Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Signing event: sign/migration #1323

Merged
merged 20 commits into from
Aug 30, 2024
Merged

Signing event: sign/migration #1323

merged 20 commits into from
Aug 30, 2024

Conversation

sigstore-bot
Copy link
Member

Processing signing event sign/migration, please wait.

Signed-off-by: Jussi Kukkonen <[email protected]>
@sigstore-bot
Copy link
Member Author

Current signing event state

Event sign/migration (commit 74805e7)

❌ root

Role root is unsigned and not yet verified
Still missing signatures from @dlorenc, @mnm678, @joshuagl, @SantiagoTorres, @bobcallaway
Signers can sign these changes by running tuf-on-ci-sign sign/migration
Error: Timestamp and Snapshot signers differ

❌ targets

Role targets is unsigned and not yet verified
Still missing signatures from @mnm678, @SantiagoTorres, @dlorenc, @bobcallaway, @joshuagl
Signers can sign these changes by running tuf-on-ci-sign sign/migration

❌ registry.npmjs.org

Role registry.npmjs.org is unsigned and not yet verified
Still missing signatures from @-npm-signer
Signers can sign these changes by running tuf-on-ci-sign sign/migration

@sigstore-bot
Copy link
Member Author

Current signing event state

Event sign/migration (commit e7de4ec)

❌ root

Role root is unsigned and not yet verified
Still missing signatures from @SantiagoTorres, @bobcallaway, @mnm678, @joshuagl, @dlorenc
Signers can sign these changes by running tuf-on-ci-sign sign/migration

❌ targets

Role targets is unsigned and not yet verified
Still missing signatures from @mnm678, @joshuagl, @SantiagoTorres, @bobcallaway, @dlorenc
Signers can sign these changes by running tuf-on-ci-sign sign/migration

❌ registry.npmjs.org

Role registry.npmjs.org is unsigned and not yet verified
Still missing signatures from @-npm-signer
Signers can sign these changes by running tuf-on-ci-sign sign/migration

@jku
Copy link
Member

jku commented Aug 21, 2024

Current status:

  • import went seemingly well
  • online roles (snapshot, timestamp) have been updated
  • TODO: npmjs role needs a online-url
  • TODO: artifact changes, if any

No action is required from keyholders at this point

@jku jku linked an issue Aug 21, 2024 that may be closed by this pull request
Note that deployment to GCS is still commented out in publish workflow.

Signed-off-by: Jussi Kukkonen <[email protected]>
Delete legacy (meaning non- tuf-on-ci)
 * timestamp and snapshot workflows
 * GCS uploading workflows
 * signing event management workflows (dealing with "ceremony/" dirs)
 * various verification workflows: now handled by the
   tuf-on-ci tests and custom-test.yml

Remove these outright to prevent accidental changes to metadata from two
different maintenance systems.

If it turns out the migration will not be successful in the timeframe it
has, the PR that contains this commit needs to be reverted so the legacy
system can continue operation.

Signed-off-by: Jussi Kukkonen <[email protected]>
'registry.npmjs.org' role/delegation change
@sigstore-bot
Copy link
Member Author

Current signing event state

Event sign/migration (commit 6697742)

❌ root

Role root is unsigned and not yet verified
Still missing signatures from @dlorenc, @mnm678, @joshuagl, @bobcallaway, @SantiagoTorres
Signers can sign these changes by running tuf-on-ci-sign sign/migration

❌ targets

Role targets is unsigned and not yet verified
Still missing signatures from @mnm678, @bobcallaway, @SantiagoTorres, @dlorenc, @joshuagl
Signers can sign these changes by running tuf-on-ci-sign sign/migration

❌ registry.npmjs.org

Role registry.npmjs.org is unsigned and not yet verified
Still missing signatures from azurekms://npm-tuf-delegate.vault.azure.net/keys/npm-tuf-delegate-2024-08/e2772c1d01ca400da571096889f1660e
Signers can sign these changes by running tuf-on-ci-sign sign/migration

@jku
Copy link
Member

jku commented Aug 26, 2024

Current status:

Signed-off-by: Fredrik Skogman <[email protected]>
@jku
Copy link
Member

jku commented Aug 26, 2024

Bob commented correctly that the key changes are difficult to review. I'll try to document here:

