diff --git a/.github/workflows/cosign-test.yml b/.github/workflows/cosign-test.yml
deleted file mode 100644
index fe792b58..00000000
--- a/.github/workflows/cosign-test.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-#
-# Copyright 2022 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: Cosign tests
-
-on:
- workflow_dispatch:
- push:
- paths:
- - 'repository/**'
- pull_request:
-
-jobs:
- validate:
- env:
- COSIGN_EXPERIMENTAL: "true"
- runs-on: ubuntu-latest
- steps:
- # Install cosign
- - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
-
- # Set up a repository server with python
- - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
- with:
- python-version: '3.x'
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- fetch-depth: 2
- - run: |
- cd repository/repository/
- python -m http.server 8001 &
- echo "REPO=http://localhost:8001" >> $GITHUB_ENV
-
- # Test cosign initialize
- - name: cosign initialize on published repository
- run: cosign initialize --mirror http://localhost:8001
diff --git a/.github/workflows/create-signing-events.yml b/.github/workflows/create-signing-events.yml
index 6dfce059..592ba2ec 100644
--- a/.github/workflows/create-signing-events.yml
+++ b/.github/workflows/create-signing-events.yml
@@ -1,9 +1,8 @@
name: TUF-on-CI create Signing events
on:
- # disabled during migration
- #schedule:
- # - cron: '17 1,7,13,19 * * *'
+ schedule:
+ - cron: '17 1,7,13,19 * * *'
workflow_dispatch:
permissions: {}
@@ -16,7 +15,7 @@ jobs:
actions: 'write' # for dispatching signing event workflow
steps:
- name: Create signing events for offline version bumps
- uses: theupdateframework/tuf-on-ci/actions/create-signing-events@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/create-signing-events@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
with:
token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
@@ -28,7 +27,7 @@ jobs:
issues: 'write' # for modifying Issues
steps:
- name: Update the issue for the workflow
- uses: theupdateframework/tuf-on-ci/actions/update-issue@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
with:
token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/delegation-pop-verify.yml b/.github/workflows/delegation-pop-verify.yml
deleted file mode 100644
index 50a43bb4..00000000
--- a/.github/workflows/delegation-pop-verify.yml
+++ /dev/null
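Review bot: The re-enabled `cron: '17 1,7,13,19 * * *'` is the same schedule that online-sign.yml turns back on in this commit, so both scheduled runs start in the same minute; if a signing event created here and an online-sign run can write to the same branch, consider offsetting one of them by a few minutes, or confirm that the tuf-on-ci actions tolerate the overlap. The deleted comment recorded why the schedule was off, and nothing now explains the cadence; a one-line comment above `schedule:` such as `# four times a day; keep in step with online-sign.yml` would keep that context. The version bumps in the other two hunks of this file look consistent with the rest of the commit.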
@@ -1,54 +0,0 @@ -# -# Copyright 2023 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Verify POP for a delegation - -on: - pull_request: - branches: - - 'ceremony/**' - - 'test-ceremony/**' - - 'test-delegation/**' - -jobs: - verify: - if: ${{ startsWith(github.event.pull_request.title, 'feat/add-delegation for ') }} - runs-on: ubuntu-latest - permissions: - contents: 'write' - pull-requests: 'read' - env: - GITHUB_TOKEN: ${{ secrets.SIGSTORE_REVIEW_BOT_FINE_GRAINED_PAT }} - PR_NUMBER: ${{ github.event.pull_request.number }} - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - - name: Setup go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - - - name: Install deps - run: sudo apt-get install libpcsclite-dev - - - name: build - run: make tuf - - - name: Verify POP - run: .github/workflows/scripts/dpop-wrapper.sh "${{ github.event.pull_request.title }}" diff --git a/.github/workflows/initialize.yml b/.github/workflows/initialize.yml deleted file mode 100644 index 2280d1a6..00000000 --- a/.github/workflows/initialize.yml +++ /dev/null 
@@ -1,161 +0,0 @@ -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Stage a new root and targets on a new branch - -permissions: read-all - -# Execute this ONLY as workflow dispatch. -on: - workflow_dispatch: - inputs: - branch: - description: 'The branch to stage changes against, generally ceremony/YYYY-MM-DD' - required: true - type: string - revoke_key: - description: 'If provided, revokes the given HSM key, identified by the serial number' - required: false - type: string - repo: - description: 'The repository in which to stage a new root and targets' - required: false - default: repository - type: string - draft: - description: 'Use for testing; creates a draft pull request' - required: false - default: false - type: boolean - -jobs: - check_branch: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: Check if remote branch exists - env: - BRANCH: ${{ inputs.branch }} - run: | - branch_exists=$(git ls-remote --heads origin ${BRANCH}) - - if [[ -z ${branch_exists} ]]; then - echo "Staging root branch ${BRANCH} does not exist: has a maintainer created one?" 
- exit 1 - fi - - init_root: - runs-on: ubuntu-latest - needs: check_branch - permissions: - id-token: 'write' - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - # TODO(https://github.com/sigstore/root-signing/issues/98): Use a common configuration checked into source control - - name: setup environment - run: | - echo "GITHUB_USER=${{ github.actor }}" >> $GITHUB_ENV - echo "SNAPSHOT_KEY=gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/snapshot" >> $GITHUB_ENV - echo "TIMESTAMP_KEY=gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp" >> $GITHUB_ENV - echo "REPO=${{ inputs.repo }}" >> $GITHUB_ENV - echo "BRANCH=${{ inputs.branch }}" >> $GITHUB_ENV - # Note: we set LOCAL=1 because we manually push the changes in the next job. - echo "LOCAL=1" >> $GITHUB_ENV - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - # Setup OIDC->SA auth for signing with KMS - - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 - id: auth - with: - token_format: 'access_token' - workload_identity_provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com' - create_credentials_file: true - - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: sigstore-root-signing - - name: Login - run: | - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list - - # Initialize the new root and targets layout - - name: step 0 - # Note that we are already in a git repository and are manually pushing changes with the job below - # so we can simply build the TUF binary and bypass git setup in step 0. 
- run: | - sudo apt-get install libpcsclite-dev - go build -o tuf -tags=pivkey ./cmd/tuf - - name: step 1.5 - run: | - ./scripts/step-1.5.sh ${{ inputs.revoke_key }} - - name: Upload new repository - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 - with: - name: ${{ inputs.repo }} - path: ${{ inputs.repo }} - retention-days: 5 - - push: - needs: init_root - runs-on: ubuntu-latest - permissions: - pull-requests: 'write' - contents: 'write' - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.branch }} - fetch-depth: 0 - - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: ${{ inputs.repo }} - path: ${{ inputs.repo }} - # Detect new version and expiration to add to the PR description. - - name: Detect new version - env: - REPO: ${{ inputs.repo }} - run: | - # Detects the new root version. - VERSION=$(cat ${REPO}/staged/root.json | jq -r '.signed.version') - echo "VERSION=$VERSION" >> $GITHUB_ENV - - # Create commits - - name: Create commits - env: - REPO: ${{ inputs.repo }} - run: | - # Set identity. - git config --global user.email "noreply@github.com" - git config --global user.name "GitHub" - - git checkout -b init-root-targets - # Commit the REPO changes - git add ${REPO} - git commit -s -m "Add staged repository metadata" - git push origin HEAD - - # Open pull request changes. Use the fine-grained PAT in order to trigger presubmits. - - name: create pull request - env: - DRAFT: ${{ inputs.draft && '-d' || '' }} - run: - GH_TOKEN=${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} gh pr create -B ${{ inputs.branch }} -H init-root-targets -t "Update Root and Targets to version ${{ env.VERSION }}" -b "Initializes a new root and targets to version ${{ env.VERSION }}" ${DRAFT} -r bobcallaway -r haydentherapper -r kommendorkapten 
diff --git a/.github/workflows/ci-test.yml b/.github/workflows/lint.yml
similarity index 50%
rename from .github/workflows/ci-test.yml
rename to .github/workflows/lint.yml
index 46e5e7eb..ef563fbd 100644
--- a/.github/workflows/ci-test.yml
+++ b/.github/workflows/lint.yml
@@ -13,31 +13,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-name: CI Test
+name: Lint
on:
push:
- paths-ignore:
- - 'ceremony/**'
pull_request:
- paths-ignore:
- - 'ceremony/**'
jobs:
- golangci:
- name: lint
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
- with:
- go-version-file: './go.mod'
- check-latest: true
- - name: golangci-lint
- uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
- with:
- version: v1.59
-
yamllint:
runs-on: ubuntu-latest
steps:
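Review bot: Dropping `paths-ignore: - 'ceremony/**'` from both the `push` and `pull_request` triggers means yamllint, actionlint and shellcheck now run on changes that touch only `ceremony/**`; the old filter presumably existed because that tree holds historical ceremony material the linters were not written for. If that directory still exists after this migration, either keep the filter or add the path to the yamllint ignore list so a lint failure there cannot block unrelated pull requests. The hunk ends in the middle of the `yamllint` job, so its steps are not visible here.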
@@ -65,40 +47,6 @@ jobs: with: actionlint_flags: -color -shellcheck= - test: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - - name: install deps - run: | - sudo apt-get install libpcsclite-dev - - name: Test - run: go test -tags=pivkey -v ./... - - name: Ensure no files were modified as a result of the build - run: git update-index --refresh && git diff-index --quiet HEAD -- || git diff --exit-code - - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - - name: install deps - run: | - sudo apt-get install libpcsclite-dev - - name: build verification - run: go build -o verify ./cmd/verify/ - - name: build TUF script - run: go build -o tuf -tags=pivkey ./cmd/tuf - - name: build test script - run: go build -o keygen -tags=pivkey ./tests/keygen - shellcheck: name: Shellcheck runs-on: ubuntu-latest diff --git a/.github/workflows/online-sign.yml b/.github/workflows/online-sign.yml index 92d1c1f2..afbf4a73 100644 --- a/.github/workflows/online-sign.yml +++ b/.github/workflows/online-sign.yml @@ -3,12 +3,11 @@ name: TUF-on-CI online signing permissions: {} on: - # disabled during migration - #schedule: - # - cron: '17 1,7,13,19 * * *' - #push: - # branches: [ main ] - # paths: ['metadata/**', '!metadata/timestamp.json', '!metadata/snapshot.json'] + schedule: + - cron: '17 1,7,13,19 * * *' + push: + branches: [main] + paths: ['metadata/**', '!metadata/timestamp.json', '!metadata/snapshot.json'] workflow_dispatch: jobs: 
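Review bot: Removing the `test` and `build` jobs leaves no job in CI that compiles `cmd/tuf`, `cmd/verify` or `tests/keygen`, or runs `go test -tags=pivkey ./...`; that is only safe if the Go sources and `go.mod` are removed in the same change, which this diff does not show. If they stay in the repository for now, keep a minimal build job until they are deleted, so a broken tree is still caught before the next release. The preceding `golangci` removal in the first hunk of this file carries the same assumption.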
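Review bot: The `paths` filter on the re-enabled `push` trigger excludes `metadata/timestamp.json` and `metadata/snapshot.json`, which is what stops online-sign from re-triggering on the commit it pushes itself when `TUF_ON_CI_TOKEN` is a personal access token (a push made with `GITHUB_TOKEN` does not start workflows, but one made with a PAT does); nothing in the file records that intent. Suggest a comment above the `paths:` line: `# exclude the files online-sign writes itself so its own push does not re-trigger this workflow`. The flow-style lists work, but a block list would make later path additions diff more cleanly.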
@@ -20,7 +19,7 @@ jobs:
actions: 'write' # for dispatching publish workflow
steps:
- id: online-sign
- uses: theupdateframework/tuf-on-ci/actions/online-sign@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/online-sign@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
with:
token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
gcp_workload_identity_provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
@@ -35,7 +34,7 @@ jobs:
issues: 'write' # for modifying Issues
steps:
- name: Update the issue for the workflow
- uses: theupdateframework/tuf-on-ci/actions/update-issue@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
with:
token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f46eeded..1d8ff9f4 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- id: build-and-upload-repository
- uses: theupdateframework/tuf-on-ci/actions/upload-repository@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/upload-repository@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
with:
gh_pages: true
ref: ${{ inputs.ref }}
@@ -67,7 +67,7 @@ jobs:
issues: 'write' # for modifying Issues
steps:
- name: Update the issue for the workflow
- uses: theupdateframework/tuf-on-ci/actions/update-issue@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
with:
token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 834d1b17..00000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,86 +0,0 @@ -# -# Copyright 2023 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: cut-release - -on: - push: - tags: - - "v*" - -# Note: read permissions are set globally. -jobs: - release: - runs-on: ubuntu-latest - permissions: - actions: read # To read the workflow path. - id-token: write # To sign the provenance. - contents: write # To add assets to a release. - outputs: - hashes: ${{ steps.hash.outputs.hashes }} - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - - - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - - uses: anchore/sbom-action/download-syft@ab9d16d4b419c9d1a02df5213fa0ebe965ca5a57 # v0.17.1 - - uses: imjasonh/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7 - - - name: Set LDFLAGS - id: ldflags - run: | - source ./release/ldflags.sh - goflags=$(ldflags) - echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV" - - - name: Run GoReleaser - id: run-goreleaser - uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 - with: - version: latest - args: release --clean - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - LDFLAGS: ${{ env.GO_FLAGS }} - - - name: Generate subject - id: hash - env: - ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" - run: | - set -euo pipefail - 
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') - echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" - - - name: Set tag output - id: tag - run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT" - - provenance: - needs: [release] - permissions: - actions: read # To read the workflow path. - id-token: write # To sign the provenance. - contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 - with: - base64-subjects: "${{ needs.release.outputs.hashes }}" - upload-assets: true # upload to a new release - upload-tag-name: "${{ needs.release.outputs.tag_name }}" # Upload to tag rather than generate a new release - draft-release: true diff --git a/.github/workflows/reuseable-snapshot-timestamp.yml b/.github/workflows/reuseable-snapshot-timestamp.yml deleted file mode 100644 index c0a9f1e3..00000000 --- a/.github/workflows/reuseable-snapshot-timestamp.yml +++ /dev/null 
@@ -1,234 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Snapshot and Timestamp Template - -# Reusable workflow that runs snapshot and timestamp on directories. -# TODO(asraa): Create user workflows for repository-beta/, and ceremony/ flows. -on: - workflow_call: - secrets: - token: - description: > - Optional token. - This argument is passed, unchanged, to the job that creates the pull request. - required: false - inputs: - snapshot_key: - description: 'Sets the snapshotting key reference' - required: false - type: string - timestamp_key: - description: 'Sets the timestamping key reference' - required: true - type: string - branch: - description: 'The branch where the staged repository is, e.g. ceremony/2022-10-18' - required: true - type: string - repo: - description: 'Sets the repository to perform the operation on: expects relative path to GitHub repository, for example: repository' - required: false - default: repository - type: string - provider: - description: 'Sets the workflow identity provider' - required: true - type: string - service_account: - description: 'Sets the GitHub service account authorized for keys' - required: true - type: string - snapshot_timestamp: - description: 'Enables snapshot/timestamp step. During ceremonies, you may flip this to false to allow for just a publish step.' 
- required: false - default: true - type: boolean - disable_snapshot: - description: 'Disables snapshot and only generates timestamp.' - required: false - default: false - type: boolean - publish: - description: 'Enables publishing step. During ceremonies, you may flip this to false to allow for reviewing changes before publishing.' - required: false - default: true - type: boolean - -jobs: - snapshot_and_timestamp: - runs-on: ubuntu-latest - permissions: - id-token: 'write' - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - ref: ${{ inputs.branch }} - - name: setup - run: | - echo "GITHUB_USER=${{ github.actor }}" >> $GITHUB_ENV - echo "REPO=$(pwd)/${{ inputs.repo }}" >> $GITHUB_ENV - echo "SNAPSHOT_KEY=${{ inputs.snapshot_key }}" >> $GITHUB_ENV - echo "TIMESTAMP_KEY=${{ inputs.timestamp_key }}" >> $GITHUB_ENV - echo "BRANCH=${{ inputs.branch }}" >> $GITHUB_ENV - # Note: we set LOCAL=1 because we manually push the changes in the next job. 
- echo "LOCAL=1" >> $GITHUB_ENV - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - # Setup OIDC->SA auth - - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 - id: auth - with: - token_format: 'access_token' - workload_identity_provider: ${{ inputs.provider }} - service_account: ${{ inputs.service_account }} - create_credentials_file: true - - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - # Note: This needs to be parameterized if the KMS keys are in a different project - project_id: sigstore-root-signing - - name: Login - run: | - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list - - # Build binary - - name: build - run: | - sudo apt-get install libpcsclite-dev - go build -o tuf -tags=pivkey ./cmd/tuf/ - - - name: setup timestamping - if: ${{ inputs.disable_snapshot }} - run: | - echo "DISABLE_SNAPSHOT=1" >> $GITHUB_ENV - - # Snapshot and timestamp - - name: snapshot and timestamp - if: ${{ inputs.snapshot_timestamp }} - run: | - ./scripts/step-3.sh - - # Publish - - name: publish - if: ${{ inputs.publish }} - run: | - ./scripts/step-4.sh - - - name: get patch - run: | - # Setting git config is only needed to create the patch to download in the next step. - git config user.name "GitHub Actions Bot" - git config user.email "<>" - # Commit and create patch - git add . 
- git commit -m "snapshot and timestamp" - git format-patch HEAD^ -o snapshot-timestamp - - - name: Upload snapshot and timestamp - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 - with: - name: snapshot-timestamp - path: snapshot-timestamp - retention-days: 5 - - if-failed: - runs-on: ubuntu-latest - needs: [snapshot_and_timestamp] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.snapshot_and_timestamp.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true - - if-pass: - runs-on: ubuntu-latest - needs: [snapshot_and_timestamp] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.snapshot_and_timestamp.result == 'success' - steps: - - name: Close issue if one is open - uses: sigstore/sigstore-probers/.github/actions/close-workflow-issue@main - - push: - needs: snapshot_and_timestamp - runs-on: ubuntu-latest - permissions: - pull-requests: 'write' - contents: 'write' - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - ref: ${{ inputs.branch }} - - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: snapshot-timestamp - path: snapshot-timestamp - - run: | - git checkout -b update-snapshot-timestamp - git apply --verbose snapshot-timestamp/* - rm -r snapshot-timestamp - git add ${{ inputs.repo }} - git config --global user.email "noreply@github.com" - git config --global user.name "GitHub" - - # Open pull request changes - - name: create pull request for no snapshot - if: ${{ inputs.disable_snapshot }} - run: | - git commit -s -m "Update timestamp" - git push origin update-snapshot-timestamp - GH_TOKEN=${{ secrets.token || secrets.GITHUB_TOKEN }} gh pr create -B ${{ inputs.branch }} -H update-snapshot-timestamp -t "Update Timestamp" -b "Sign 
timestamp file" -r bobcallaway -r haydentherapper -r kommendorkapten - - - name: create pull request for timestamp/snapshot - if: ${{ !inputs.disable_snapshot }} - run: | - git commit -s -m "Update snapshot and timestamp" - git push origin update-snapshot-timestamp - GH_TOKEN=${{ secrets.token || secrets.GITHUB_TOKEN }} gh pr create -B ${{ inputs.branch }} -H update-snapshot-timestamp -t "Update Snapshot and Timestamp" -b "Sign snapshot and timestamp files" -r bobcallaway -r haydentherapper -r kommendorkapten - - if-push-failed: - runs-on: ubuntu-latest - needs: [push] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.push.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true - - if-push-pass: - runs-on: ubuntu-latest - needs: [push] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.push.result == 'success' - steps: - - name: Close issue if one is open - uses: sigstore/sigstore-probers/.github/actions/close-workflow-issue@main diff --git a/.github/workflows/review-snapshot-timestamp.yml b/.github/workflows/review-snapshot-timestamp.yml deleted file mode 100644 index f5491882..00000000 --- a/.github/workflows/review-snapshot-timestamp.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Review Snapshot and Timestamp - -permissions: read-all - -on: - # Enable cron for checking if a snapshot/timestamp PR needs review - # every 2 hours and attempts to merge. - schedule: - - cron: '30 */2 * * *' # every 2 hours - workflow_dispatch: - -jobs: - review: - runs-on: ubuntu-latest - permissions: - pull-requests: 'write' - contents: 'write' - env: - GITHUB_TOKEN: ${{ secrets.SIGSTORE_REVIEW_BOT_FINE_GRAINED_PAT }} - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - run: | - set -euo pipefail - ./.github/workflows/scripts/review-pull-request.sh diff --git a/.github/workflows/scripts/dpop-wrapper.sh b/.github/workflows/scripts/dpop-wrapper.sh deleted file mode 100755 index bbd18492..00000000 --- a/.github/workflows/scripts/dpop-wrapper.sh +++ /dev/null 
@@ -1,28 +0,0 @@ -#!/usr/bin/env bash -# -# Copyright 2023 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -euo pipefail - -# -# This is just a thin wrapper that takes on the input from a pull request -# and parses out the name of the delegation and the signature. -# It then calls the real script which will invoke the actual verification. -# -TITLE=$1 - -DELEGATION=$(echo "${TITLE}" | sed -E 's/(.+) for (.+)/\2/') -OUTPUT=$(mktemp) -./scripts/dpop-verify.sh "${DELEGATION}" 2>&1 | tee "${OUTPUT}" diff --git a/.github/workflows/scripts/e2e-utils.sh b/.github/workflows/scripts/e2e-utils.sh deleted file mode 100644 index 07ba66be..00000000 --- a/.github/workflows/scripts/e2e-utils.sh +++ /dev/null 
@@ -1,38 +0,0 @@ -#!/usr/bin/env bash -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Gets the name of the currently running workflow file. -# Note: this requires GITHUB_TOKEN to be set in the workflows. -this_file() { - gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3 -} - -# File is BODY in current directory. -create_issue_body() { - RUN_DATE=$(date --utc) - - # see https://docs.github.com/en/actions/learn-github-actions/environment-variables - # https://docs.github.com/en/actions/learn-github-actions/contexts. - cat <BODY -Repo: https://github.com/$GITHUB_REPOSITORY/tree/$GITHUB_REF_NAME -Run: https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID -Workflow file: https://github.com/$GITHUB_REPOSITORY/tree/main/.github/workflows/$THIS_FILE -Workflow runs: https://github.com/$GITHUB_REPOSITORY/actions/workflows/$THIS_FILE -Trigger: $GITHUB_EVENT_NAME -Branch: $GITHUB_REF_NAME -Date: $RUN_DATE -EOF -} \ No newline at end of file diff --git a/.github/workflows/scripts/review-pull-request.sh b/.github/workflows/scripts/review-pull-request.sh deleted file mode 100755 index 241e7845..00000000 --- a/.github/workflows/scripts/review-pull-request.sh +++ /dev/null 
@@ -1,70 +0,0 @@ -#!/usr/bin/env bash -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -o errexit -set -o nounset -set -o pipefail - -# Gets the open snapshot/timestamp update pull requests of the repository -timestamp_update() { - gh api -H "Accept: application/vnd.github.v3+json" "/repos/${GITHUB_REPOSITORY}/pulls?head=sigstore:update-snapshot-timestamp" | jq '.[0]' | jq 'select (.!=null)' -} - -UPDATE_PR=$(timestamp_update) -if [[ -n "${UPDATE_PR}" ]]; then - PULL_NUMBER=$(echo "${UPDATE_PR}" | jq -r '.number') - TITLE=$(echo "${UPDATE_PR}" | jq -r '.title') - echo "pull request found: " - echo "${PULL_NUMBER}" - echo "${TITLE}" - - # Approve PR - curl \ - -o review_output.json \ - -X POST \ - -H "Accept: application/vnd.github+json" \ - -H "Authorization: Bearer ${GITHUB_TOKEN}" \ - https://api.github.com/repos/"${GITHUB_REPOSITORY}"/pulls/"${PULL_NUMBER}"/reviews - - echo "review: " - cat review_output.json - - # TODO: Use gh pr review PR_NUMBER --approve - REVIEW_ID=$(jq -r '.id' review_output.json) - GH_TOKEN=$GITHUB_TOKEN gh api \ - --method POST \ - -H "Accept: application/vnd.github+json" \ - /repos/"${GITHUB_REPOSITORY}"/pulls/"${PULL_NUMBER}"/reviews/"${REVIEW_ID}"/events \ - -f event='APPROVE' - - # Get login for DCO - GH_TOKEN="${GITHUB_TOKEN}" gh api \ - -H "Accept: application/vnd.github+json" \ - /user > login.json - - LOGIN=$(jq -r '.login' login.json) - # Attempt to merge PR - 
GH_TOKEN="${GITHUB_TOKEN}" gh api \ - --method PUT \ - -H "Accept: application/vnd.github+json" \ - /repos/"${GITHUB_REPOSITORY}"/pulls/"${PULL_NUMBER}"/merge \ - -f commit_title="${TITLE} (#${PULL_NUMBER})" \ - -f commit_message="Signed-off-by: ${LOGIN} <${LOGIN}@users.noreply.github.com>" \ - -f merge_method='merge' - -else - echo "No open snapshot/timestamp pull request found" -fi diff --git a/.github/workflows/signing-event.yml b/.github/workflows/signing-event.yml index b5d9615c..b451408e 100644 --- a/.github/workflows/signing-event.yml +++ b/.github/workflows/signing-event.yml @@ -19,6 +19,6 @@ jobs: steps: - name: Signing event - uses: theupdateframework/tuf-on-ci/actions/signing-event@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0 + uses: theupdateframework/tuf-on-ci/actions/signing-event@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0 with: token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/stable-snapshot-timestamp.yml b/.github/workflows/stable-snapshot-timestamp.yml deleted file mode 100644 index 4f765680..00000000 --- a/.github/workflows/stable-snapshot-timestamp.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Stable Snapshot and Timestamp - -permissions: read-all - -# Execute this as a weekly cron job and on changes to repository/ -# when new published metadata is submitted. -on: - # Enable cron for re-signing snapshot and timestamp every week - schedule: - - cron: '0 16 * * 2' # every Tuesday at 9am PST - # When a new root is staged - push: - branches: - - main - paths: - - 'repository/staged/root.json' - workflow_dispatch: - inputs: - dry_run: - type: boolean - default: false - description: Does not trigger job, but checks on whether the job should run. - force_snapshot: - description: 'Whether to force a snapshot. Useful if workflow is within 5 days of a ceremony' - required: false - default: false - type: boolean - -jobs: - check: - # This job checks whether snapshot/timestamp should run. - runs-on: ubuntu-latest - outputs: - block_snapshot: ${{ steps.check.outputs.block_snapshot }} - env: - FORCE_SNAPSHOT: ${{ inputs.force_snapshot }} - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: Determine whether to run a snapshot/timestamp - id: check - shell: bash - run: | - set -euo pipefail - - BRANCHES=$(git for-each-ref --format='%(refname:short)' | grep origin/ceremony/) - echo "${BRANCHES}" - # Check whether a ceremony was initiated within a week of the current date. 
- echo "block_snapshot=false" >> "${GITHUB_OUTPUT}" - - # If we force a snapshot, exit early. - if [[ "${FORCE_SNAPSHOT}" ]]; then - exit - fi - - ceremonyRegex="origin/ceremony/[0-9]{4}-[0-9]{2}-[0-9]{2}$" - for branch in ${BRANCHES} - do - if [[ "$branch" =~ ${ceremonyRegex} ]]; then - echo "found ceremony branch $branch" - branch_date=$(echo "${branch}" | cut -d '/' -f3) - days_diff=$(( ($(date -d "00:00" +%s) - $(date -d "${branch_date}" +%s)) / (24*3600) )) - if [[ "$days_diff" -lt 2 ]]; then - # Detected ceremony within 2 days of current date - echo "detected ceremony branch $branch within 2 days, stopping automated cron" - echo "block_snapshot=true" >> "${GITHUB_OUTPUT}" - fi - fi - done - - run_snapshot_timestamp_publish: - needs: check - if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing' && needs.check.outputs.block_snapshot == 'false') || (github.event_name != 'schedule' && inputs.dry_run == false) # Don't run workflow in forks on cron - permissions: - id-token: 'write' - issues: 'write' - pull-requests: 'write' - contents: 'write' - actions: 'read' - uses: sigstore/root-signing/.github/workflows/reuseable-snapshot-timestamp.yml@main - with: - snapshot_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/snapshot' - timestamp_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp' - repo: 'repository/' - branch: main - provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com' - secrets: - token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} diff --git a/.github/workflows/stable-timestamp.yml b/.github/workflows/stable-timestamp.yml deleted file mode 100644 index fd5f643c..00000000 --- a/.github/workflows/stable-timestamp.yml +++ /dev/null 
@@ -1,99 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Stable Timestamp - -permissions: read-all - -# Execute this as a once a week cron job (in addition to stable-snapshot-timestamp) -on: - # Enable cron for re-signing timestamp every week. Timestamp is also - # regenerated in stable-snapshot-timestamp.yml - schedule: - - cron: '0 16 * * 5' # every Friday at 9am PST - workflow_dispatch: - inputs: - dry_run: - type: boolean - default: false - description: Does not trigger job, but checks on whether the job should run. - force_timestamp: - description: 'Whether to force a timestamp. Useful if workflow is within 5 days of a ceremony' - required: false - default: false - type: boolean - -jobs: - check: - # This job checks whether timestamp should run. - runs-on: ubuntu-latest - outputs: - block_timestamp: ${{ steps.check.outputs.block_timestamp }} - env: - FORCE_TIMESTAMP: ${{ inputs.force_timestamp }} - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: Determine whether to create a timestamp - id: check - shell: bash - run: | - set -euo pipefail - - BRANCHES=$(git for-each-ref --format='%(refname:short)' | grep origin/ceremony/) - echo "${BRANCHES}" - # Check whether a ceremony was initiated within a week of the current date. - echo "block_timestamp=false" >> "${GITHUB_OUTPUT}" - - # If we force a timestamp, exit early. 
- if [[ "${FORCE_TIMESTAMP}" ]]; then - exit - fi - - ceremonyRegex="origin/ceremony/[0-9]{4}-[0-9]{2}-[0-9]{2}$" - for branch in ${BRANCHES} - do - if [[ "$branch" =~ ${ceremonyRegex} ]]; then - echo "found ceremony branch $branch" - branch_date=$(echo "${branch}" | cut -d '/' -f3) - days_diff=$(( ($(date -d "00:00" +%s) - $(date -d "${branch_date}" +%s)) / (24*3600) )) - if [[ "$days_diff" -lt 2 ]]; then - # Detected ceremony within 2 days of current date - echo "detected ceremony branch $branch within 2 days, stopping automated cron" - echo "block_timestamp=true" >> "${GITHUB_OUTPUT}" - fi - fi - done - - run_timestamp_publish: - needs: check - if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing' && needs.check.outputs.block_timestamp == 'false') || (github.event_name != 'schedule' && inputs.dry_run == false) # Don't run workflow in forks on cron - permissions: - id-token: 'write' - issues: 'write' - pull-requests: 'write' - contents: 'write' - actions: 'read' - uses: sigstore/root-signing/.github/workflows/reuseable-snapshot-timestamp.yml@main - with: - timestamp_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp' - repo: 'repository/' - branch: main - provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com' - disable_snapshot: true - secrets: - token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} diff --git a/.github/workflows/staging-snapshot-timestamp.yml b/.github/workflows/staging-snapshot-timestamp.yml deleted file mode 100644 index 55509c54..00000000 --- a/.github/workflows/staging-snapshot-timestamp.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Staging Snapshot and Timestamp - -permissions: read-all - -on: - workflow_dispatch: - inputs: - branch: - description: 'The branch where the staged repository is, e.g. ceremony/2022-10-18' - required: true - type: string - -jobs: - run_snapshot_timestamp_publish: - permissions: - id-token: 'write' - issues: 'write' - pull-requests: 'write' - contents: 'write' - actions: 'read' - uses: sigstore/root-signing/.github/workflows/reuseable-snapshot-timestamp.yml@main - with: - snapshot_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/snapshot' - timestamp_key: 'gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp' - branch: ${{ inputs.branch }} - provider: 'projects/163070369698/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'github-actions@sigstore-root-signing.iam.gserviceaccount.com' - secrets: - token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} diff --git a/.github/workflows/sync-ceremony-to-main.yml b/.github/workflows/sync-ceremony-to-main.yml deleted file mode 100644 index b239d860..00000000 --- a/.github/workflows/sync-ceremony-to-main.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -# -# Copyright 2023 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This workflow is triggered when a ceremony branch is completed, -# creating a PR that merges the completed ceremony branch to main - -name: Sync Published Ceremony Branch to Main and Preprod - -# Declare default permissions as none. -permissions: {} - -on: - workflow_dispatch: - inputs: - branch: - description: 'The branch to sync to main, generally ceremony/YYYY-MM-DD' - required: true - type: string - push: - # When any published repository metadata is changed on a ceremony/** - # branch. - branches: - - ceremony/** - paths: - - 'repository/repository/**' - -jobs: - push: - if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing') || (github.event_name != 'schedule') # Don't run workflow in forks on cron - permissions: - pull-requests: 'write' - contents: 'write' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - ref: ${{ github.event.repository.default_branch }} - - - name: create pull request - uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 # v2.12.1 - with: - github_token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }} - # Use the input branch on workflow_dispatch, or the triggering branch on push to a ceremony/** branch. 
- source_branch: ${{ inputs.branch || github.ref_name }} - destination_branch: ${{ github.event.repository.default_branch }} - pr_title: "Merge ceremony branch ${{ inputs.branch || github.ref_name }} into ${{ github.event.repository.default_branch }}" - pr_body: "Merge ceremony branch to main" - pr_reviewer: bobcallaway,haydentherapper,joshuagl,kommendorkapten - - if-failed: - runs-on: ubuntu-latest - needs: [push] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.sync.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true diff --git a/.github/workflows/sync-main-to-preprod-and-prod.yml b/.github/workflows/sync-main-to-preprod-and-prod.yml deleted file mode 100644 index 5b4c680c..00000000 --- a/.github/workflows/sync-main-to-preprod-and-prod.yml +++ /dev/null 
@@ -1,144 +0,0 @@ -# -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This sync will execute when any combination of the following files, -# and no other files, are changed on the main branch: -# - timestamp.json -# - snapshot.json -# - [0-9]+.snapshot.json -# Under this condition, all files from the repository/repository directory -# on the main branch will sync to both preprod and prod. - -name: Sync Repository Main Branch with both GCS Preprod and Prod Buckets - -on: - push: - branches: - - main - paths: - # When timestamp or snapshot files are changed. - # Note: the sync job below uses a diff to ensure ONLY these files are changed - # prior to syncing. 
- - 'repository/repository/timestamp.json' - - 'repository/repository/snapshot.json' - - 'repository/repository/[0-9]+.snapshot.json' - workflow_dispatch: - -jobs: - sync: - runs-on: ubuntu-latest - permissions: - id-token: 'write' - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - # Setup OIDC->SA auth - - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 - id: auth - with: - token_format: 'access_token' - workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'tuf-gha@project-rekor.iam.gserviceaccount.com' - create_credentials_file: true - - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: project-rekor - - name: Login - run: | - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list - - name: check-updated-files - id: check-updated-files - run: | - # Checks whether a filename matches timestamp.json, snapshot.json, or [0-9]+.snapshot.json. If not, - # this workflow will exit as we only want to run it when ONLY these files are changed. - # TODO it may be good to check whether the [0-9]+.snapshot.json is the next one chronologically - check_filename() { - if [[ $1 != "timestamp.json" && $1 != "snapshot.json" && !($1 =~ ^[0-9]+\.snapshot.json$) ]]; then - echo "Sync main to preprod and prod workflow: Files other than timestamp and snapshot were updated in main branch, including file: $1. Not syncing, exiting." - echo "abort=true" >> $GITHUB_OUTPUT - fi; - } - # Diff main and prod to determine whether ONLY the timestamp and snapshot files have changed in main. 
- # If other files have also changed, exit - in this case, the sync should be to preprod only. - # NOTE other non-timestamp/snapshot changes should only occur during a ceremony, and - # will go through the sync-ceremony-* flow that hits main and preprod. This means there should never - # be changed files in prod that have not also hit the main branch. - # NOTE We deliberately diff only with prod to avoid a scenario in which the ceremony branch's sync to - # main and preprod kicks off this workflow, in which case the lack of diff between main and preprod - # could trigger this workflow to auto sync to prod. - # - # TODO this does not check whether the updates are in main or in prod, only that files differ. We could - # make this more exact later to check that the updates are in main (anything else is unexpected). - diff -qr repository/repository sigstore-tuf-root | grep -Po '([0-9\.]*\w+[\.\w+]*(?= differ))|((Only in \w+\: )\K(.*))' | while read l; do check_filename $l; done - - name: sync - id: sync - if: ${{ steps.check-updated-files.outputs.abort != 'true' }} - run: | - check_expiration() { - expiry=$(jq -r '.signed.expires' $1) - expires=$(date -d $expiry +%s) - current=$(date +%s) - if (( expires < current )); then - echo "Detected expired metadata file $1 at $expiry!" - exit 1 - fi; - } - - # Download bucket metadata - gcloud --quiet storage cp -r gs://sigstore-tuf-root/ . - - # Upload all but TUF timestamp. Once timestamp is uploaded, all other files must have been uploaded. - for f in $(ls repository/repository/ -I *timestamp.json) - do - # Check for expiration if this is a non-versioned metadata file. - # Versioned metadata like 1.root.json may be expired. - # TODO(asraa): When consistent snapshots are enabled, this logic must be changed so that - # only old versioned metadata can be expired. 
- if [[ $f == [^0-9]*.json ]]; then - check_expiration repository/repository/$f - fi; - - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/$f gs://sigstore-preprod-tuf-root/ - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/$f gs://sigstore-tuf-root/ - done - - # Upload timestamp after checking latest timestamp expiration - check_expiration repository/repository/timestamp.json - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/*timestamp.json gs://sigstore-preprod-tuf-root/ - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/*timestamp.json gs://sigstore-tuf-root/ - - # NOTE as this workflow runs only when timestamp or snapshot files are added or updated, there should not - # be a scenario where files that are removed from main must be synced to (removed from) preprod/prod. - gcloud compute url-maps invalidate-cdn-cache tuf-preprod-repo-cdn-lb --path "/*" --async - gcloud compute url-maps invalidate-cdn-cache tuf-repo-cdn-lb --path "/*" --async - - if-failed: - runs-on: ubuntu-latest - needs: [sync] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.sync.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true diff --git a/.github/workflows/sync-main-to-preprod.yml b/.github/workflows/sync-main-to-preprod.yml deleted file mode 100644 index 4c3be18e..00000000 --- a/.github/workflows/sync-main-to-preprod.yml +++ /dev/null 
@@ -1,109 +0,0 @@ -# -# Copyright 2024 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This workflow is triggered a root signing completes and is merged -# into main, syncing the repository to the GCS preprod bucket - -name: Sync Published Root Signing to Preprod - -# Declare default permissions as none. -permissions: {} - -on: - workflow_dispatch: - push: - # When a root signing ceremony completes - branches: - - main - paths: - - 'repository/repository/root.json' - -jobs: - sync: - permissions: - id-token: 'write' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: './go.mod' - check-latest: true - # Setup OIDC->SA auth - - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 - id: auth - with: - token_format: 'access_token' - workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'tuf-gha@project-rekor.iam.gserviceaccount.com' - create_credentials_file: true - - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: project-rekor - - name: Login - run: | - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list 
- # sync - - name: sync - run: | - check_expiration() { - expiry=$(jq -r '.signed.expires' $1) - expires=$(date -d $expiry +%s) - current=$(date +%s) - if (( expires < current )); then - echo "Detected expired metadata file $1 at $expiry!" - exit 1 - fi; - } - # Upload all but TUF timestamp. Once timestamp is uploaded, all other files must have been uploaded. - for f in $(ls repository/repository/ -I *timestamp.json) - do - # Check for expiration if this is a non-versioned metadata file. - # Versioned metadata like 1.root.json may be expired. - # TODO(asraa): When consistent snapshots are enabled, this logic must be changed so that - # only old versioned metadata can be expired. - if [[ $f == [^0-9]*.json ]]; then - check_expiration repository/repository/$f - fi; - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/$f gs://sigstore-preprod-tuf-root/ - done - # Upload timestamp after checking latest timestamp expiration - check_expiration repository/repository/timestamp.json - gcloud --quiet storage cp --cache-control=no-store -r repository/repository/*timestamp.json gs://sigstore-preprod-tuf-root/ - # delete any files present in sigstore-preprod-tuf-root not in repository/repository - gcloud --quiet storage cp -r gs://sigstore-preprod-tuf-root/ . 
- diff -qr repository/repository sigstore-preprod-tuf-root | while read l; do - if [[ $l =~ "Only in sigstore-preprod-tuf-root" ]]; then - path=$(python3 -c "import re; s='$l'; pattern=r'^Only in sigstore-preprod-tuf-root(\/?)(.*): (.*)$'; match=re.search(pattern, s); print('/'.join([match.group(2), match.group(3)]).lstrip('/'))") - gcloud --quiet storage rm gs://sigstore-preprod-tuf-root/$path - fi; - done - gcloud compute url-maps invalidate-cdn-cache tuf-preprod-repo-cdn-lb --path "/*" --async - - if-failed: - runs-on: ubuntu-latest - needs: [sync] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.sync.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true diff --git a/.github/workflows/sync-preprod-to-prod.yml b/.github/workflows/sync-preprod-to-prod.yml deleted file mode 100644 index 5cfe94a0..00000000 --- a/.github/workflows/sync-preprod-to-prod.yml +++ /dev/null 
@@ -1,79 +0,0 @@ -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Sync Preprod Repository with GCS Prod Bucket - -on: - workflow_dispatch: - -jobs: - sync: - if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing') || (github.event_name != 'schedule') # Don't run workflow in forks on cron - runs-on: ubuntu-latest - permissions: - id-token: 'write' - steps: - # Setup OIDC->SA auth - - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 - id: auth - with: - token_format: 'access_token' - workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' - service_account: 'tuf-gha@project-rekor.iam.gserviceaccount.com' - create_credentials_file: true - - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: project-rekor - - name: login - run: | - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list - - - name: sync - run: | - # download preprod bucket and copy over to production bucket - gcloud --quiet storage cp -r gs://sigstore-preprod-tuf-root/ . - - # upload all but TUF timestamp. Once timestamp is uploaded, all other files must have been uploaded. 
- for f in $(ls sigstore-preprod-tuf-root/ -I *timestamp.json) - do - gcloud --quiet storage cp --cache-control=no-store -r sigstore-preprod-tuf-root/$f gs://sigstore-tuf-root/ - done - # upload timestamp - gcloud --quiet storage cp --cache-control=no-store -r sigstore-preprod-tuf-root/*timestamp.json gs://sigstore-tuf-root/ - - # delete any files present in sigstore-tuf-root not in sigstore-preprod-tuf-root - gcloud --quiet storage cp -r gs://sigstore-tuf-root/ . - - diff -qr sigstore-preprod-tuf-root sigstore-tuf-root | while read l; do - if [[ $l =~ "Only in sigstore-tuf-root" ]]; then - path=$(python3 -c "import re; s='$l'; pattern=r'^Only in sigstore-tuf-root(\/?)(.*): (.*)$'; match=re.search(pattern, s); print('/'.join([match.group(2), match.group(3)]).lstrip('/'))") - gcloud --quiet storage rm gs://sigstore-tuf-root/$path - fi; - done - gcloud compute url-maps invalidate-cdn-cache tuf-repo-cdn-lb --path "/*" --async - - if-failed: - runs-on: ubuntu-latest - needs: [sync] - permissions: - issues: 'write' - actions: 'read' - if: always() && needs.sync.result == 'failure' - steps: - - name: Open issue or add comment on failure - uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main - with: - comment_for_each_failure: true
diff --git a/.github/workflows/test-gcs.yml b/.github/workflows/test-gcs.yml
index 4c1d7a08..c045d08f 100644
--- a/.github/workflows/test-gcs.yml
+++ b/.github/workflows/test-gcs.yml
@@ -3,9 +3,8 @@ name: root-signing GCS repository tests
on:
workflow_call:
workflow_dispatch:
- # disabled during migration
- #schedule:
- # - cron: '17 4,10,16,22 * * *'
+ schedule:
+ - cron: '17 4,10,16,22 * * *'
permissions: {}
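Review bot: The re-enabled `schedule` trigger in this hunk carries no repository guard, so any fork that keeps this file will also run the GCS smoke test and the issue-updating job every six hours; the workflows deleted elsewhere in this commit guarded their cron runs with `github.repository == 'sigstore/root-signing'`. The `jobs:` section is outside the hunk, so if the jobs do not already carry such a condition, consider adding `if: github.event_name != 'schedule' || github.repository == 'sigstore/root-signing'` to them, which leaves the `workflow_call` and `workflow_dispatch` paths unchanged. The same applies to the matching `schedule` hunk in .github/workflows/test.yml.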
@@ -19,7 +18,7 @@ jobs:
run: cp metadata/root_history/5.root.json ./root.json
- name: Smoke test Sigstore TUF repository with a TUF client
- uses: theupdateframework/tuf-on-ci/actions/test-repository@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/test-repository@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
with:
metadata_url: https://tuf-repo-cdn.sigstore.dev/
valid_days: 3
@@ -41,7 +40,7 @@ jobs:
issues: 'write' # for modifying Issues
steps:
- name: Update the issue for the workflow
- uses: theupdateframework/tuf-on-ci/actions/update-issue@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
with:
token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 950da4ff..67f1792f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -3,9 +3,8 @@ name: TUF-on-CI repository tests
on:
workflow_call:
workflow_dispatch:
- # disabled during migration
- #schedule:
- # - cron: '17 4,10,16,22 * * *'
+ schedule:
+ - cron: '17 4,10,16,22 * * *'
permissions: {}
@@ -19,7 +18,7 @@ jobs:
run: cp metadata/root_history/5.root.json ./root.json
- name: Smoke test TUF-on-CI repository with a TUF client
- uses: theupdateframework/tuf-on-ci/actions/test-repository@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/test-repository@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
with:
metadata_url: https://sigstore.github.io/root-signing/
update_base_url: https://tuf-repo-cdn.sigstore.dev/
@@ -42,7 +41,7 @@ jobs:
issues: 'write' # for modifying Issues
steps:
- name: Update the issue for the workflow
- uses: theupdateframework/tuf-on-ci/actions/update-issue@89d2dad3c8b626dde7a9e65b036ca35d11ab8b2a # v0.12.0
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@27c49c016591c7cfea57f6b15296f714a5c4a5f6 # v0.13.0
with:
token: ${{ secrets.TUF_ON_CI_TOKEN || secrets.GITHUB_TOKEN }}
success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/tuf_client_tests.yml b/.github/workflows/tuf_client_tests.yml
deleted file mode 100644
index 88f1fc95..00000000
--- a/.github/workflows/tuf_client_tests.yml
+++ /dev/null
@@ -1,100 +0,0 @@
-#
-# Copyright 2022 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: TUF Client tests
-
-on:
- workflow_dispatch:
- push:
- paths:
- - 'repository/**'
- pull_request:
-
-jobs:
- client:
- runs-on: ubuntu-latest
- steps:
- # Set up a repository server with python
- - uses: actions/setup-python@v5
- with:
- python-version: '3.x'
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- fetch-depth: 2
- - run: |
- cd repository/repository/
- python -m http.server 8001 &
- echo "REPO=http://localhost:8001" >> $GITHUB_ENV
- # Test with go-tuf client
- - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
- with:
- go-version-file: './go.mod'
- check-latest: true
- - run: |
- go install github.com/theupdateframework/go-tuf/cmd/tuf-client@v0.7.0
- - run: |
- # Only 5.root.json is compatible with new versions of go-tuf
- if [ -f repository/repository/5.root.json ]; then
- tuf-client init http://localhost:8001 repository/repository/5.root.json
- tuf-client list http://localhost:8001
- fi
- # Verify with a go-tuf client that can understand deprecated keys
- go run ./tests/client-tests init http://localhost:8001 repository/repository/1.root.json
- go run ./tests/client-tests list http://localhost:8001
- # Test with rust client
- - name: Configure cargo cache
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
- with:
- path: |
- /tmp/tuftool-target
- 
~/.cargo/registry/index/
- ~/.cargo/registry/cache/
- ~/.cargo/git/db/
- key: ${{ runner.os }}-cargo-tuftool
- - name: Install tuftool
- run: |
- # use the latest version
- cargo install tuftool \
- --target-dir /tmp/tuftool-target
- - run: |
- tuftool download out \
- --root repository/repository/2.root.json \
- -t http://localhost:8001/targets \
- -m http://localhost:8001
- # Test with python-tuf ngclient
- - run: |
- python3 -m pip install securesystemslib[crypto,pynacl] "tuf>=4.0.0"
- python3 tests/client-tests/python-tuf.py
-
- jsclient:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - name: Setup node
- uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
- with:
- node-version: 20
- - name: Install tufjs/cli
- run: npm install -g @tufjs/cli
- - run: |
- cd repository/repository/
- python -m http.server 8001 &
- - name: Download and verify root
- run: |
- tuf download \
- --metadata-base-url http://localhost:8001 \
- --root repository/repository/5.root.json \
- --target-name trusted_root.json
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
deleted file mode 100644
index e05144db..00000000
--- a/.github/workflows/validate.yml
+++ /dev/null
@@ -1,62 +0,0 @@
-#
-# Copyright 2021 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: CI Validate
-
-on:
- push:
- paths:
- - 'ceremony/**'
- - 'repository/**'
- pull_request:
-
-jobs:
- validate:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- fetch-depth: 2
- - run: |
- echo "REPO=$(pwd)/repository" >> $GITHUB_ENV
- echo "CDN_REPO=https://tuf-repo-cdn.sigstore.dev" >> $GITHUB_ENV
- echo "CDN_PREPROD_REPO=https://tuf-preprod-repo-cdn.sigstore.dev" >> $GITHUB_ENV
- - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
- with:
- go-version-file: './go.mod'
- check-latest: true
- - name: install deps
- run: |
- sudo apt-get install libpcsclite-dev
- curl -fsO https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem
- - name: build
- run: go build -o verify ./cmd/verify/
- - name: build
- run: go build -o tuf -tags=pivkey ./cmd/tuf
- - name: verify local published repository
- run: ./verify repository --repository $REPO --root $(pwd)/ceremony/2021-06-18/repository/root.json
- - name: verify CDN remote published repository
- run: ./verify repository --repository $CDN_REPO --root $(pwd)/ceremony/2021-06-18/repository/root.json
- - name: verify CDN preprod remote published repository
- run: ./verify repository --repository $CDN_PREPROD_REPO --root $(pwd)/ceremony/2021-06-18/repository/root.json
- - name: verify staged ceremony changes
- 
run: | - set -euo pipefail - export CHANGED=$(git diff --name-only HEAD^ HEAD ceremony/20* | grep ".*staged.*" | head -1) - echo "$CHANGED" - if [ -n "$CHANGED" ]; then - export REPO=$(echo "$CHANGED" | cut -d/ -f 1-2) - ./verify repository --repository "$REPO" --staged true - fi diff --git a/metadata/registry.npmjs.org.json b/metadata/registry.npmjs.org.json index 95385760..3cbdcb3b 100755 --- a/metadata/registry.npmjs.org.json +++ b/metadata/registry.npmjs.org.json @@ -1,17 +1,13 @@ { "signatures": [ { - "keyid": "3b60e337a003f0465d881e34051b1350f0041b931bd68d95ce2066c81d36de1b", - "sig": "3046022100af26e7c415a1d724ace269d9498a83daadde0b55f155a4c95b431764bab85b7b02210091f5ae0acfe832cd71ba8249d784208ea265f7d103f6a0c92f75aeb939b9be33" - }, - { - "keyid": "a89d235ee2f298d757438c7473b11b0b7b42ff1a45f1dfaac4c014183d6f8c45", - "sig": "3046022100af26e7c415a1d724ace269d9498a83daadde0b55f155a4c95b431764bab85b7b02210091f5ae0acfe832cd71ba8249d784208ea265f7d103f6a0c92f75aeb939b9be33" + "keyid": "5e3a4021b11a425fd0a444f1670457ce5b15bbe036144f2417426f7f4b9721da", + "sig": "3046022100a2137aaf3a0dbde3e858b5507cc60596379c859f37b4a4b60e7175497d862e9d022100b4feabf83b0b90973256f0c3dfab9d1ca8eedce2cf04a5f03cb06944604c8229" } ], "signed": { "_type": "targets", - "expires": "2024-09-12T06:13:15Z", + "expires": "2025-02-19T07:59:33Z", "spec_version": "1.0", "targets": { "registry.npmjs.org/keys.json": { @@ -22,6 +18,8 @@ "length": 1017 } }, - "version": 3 + "version": 4, + "x-tuf-on-ci-expiry-period": 182, + "x-tuf-on-ci-signing-period": 31 } } \ No newline at end of file diff --git a/metadata/root.json b/metadata/root.json index 7cca2eb1..3f18ee74 100755 --- a/metadata/root.json +++ b/metadata/root.json 
@@ -1,52 +1,52 @@ { "signatures": [ { - "keyid": "ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c", - "sig": "30450221008b78f894c3cfed3bd486379c4e0e0dfb3e7dd8cbc4d5598d2818eea1ba3c7550022029d3d06e89d04d37849985dc46c0e10dc5b1fc68dc70af1ec9910303a1f3ee2f" + "keyid": "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", + "sig": "30460221008ab1f6f17d4f9e6d7dcf1c88912b6b53cc10388644ae1f09bc37a082cd06003e022100e145ef4c7b782d4e8107b53437e669d0476892ce999903ae33d14448366996e7" }, { - "keyid": "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99", - "sig": "30450221009e6b90b935e09b837a90d4402eaa27d5ea26eb7891948ba0ed7090841248f436022003dc2251c4d4a7999b91e9ad0868765ae09ac7269279f2a7899bafef7a2d9260" + "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", + "sig": "3045022100c768b2f86da99569019c160a081da54ae36c34c0a3120d3cb69b53b7d113758e02204f671518f617b20d46537fae6c3b63bae8913f4f1962156105cc4f019ac35c6a" }, { - "keyid": "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f", - "sig": "30440220099e907dcf90b7b6e109fd1d6e442006fccbb48894aaaff47ab824b03fb35d0d02202aa0a06c21a4233f37900a48bc8777d3b47f59e3a38616ce631a04df57f96736" + "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", + "sig": "3045022100b4434e6995d368d23e74759acd0cb9013c83a5d3511f0f997ec54c456ae4350a022015b0e265d182d2b61dc74e155d98b3c3fbe564ba05286aa14c8df02c9b756516" }, { - "keyid": "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", - "sig": "30450221008b78f894c3cfed3bd486379c4e0e0dfb3e7dd8cbc4d5598d2818eea1ba3c7550022029d3d06e89d04d37849985dc46c0e10dc5b1fc68dc70af1ec9910303a1f3ee2f" + "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", + "sig": "304502210082c58411d989eb9f861410857d42381590ec9424dbdaa51e78ed13515431904e0220118185da6a6c2947131c17797e2bb7620ce26e5f301d1ceac5f2a7e58f9dcf2e" }, { - "keyid": 
"ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", - "sig": "30450221009e6b90b935e09b837a90d4402eaa27d5ea26eb7891948ba0ed7090841248f436022003dc2251c4d4a7999b91e9ad0868765ae09ac7269279f2a7899bafef7a2d9260" + "keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70", + "sig": "3046022100c78513854cae9c32eaa6b88e18912f48006c2757a258f917312caba75948eb9e022100d9e1b4ce0adfe9fd2e2148d7fa27a2f40ba1122bd69da7612d8d1776b013c91d" }, { - "keyid": "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", - "sig": "304502200e5613b901e0f3e08eceabddc73f98b50ddf892e998d0b369c6e3d451ac48875022100940cf92d1f43ee2e5cdbb22572bb52925ed3863a688f7ffdd4bd2e2e56f028b3" + "keyid": "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f", + "sig": "3045022056483a2d5d9ea9cec6e11eadfb33c484b614298faca15acf1c431b11ed7f734c022100d0c1d726af92a87e4e66459ca5adf38a05b44e1f94318423f954bae8bca5bb2e" }, { - "keyid": "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de", - "sig": "304502202cff44f2215d7a47b28b8f5f580c2cfbbd1bfcfcbbe78de323045b2c0badc5e9022100c743949eb3f4ea5a4b9ae27ac6eddea1f0ff9bfd004f8a9a9d18c6e4142b6e75" + "keyid": "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", + "sig": "3046022100d004de88024c32dc5653a9f4843cfc5215427048ad9600d2cf9c969e6edff3d2022100d9ebb798f5fc66af10899dece014a8628ccf3c5402cd4a4270207472f8f6e712" }, { - "keyid": "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", - "sig": "30440220099e907dcf90b7b6e109fd1d6e442006fccbb48894aaaff47ab824b03fb35d0d02202aa0a06c21a4233f37900a48bc8777d3b47f59e3a38616ce631a04df57f96736" + "keyid": "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", + "sig": "3046022100b7b09996c45ca2d4b05603e56baefa29718a0b71147cf8c6e66349baa61477df022100c4da80c717b4fa7bba0fd5c72da8a0499358b01358b2309f41d1456ea1e7e1d9" }, { - "keyid": "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f", - "sig": 
"304502202cff44f2215d7a47b28b8f5f580c2cfbbd1bfcfcbbe78de323045b2c0badc5e9022100c743949eb3f4ea5a4b9ae27ac6eddea1f0ff9bfd004f8a9a9d18c6e4142b6e75" + "keyid": "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", + "sig": "3046022100be9782c30744e411a82fa85b5138d601ce148bc19258aec64e7ec24478f38812022100caef63dcaf1a4b9a500d3bd0e3f164ec18f1b63d7a9460d9acab1066db0f016d" }, { - "keyid": "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b", - "sig": "304502200e5613b901e0f3e08eceabddc73f98b50ddf892e998d0b369c6e3d451ac48875022100940cf92d1f43ee2e5cdbb22572bb52925ed3863a688f7ffdd4bd2e2e56f028b3" + "keyid": "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", + "sig": "30450220746ec3f8534ce55531d0d01ff64964ef440d1e7d2c4c142409b8e9769f1ada6f022100e3b929fcd93ea18feaa0825887a7210489879a66780c07a83f4bd46e2f09ab3b" } ], "signed": { "_type": "root", "consistent_snapshot": true, - "expires": "2024-09-12T06:53:10Z", + "expires": "2025-02-19T08:04:32Z", "keys": { - "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849": { + "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06": { "keyid_hash_algorithms": [ "sha256", "sha512" 
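Review bot: The commit should state explicitly whether any root key material was rotated, because the five root/targets keyids all change (for example `1e1d65ce…` becomes `22f4caec…` at the end of this hunk) while the `keyval.public` values they map to appear as unchanged context in the `@@ -55,20`, `@@ -77,9` and `@@ -88,20` hunks, which looks like a keyid recomputation after adding `x-tuf-on-ci-keyowner` rather than a key rotation. The signature block does carry both the old keyids (`fdfa83a0…`, `e2f59acb…`, `3c344aa0…`, `ec816697…`, `1e1d65ce…`) and the new ones, ten signatures in total, which is what a v9 to v10 transition needs when the previous root's threshold of 3 must still be met. The `x-tuf-on-ci-keyowner` handles published here should be checked against the expected signer list before merge, since root.json is the trust anchor every client pins.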
@@ -55,20 +55,22 @@ "keyval": { "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzBzVOmHCPojMVLSI364WiiV8NPrD\n6IgRxVliskz/v+y3JER5mcVGcONliDcWMC5J2lfHmjPNPhb4H7xm8LzfSA==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256" + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@santiagotorres" }, - "230e212616274a4195cdc28e9fce782c20e6c720f1a811b40f98228376bdd3ac": { + "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222": { "keyid_hash_algorithms": [ "sha256", "sha512" ], "keytype": "ecdsa", "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF\n0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==\n-----END PUBLIC KEY-----\n" + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256" + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@bobcallaway" }, - "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e": { + "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3": { "keyid_hash_algorithms": [ "sha256", "sha512" @@ -77,9 +79,10 @@ "keyval": { "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256" + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@dlorenc" }, - "923bb39e60dd6fa2c31e6ea55473aa93b64dd4e53e16fbe42f6a207d3f97de2d": { + "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c": { "keyid_hash_algorithms": [ "sha256", "sha512" 
@@ -88,20 +91,22 @@ "keyval": { "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256" + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-online-uri": "gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp" }, - "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523": { + "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70": { "keyid_hash_algorithms": [ "sha256", "sha512" ], "keytype": "ecdsa", "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n" + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256" + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@joshuagl" }, - "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e": { + "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2": { "keyid_hash_algorithms": [ "sha256", "sha512" 
@@ -110,55 +115,51 @@ "keyval": { "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256" - }, - "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa", - "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n" - }, - "scheme": "ecdsa-sha2-nistp256" + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@mnm678" } }, "roles": { "root": { "keyids": [ - "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", - "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", - "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", - "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", - "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f" + "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", + "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", + "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", + "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", + "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70" ], "threshold": 3 }, "snapshot": { "keyids": [ - "230e212616274a4195cdc28e9fce782c20e6c720f1a811b40f98228376bdd3ac" + "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c" ], - "threshold": 1 + "threshold": 1, + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 365 }, "targets": { "keyids": [ - "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", - "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", - 
"1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", - "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", - "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f" + "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", + "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", + "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", + "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", + "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70" ], "threshold": 3 }, "timestamp": { "keyids": [ - "923bb39e60dd6fa2c31e6ea55473aa93b64dd4e53e16fbe42f6a207d3f97de2d" + "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c" ], - "threshold": 1 + "threshold": 1, + "x-tuf-on-ci-expiry-period": 7, + "x-tuf-on-ci-signing-period": 4 } }, "spec_version": "1.0", - "version": 9 + "version": 10, + "x-tuf-on-ci-expiry-period": 182, + "x-tuf-on-ci-signing-period": 31 } } \ No newline at end of file diff --git a/metadata/root_history/10.root.json b/metadata/root_history/10.root.json new file mode 100644 index 00000000..3f18ee74 --- /dev/null +++ b/metadata/root_history/10.root.json 
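Review bot: Collapsing the snapshot and timestamp roles onto the single online key `7247f0db…` (whose `x-tuf-on-ci-online-uri` ends in `/cryptoKeys/timestamp`) is a trust-boundary change that the commit description should call out: the removed role entries referenced distinct keys, `230e2126…` for snapshot and `923bb39e…` for timestamp, and the old snapshot key's public value is dropped from `keys` in the `@@ -55,20` hunk. Both roles keep `"threshold": 1`, so the loss or compromise of that one KMS key now affects both roles at once, and recovery means publishing a new root version; a short runbook note on that rotation path would be useful to land alongside this change. The rationale for `x-tuf-on-ci-expiry-period: 3650` (ten years) on snapshot against a 7-day timestamp also deserves a sentence, since freshness for snapshot then rests on the timestamp role alone.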
@@ -0,0 +1,165 @@ +{ + "signatures": [ + { + "keyid": "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", + "sig": "30460221008ab1f6f17d4f9e6d7dcf1c88912b6b53cc10388644ae1f09bc37a082cd06003e022100e145ef4c7b782d4e8107b53437e669d0476892ce999903ae33d14448366996e7" + }, + { + "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", + "sig": "3045022100c768b2f86da99569019c160a081da54ae36c34c0a3120d3cb69b53b7d113758e02204f671518f617b20d46537fae6c3b63bae8913f4f1962156105cc4f019ac35c6a" + }, + { + "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", + "sig": "3045022100b4434e6995d368d23e74759acd0cb9013c83a5d3511f0f997ec54c456ae4350a022015b0e265d182d2b61dc74e155d98b3c3fbe564ba05286aa14c8df02c9b756516" + }, + { + "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", + "sig": "304502210082c58411d989eb9f861410857d42381590ec9424dbdaa51e78ed13515431904e0220118185da6a6c2947131c17797e2bb7620ce26e5f301d1ceac5f2a7e58f9dcf2e" + }, + { + "keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70", + "sig": "3046022100c78513854cae9c32eaa6b88e18912f48006c2757a258f917312caba75948eb9e022100d9e1b4ce0adfe9fd2e2148d7fa27a2f40ba1122bd69da7612d8d1776b013c91d" + }, + { + "keyid": "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f", + "sig": "3045022056483a2d5d9ea9cec6e11eadfb33c484b614298faca15acf1c431b11ed7f734c022100d0c1d726af92a87e4e66459ca5adf38a05b44e1f94318423f954bae8bca5bb2e" + }, + { + "keyid": "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", + "sig": "3046022100d004de88024c32dc5653a9f4843cfc5215427048ad9600d2cf9c969e6edff3d2022100d9ebb798f5fc66af10899dece014a8628ccf3c5402cd4a4270207472f8f6e712" + }, + { + "keyid": "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", + "sig": "3046022100b7b09996c45ca2d4b05603e56baefa29718a0b71147cf8c6e66349baa61477df022100c4da80c717b4fa7bba0fd5c72da8a0499358b01358b2309f41d1456ea1e7e1d9" + }, + { + "keyid": 
"ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", + "sig": "3046022100be9782c30744e411a82fa85b5138d601ce148bc19258aec64e7ec24478f38812022100caef63dcaf1a4b9a500d3bd0e3f164ec18f1b63d7a9460d9acab1066db0f016d" + }, + { + "keyid": "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", + "sig": "30450220746ec3f8534ce55531d0d01ff64964ef440d1e7d2c4c142409b8e9769f1ada6f022100e3b929fcd93ea18feaa0825887a7210489879a66780c07a83f4bd46e2f09ab3b" + } + ], + "signed": { + "_type": "root", + "consistent_snapshot": true, + "expires": "2025-02-19T08:04:32Z", + "keys": { + "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06": { + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzBzVOmHCPojMVLSI364WiiV8NPrD\n6IgRxVliskz/v+y3JER5mcVGcONliDcWMC5J2lfHmjPNPhb4H7xm8LzfSA==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@santiagotorres" + }, + "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222": { + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@bobcallaway" + }, + "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3": { + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@dlorenc" + }, + 
"7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c": { + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-online-uri": "gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp" + }, + "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70": { + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@joshuagl" + }, + "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2": { + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-keyowner": "@mnm678" + } + }, + "roles": { + "root": { + "keyids": [ + "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", + "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", + "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", + "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", + "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70" + ], + "threshold": 3 + }, + "snapshot": { + "keyids": [ + "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c" + ], + "threshold": 1, + "x-tuf-on-ci-expiry-period": 3650, + 
"x-tuf-on-ci-signing-period": 365 + }, + "targets": { + "keyids": [ + "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", + "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", + "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", + "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", + "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70" + ], + "threshold": 3 + }, + "timestamp": { + "keyids": [ + "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c" + ], + "threshold": 1, + "x-tuf-on-ci-expiry-period": 7, + "x-tuf-on-ci-signing-period": 4 + } + }, + "spec_version": "1.0", + "version": 10, + "x-tuf-on-ci-expiry-period": 182, + "x-tuf-on-ci-signing-period": 31 + } +} \ No newline at end of file diff --git a/metadata/targets.json b/metadata/targets.json index 8e88fdc3..e5993f84 100755 --- a/metadata/targets.json +++ b/metadata/targets.json 
@@ -1,46 +1,43 @@ { "signatures": [ { - "keyid": "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e", - "sig": "30440220764f1edad367a55d340eb7a97c0c8f847c47fa3fd05cadf3e246ee8ced7e504002200ebe44b01d6f59a348041c3845dda0980754893ddc1a9c8bfaa98e6b1f0b4627" + "keyid": "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3", + "sig": "3045022100cffdd70aff94fab0127ac749c64449d5f644c7195971bfdca57879d5f645ab960220129ed6aeb07a57d9554af28941543bbb58f28c4c60d28a819f2294d290ff6cd9" }, { - "keyid": "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e", - "sig": "304502202d4955e47ab4a6ba6aaaa372bf50084e3cea0149da09f28807285fa306af38ae022100947cb4f41332f3f3215b78ccb897177e122f3de7e682ac19f8f3c835bbdc75f4" + "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2", + "sig": "30450220208c663d230a0ebb3a2b964020d019394112e216d4964c743ad2e61cebc43b52022100c2964f3fa7e77cd3abe13640d91b53d1a294470b65211a42f3f7764064c28ce4" }, { - "keyid": "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849", - "sig": "3045022015062f271a9cab84d5ffdbf878a42a4fc0754c1fa91822e38242af3546eaada8022100f0d766d4aca8ba675cf0b715104b765f81b4772cb53915db253fc437980e9e76" + "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06", + "sig": "304502210093afa3a6d28f67f6aace8c6c5258282ec0784ce82da93589e2870b522c1b685502205374c8871e12e07f856f83e780b626dd5a00a032285d4436f615cdb9d637c3c3" }, { - "keyid": "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523", - "sig": "3045022100cccbbbfa8a87a648f6cd18f881b6643bb2fcb5f812678af5f1ed676e574eae3902200faaf1083c5bc95471ba6d1c7da1d7fcbabfaa32cdc27c215ef9b58b4c3d41c0" + "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222", + "sig": "3044022006b5eae637d0b66f4f72759f86e86840f6a9a580b3baf7303a046d8fac1c0872022053c1b8a6fbce7e37a7e46501019a160f4d833efb48e7ca5bd274df54b2bbce3f" }, { - "keyid": "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f", - 
"sig": "304402203161c4a74acc63ea50af6f78e32248366bad10d823fe38ca190780ca70cf1124022051dd0734f33253304a814e10e0387a82770ee6905ace85c03b645df1109a6b38" + "keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70", + "sig": "304502203d51eac2b34f6f06178e86e484d192f7a40b53df47e2ba0540d2e5a397d1e92b0221009833e3bb41c3bd28bc1adc06a74e5e7c73a6c9d9a1648ab558cfbdd380a2c4e2" } ], "signed": { "_type": "targets", "delegations": { "keys": { - "3b60e337a003f0465d881e34051b1350f0041b931bd68d95ce2066c81d36de1b": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], + "5e3a4021b11a425fd0a444f1670457ce5b15bbe036144f2417426f7f4b9721da": { "keytype": "ecdsa", "keyval": { - "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoLrh0jmOfHWLwsyo/4oGbldF91WV\nfXvxVlDhW8fZwP/3vTnliBkDp5sH8/Dpm1SBOHkqENVt1+4Un/sFtl2zAQ==\n-----END PUBLIC KEY-----\n" + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVfei1dXQRVeArCMcTDgxJtYg+Fs7\nV87DjhQbGlRJPyC7SW5TbNNkmvpmi4LeTv6moLVZ7T2nVqiRZbSkD+cf8w==\n-----END PUBLIC KEY-----\n" }, - "scheme": "ecdsa-sha2-nistp256" + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-online-uri": "azurekms://npm-tuf-delegate.vault.azure.net/keys/npm-tuf-delegate-2024-08/e2772c1d01ca400da571096889f1660e" } }, "roles": [ { "keyids": [ - "3b60e337a003f0465d881e34051b1350f0041b931bd68d95ce2066c81d36de1b" + "5e3a4021b11a425fd0a444f1670457ce5b15bbe036144f2417426f7f4b9721da" ], "name": "registry.npmjs.org", "paths": [ @@ -51,7 +48,7 @@ } ] }, - "expires": "2024-09-12T06:13:15Z", + "expires": "2034-08-24T07:16:33Z", "spec_version": "1.0", "targets": { "artifact.pub": { @@ -159,6 +156,8 @@ "length": 7014 } }, - "version": 9 + "version": 10, + "x-tuf-on-ci-expiry-period": 3650, + "x-tuf-on-ci-signing-period": 31 } } \ No newline at end of file
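Review bot: The ten-year `expires` (2034-08-24, with `x-tuf-on-ci-expiry-period: 3650` in the `@@ -51,7` and `@@ -159,6` hunks) removes expiry as a backstop for the `registry.npmjs.org` delegation, whose key is replaced in the first hunk by `5e3a4021…` carrying `x-tuf-on-ci-online-uri: azurekms://…`, an online key. Retiring or rotating that Azure key will therefore rely entirely on publishing a new signed targets version rather than on the metadata aging out, so the commit description should record that this trade-off is intended and who operates the key; the delegation `threshold` is outside the hunk and cannot be confirmed here. The new key entry also omits `keyid_hash_algorithms`, which the keys in root.json still carry; if the tooling deprecates that field, one line explaining the inconsistency would help the next reviewer.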