms": [ "sha256", "sha512" @@ -79,10 +77,9 @@ "keyval": { "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256", - "x-tuf-on-ci-keyowner": "@dlorenc" + "scheme": "ecdsa-sha2-nistp256" }, - "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c": { + "923bb39e60dd6fa2c31e6ea55473aa93b64dd4e53e16fbe42f6a207d3f97de2d": { "keyid_hash_algorithms": [ "sha256", "sha512" 
@@ -91,22 +88,20 @@ "keyval": { "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256", - "x-tuf-on-ci-online-uri": "gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp" + "scheme": "ecdsa-sha2-nistp256" }, - "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70": { + "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523": { "keyid_hash_algorithms": [ "sha256", "sha512" ], "keytype": "ecdsa", "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n" + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256", - "x-tuf-on-ci-keyowner": "@joshuagl" + "scheme": "ecdsa-sha2-nistp256" }, - "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2": { + "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e": { "keyid_hash_algorithms": [ "sha256", "sha512" 
@@ -115,51 +110,55 @@ "keyval": { "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256", - "x-tuf-on-ci-keyowner": "@mnm678" + "scheme": "ecdsa-sha2-nistp256" + }, + "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f": { + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256" } }, "roles": { "root": { "keyids": [ - "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", - "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", - "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", - "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", - "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70" + "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", + "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", + "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", + "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", + "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f" ], "threshold": 3 }, "snapshot": { "keyids": [ - "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c" + "230e212616274a4195cdc28e9fce782c20e6c720f1a811b40f98228376bdd3ac" ], - "threshold": 1, - "x-tuf-on-ci-expiry-period": 3650, - "x-tuf-on-ci-signing-period": 365 + "threshold": 1 }, "targets": { "keyids": [ - "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", - "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", - 
"22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", - "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", - "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70" + "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", + "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", + "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", + "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", + "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f" ], "threshold": 3 }, "timestamp": { "keyids": [ - "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c" + "923bb39e60dd6fa2c31e6ea55473aa93b64dd4e53e16fbe42f6a207d3f97de2d" ], - "threshold": 1, - "x-tuf-on-ci-expiry-period": 7, - "x-tuf-on-ci-signing-period": 4 + "threshold": 1 } }, "spec_version": "1.0", - "version": 10, - "x-tuf-on-ci-expiry-period": 182, - "x-tuf-on-ci-signing-period": 31 + "version": 9 } } \ No newline at end of file diff --git a/metadata/root_history/10.root.json b/metadata/root_history/10.root.json deleted file mode 100644 index 3f18ee74..00000000 --- a/metadata/root_history/10.root.json +++ /dev/null 
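Review bot: Rolling `version` back from 10 to 9 and deleting `root_history/10.root.json` is only safe if 10.root.json never reached a published repository or CDN: TUF clients refuse a root whose version is lower than the one they already trust, so a client that fetched version 10 would reject this metadata as a rollback, while a fresh client walking 1.root.json…N.root.json now stops at 9. If version 10 was published anywhere, the revert should be shipped as version 11 rather than a re-publication of 9; the five root/targets PEMs are identical between the two versions (only the keyids and the online snapshot/timestamp keys differ), so the same signers can produce it. If it was never published, a sentence in the commit message confirming that would make the deletion of the history file reviewable. The rest of the root file is outside this hunk.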
@@ -1,165 +0,0 @@ -{ - "signatures": [ - { - "keyid": "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", - "sig": "30460221008ab1f6f17d4f9e6d7dcf1c88912b6b53cc10388644ae1f09bc37a082cd06003e022100e145ef4c7b782d4e8107b53437e669d0476892ce999903ae33d14448366996e7" - }, - { - "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", - "sig": "3045022100c768b2f86da99569019c160a081da54ae36c34c0a3120d3cb69b53b7d113758e02204f671518f617b20d46537fae6c3b63bae8913f4f1962156105cc4f019ac35c6a" - }, - { - "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", - "sig": "3045022100b4434e6995d368d23e74759acd0cb9013c83a5d3511f0f997ec54c456ae4350a022015b0e265d182d2b61dc74e155d98b3c3fbe564ba05286aa14c8df02c9b756516" - }, - { - "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", - "sig": "304502210082c58411d989eb9f861410857d42381590ec9424dbdaa51e78ed13515431904e0220118185da6a6c2947131c17797e2bb7620ce26e5f301d1ceac5f2a7e58f9dcf2e" - }, - { - "keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70", - "sig": "3046022100c78513854cae9c32eaa6b88e18912f48006c2757a258f917312caba75948eb9e022100d9e1b4ce0adfe9fd2e2148d7fa27a2f40ba1122bd69da7612d8d1776b013c91d" - }, - { - "keyid": "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f", - "sig": "3045022056483a2d5d9ea9cec6e11eadfb33c484b614298faca15acf1c431b11ed7f734c022100d0c1d726af92a87e4e66459ca5adf38a05b44e1f94318423f954bae8bca5bb2e" - }, - { - "keyid": "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", - "sig": "3046022100d004de88024c32dc5653a9f4843cfc5215427048ad9600d2cf9c969e6edff3d2022100d9ebb798f5fc66af10899dece014a8628ccf3c5402cd4a4270207472f8f6e712" - }, - { - "keyid": "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", - "sig": "3046022100b7b09996c45ca2d4b05603e56baefa29718a0b71147cf8c6e66349baa61477df022100c4da80c717b4fa7bba0fd5c72da8a0499358b01358b2309f41d1456ea1e7e1d9" - }, - { - "keyid": 
"ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", - "sig": "3046022100be9782c30744e411a82fa85b5138d601ce148bc19258aec64e7ec24478f38812022100caef63dcaf1a4b9a500d3bd0e3f164ec18f1b63d7a9460d9acab1066db0f016d" - }, - { - "keyid": "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", - "sig": "30450220746ec3f8534ce55531d0d01ff64964ef440d1e7d2c4c142409b8e9769f1ada6f022100e3b929fcd93ea18feaa0825887a7210489879a66780c07a83f4bd46e2f09ab3b" - } - ], - "signed": { - "_type": "root", - "consistent_snapshot": true, - "expires": "2025-02-19T08:04:32Z", - "keys": { - "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa", - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzBzVOmHCPojMVLSI364WiiV8NPrD\n6IgRxVliskz/v+y3JER5mcVGcONliDcWMC5J2lfHmjPNPhb4H7xm8LzfSA==\n-----END PUBLIC KEY-----\n" - }, - "scheme": "ecdsa-sha2-nistp256", - "x-tuf-on-ci-keyowner": "@santiagotorres" - }, - "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa", - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n" - }, - "scheme": "ecdsa-sha2-nistp256", - "x-tuf-on-ci-keyowner": "@bobcallaway" - }, - "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa", - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n" - }, - "scheme": "ecdsa-sha2-nistp256", - "x-tuf-on-ci-keyowner": "@dlorenc" - }, - 
"7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa", - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n" - }, - "scheme": "ecdsa-sha2-nistp256", - "x-tuf-on-ci-online-uri": "gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp" - }, - "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa", - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n" - }, - "scheme": "ecdsa-sha2-nistp256", - "x-tuf-on-ci-keyowner": "@joshuagl" - }, - "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa", - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n" - }, - "scheme": "ecdsa-sha2-nistp256", - "x-tuf-on-ci-keyowner": "@mnm678" - } - }, - "roles": { - "root": { - "keyids": [ - "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", - "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", - "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", - "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", - "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70" - ], - "threshold": 3 - }, - "snapshot": { - "keyids": [ - "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c" - ], - "threshold": 1, - "x-tuf-on-ci-expiry-period": 3650, - 
"x-tuf-on-ci-signing-period": 365 - }, - "targets": { - "keyids": [ - "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", - "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", - "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", - "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", - "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70" - ], - "threshold": 3 - }, - "timestamp": { - "keyids": [ - "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c" - ], - "threshold": 1, - "x-tuf-on-ci-expiry-period": 7, - "x-tuf-on-ci-signing-period": 4 - } - }, - "spec_version": "1.0", - "version": 10, - "x-tuf-on-ci-expiry-period": 182, - "x-tuf-on-ci-signing-period": 31 - } -} \ No newline at end of file diff --git a/metadata/targets.json b/metadata/targets.json index e5993f84..8e88fdc3 100755 --- a/metadata/targets.json +++ b/metadata/targets.json 
@@ -1,43 +1,46 @@ { "signatures": [ { - "keyid": "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", - "sig": "3045022100cffdd70aff94fab0127ac749c64449d5f644c7195971bfdca57879d5f645ab960220129ed6aeb07a57d9554af28941543bbb58f28c4c60d28a819f2294d290ff6cd9" + "keyid": "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", + "sig": "30440220764f1edad367a55d340eb7a97c0c8f847c47fa3fd05cadf3e246ee8ced7e504002200ebe44b01d6f59a348041c3845dda0980754893ddc1a9c8bfaa98e6b1f0b4627" }, { - "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", - "sig": "30450220208c663d230a0ebb3a2b964020d019394112e216d4964c743ad2e61cebc43b52022100c2964f3fa7e77cd3abe13640d91b53d1a294470b65211a42f3f7764064c28ce4" + "keyid": "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", + "sig": "304502202d4955e47ab4a6ba6aaaa372bf50084e3cea0149da09f28807285fa306af38ae022100947cb4f41332f3f3215b78ccb897177e122f3de7e682ac19f8f3c835bbdc75f4" }, { - "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", - "sig": "304502210093afa3a6d28f67f6aace8c6c5258282ec0784ce82da93589e2870b522c1b685502205374c8871e12e07f856f83e780b626dd5a00a032285d4436f615cdb9d637c3c3" + "keyid": "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", + "sig": "3045022015062f271a9cab84d5ffdbf878a42a4fc0754c1fa91822e38242af3546eaada8022100f0d766d4aca8ba675cf0b715104b765f81b4772cb53915db253fc437980e9e76" }, { - "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", - "sig": "3044022006b5eae637d0b66f4f72759f86e86840f6a9a580b3baf7303a046d8fac1c0872022053c1b8a6fbce7e37a7e46501019a160f4d833efb48e7ca5bd274df54b2bbce3f" + "keyid": "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", + "sig": "3045022100cccbbbfa8a87a648f6cd18f881b6643bb2fcb5f812678af5f1ed676e574eae3902200faaf1083c5bc95471ba6d1c7da1d7fcbabfaa32cdc27c215ef9b58b4c3d41c0" }, { - "keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70", - 
"sig": "304502203d51eac2b34f6f06178e86e484d192f7a40b53df47e2ba0540d2e5a397d1e92b0221009833e3bb41c3bd28bc1adc06a74e5e7c73a6c9d9a1648ab558cfbdd380a2c4e2" + "keyid": "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f", + "sig": "304402203161c4a74acc63ea50af6f78e32248366bad10d823fe38ca190780ca70cf1124022051dd0734f33253304a814e10e0387a82770ee6905ace85c03b645df1109a6b38" } ], "signed": { "_type": "targets", "delegations": { "keys": { - "5e3a4021b11a425fd0a444f1670457ce5b15bbe036144f2417426f7f4b9721da": { + "3b60e337a003f0465d881e34051b1350f0041b931bd68d95ce2066c81d36de1b": { + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], "keytype": "ecdsa", "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVfei1dXQRVeArCMcTDgxJtYg+Fs7\nV87DjhQbGlRJPyC7SW5TbNNkmvpmi4LeTv6moLVZ7T2nVqiRZbSkD+cf8w==\n-----END PUBLIC KEY-----\n" + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoLrh0jmOfHWLwsyo/4oGbldF91WV\nfXvxVlDhW8fZwP/3vTnliBkDp5sH8/Dpm1SBOHkqENVt1+4Un/sFtl2zAQ==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256", - "x-tuf-on-ci-online-uri": "azurekms://npm-tuf-delegate.vault.azure.net/keys/npm-tuf-delegate-2024-08/e2772c1d01ca400da571096889f1660e" + "scheme": "ecdsa-sha2-nistp256" } }, "roles": [ { "keyids": [ - "5e3a4021b11a425fd0a444f1670457ce5b15bbe036144f2417426f7f4b9721da" + "3b60e337a003f0465d881e34051b1350f0041b931bd68d95ce2066c81d36de1b" ], "name": "registry.npmjs.org", "paths": [ @@ -48,7 +51,7 @@ } ] }, - "expires": "2034-08-24T07:16:33Z", + "expires": "2024-09-12T06:13:15Z", "spec_version": "1.0", "targets": { "artifact.pub": { @@ -156,8 +159,6 @@ "length": 7014 } }, - "version": 10, - "x-tuf-on-ci-expiry-period": 3650, - "x-tuf-on-ci-signing-period": 31 + "version": 9 } } \ No newline at end of file
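Review bot: The same rollback constraint applies here: `version` goes back from 10 to 9 and `expires` from 2034-08-24 to 2024-09-12T06:13:15Z, and with `consistent_snapshot: true` (root.json hunk above) a client whose snapshot already references targets version 10 will not accept `9.targets.json`. The `registry.npmjs.org` delegation also switches its key from the Azure KMS online key `5e3a40…` back to `3b60e3…`, so the npm delegate's current signing path must still control that key or its delegated metadata stops verifying. If version 10 was ever published, ship the reverted content as version 11 instead of re-publishing 9. The `targets` map itself is outside these hunks.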