tuf-on-ci-sign
tuf-on-ci-sign can sign with either a hardware key with PIV support (e.g. a YubiKey) or a Sigstore identity.
A hardware signing key must contain a PIV Digital Signature private key (the PIV "Digital Signature" slot, 9c) to be used with TUF-on-CI. TUF-on-CI also needs access to a PKCS#11 module to talk to the key.
- Generate a PIV signing key on your hardware key if you don't have one yet. For YubiKey owners, follow the YubiKey setup instructions.
- Install a PKCS#11 module. TUF-on-CI has been tested with Yubico's ykcs11. Debian users can install it with
$ apt install ykcs11
macOS users can install it with
$ brew install yubico-piv-tool
NOTE: Windows WSL users may need to attach the USB hardware key to WSL using usbipd-win.
To use Sigstore as a signing method, you will need an account with one of the supported identity providers (GitHub, Google or Microsoft).
$ pip install tuf-on-ci-sign
Note: macOS users may need to install swig if the wheel build above fails:
$ brew install swig
- git clone the repository you are a signer for
- If you are not a maintainer of the repository on GitHub, fork the repository on GitHub and add your fork as a remote in your local git clone
- Create a local configuration file .tuf-on-ci-sign.ini in the repository directory (either manually or by running the signer/create-config-file.sh script included in the TUF-on-CI sources):
[settings]
# Path to PKCS#11 module (optional)
# If not provided, tuf-on-ci-sign will probe some known install locations
# pykcs11lib = /usr/lib/x86_64-linux-gnu/libykcs11.so
# GitHub username
user-name = @my-github-username
# pull-remote: the git remote name of the TUF repository
pull-remote = origin
# push-remote: If you are allowed to push to the TUF repository, you can use the same value
# as pull-remote. Otherwise use the remote name of your fork
push-remote = origin
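The configuration step above, as an added shell example. This is not the project's signer/create-config-file.sh; it is example code that writes the same .tuf-on-ci-sign.ini keys (pykcs11lib, user-name, pull-remote, push-remote) and refuses obviously bad input. The libykcs11 locations it probes are assumed common install paths (only the Debian path appears in the config comment above; the others are assumptions), and the validation rules (leading @ on the user name, no overwrite of an existing file, module path must exist) are the example's own choices.

```shell
#!/bin/sh
# Added example, not the project's own signer/create-config-file.sh:
# builds the .tuf-on-ci-sign.ini described above. The module paths in
# PKCS11_CANDIDATES are assumed common install locations, not from the docs.

# Candidate install locations for Yubico's libykcs11 (assumed; adjust as needed).
PKCS11_CANDIDATES="/usr/lib/x86_64-linux-gnu/libykcs11.so
/usr/lib/aarch64-linux-gnu/libykcs11.so
/usr/lib64/libykcs11.so
/usr/local/lib/libykcs11.dylib
/opt/homebrew/lib/libykcs11.dylib"

# find_pkcs11_module [EXTRA_PATH...]
# Prints the first existing module path; explicit arguments are tried first,
# then PKCS11_CANDIDATES. Returns 1 if nothing is found.
find_pkcs11_module() {
    for p in "$@" $PKCS11_CANDIDATES; do
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# write_signer_config DIR USER PULL_REMOTE PUSH_REMOTE [MODULE_PATH]
# Writes DIR/.tuf-on-ci-sign.ini. Refuses to clobber an existing file,
# requires the GitHub user name to carry the leading '@', and only records
# a pykcs11lib path that actually exists on disk.
write_signer_config() {
    dir=$1 user=$2 pull=$3 push=$4 module=${5:-}
    cfg="$dir/.tuf-on-ci-sign.ini"
    if [ -e "$cfg" ]; then
        echo "refusing to overwrite $cfg" >&2
        return 1
    fi
    case $user in
        @?*) ;;
        *) echo "user-name must be a GitHub handle starting with @" >&2; return 1 ;;
    esac
    if [ -n "$module" ] && [ ! -f "$module" ]; then
        echo "PKCS#11 module not found: $module" >&2
        return 1
    fi
    {
        echo "[settings]"
        if [ -n "$module" ]; then
            echo "# Path to PKCS#11 module"
            echo "pykcs11lib = $module"
        else
            echo "# pykcs11lib not set: tuf-on-ci-sign probes known install locations"
        fi
        echo "# GitHub username"
        echo "user-name = $user"
        echo "# git remote to pull the TUF repository from"
        echo "pull-remote = $pull"
        echo "# git remote to push to (your fork unless you can push upstream)"
        echo "push-remote = $push"
    } > "$cfg"
    echo "wrote $cfg"
}

# config_value FILE KEY: print the value of KEY from the written file.
config_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1"
}

# Typical use from inside a clone of the TUF repository, with a fork
# named "my-fork" as the push remote and the module path auto-probed:
#   write_signer_config . @my-github-username origin my-fork "$(find_pkcs11_module)"
```

If find_pkcs11_module finds nothing, the pykcs11lib line is left out and tuf-on-ci-sign falls back to probing its own known locations, as the config comment above describes.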