  • keyholders for root/targets or their public keys have not changed
  • there are two real key changes: npmjs.org key changed (Updated registry.npmjs.org delegation. #961) and snapshot role now uses the same key as timestamp
  • All keyids in root changed because additional metadata was included in the key and that requires changing keyid
  • keys are ordered by keyid... so the order has changed: this makes reading the diff awful. Sorry about that
  • At least from now on there is a "keyowner" field that documents whose key it is supposed to be

I'm not sure if this helps but

# print original public keys defined in root
git show origin/main:metadata/root.json | jq '.signed.keys[].keyval.public' | sort
# print public keys defined in root in the signing event
git show origin/sign/migration:metadata/root.json | jq '.signed.keys[].keyval.public' | sort
# the only difference is that one key has been removed (snapshot, since it uses the same key as timestamp now)

The keyids for root and targets keyowners are listed below (the public keys themselves are unchanged):

keyholder old keyid new keyid
Joshua fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70
Bob e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523 61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222
Dan 3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e 6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3
Marina ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2
Santiago 1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849 22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06

@sigstore-bot
Copy link
Member Author

Current signing event state

Event sign/migration (commit 773340f)

❌ root

Role root is unsigned and not yet verified
Still missing signatures from @SantiagoTorres, @dlorenc, @bobcallaway, @mnm678, @joshuagl
Signers can sign these changes by running tuf-on-ci-sign sign/migration

❌ targets

Role targets is unsigned and not yet verified
Still missing signatures from @SantiagoTorres, @dlorenc, @joshuagl, @bobcallaway, @mnm678
Signers can sign these changes by running tuf-on-ci-sign sign/migration

✅ registry.npmjs.org

Role registry.npmjs.org is verified and signed by 1/1 signers (azurekms://npm-tuf-delegate.vault.azure.net/keys/npm-tuf-delegate-2024-08/e2772c1d01ca400da571096889f1660e).

@jku
Copy link
Member

jku commented Aug 26, 2024

On more thing to help look at the key changes: https://gist.github.com/jku/ae2db6918e6aa960122cba0e2a1e4232. When this is executed (with the signing event branch checked out), it prints out root keyowners, keyids and the corresponding old keyids.

This should prove that the only thing that changes in the key is the one added field

@joshuagl
Copy link
Member

Thanks for providing the script. It's useful for both its ouputs and for conveying why the keyids changed.
I reviewed the script and it's ouput for my keyid (only). LGTM.

@sigstore-bot
Copy link
Member Author

Current signing event state

Event sign/migration (commit c1327c1)

❌ root

Role root is not yet verified. It is signed by 0/3 (1/3) signers (@joshuagl).
Still missing signatures from @mnm678, @dlorenc, @SantiagoTorres, @bobcallaway
Signers can sign these changes by running tuf-on-ci-sign sign/migration

❌ targets

Role targets is not yet verified. It is signed by 1/3 signers (@joshuagl).
Still missing signatures from @mnm678, @dlorenc, @SantiagoTorres, @bobcallaway
Signers can sign these changes by running tuf-on-ci-sign sign/migration

✅ registry.npmjs.org

Role registry.npmjs.org is verified and signed by 1/1 signers (azurekms://npm-tuf-delegate.vault.azure.net/keys/npm-tuf-delegate-2024-08/e2772c1d01ca400da571096889f1660e).

@sigstore-bot
Copy link
Member Author

Current signing event state

Event sign/migration (commit a3b0256)

❌ root

Role root is not yet verified. It is signed by 0/3 (2/3) signers (@joshuagl, @bobcallaway).
Still missing signatures from @mnm678, @dlorenc, @SantiagoTorres
Signers can sign these changes by running tuf-on-ci-sign sign/migration

❌ targets

Role targets is not yet verified. It is signed by 2/3 signers (@joshuagl, @bobcallaway).
Still missing signatures from @mnm678, @dlorenc, @SantiagoTorres
Signers can sign these changes by running tuf-on-ci-sign sign/migration

✅ registry.npmjs.org

Role registry.npmjs.org is verified and signed by 1/1 signers (azurekms://npm-tuf-delegate.vault.azure.net/keys/npm-tuf-delegate-2024-08/e2772c1d01ca400da571096889f1660e).

Signed-off-by: Dan Lorenc <[email protected]>
@sigstore-bot
Copy link
Member Author

Current signing event state

Event sign/migration (commit 1b65f7d)

✅ root

Role root is verified and signed by 0/3 (3/3) signers (@bobcallaway, @joshuagl, @dlorenc).
Still missing signatures from @mnm678, @SantiagoTorres
Signers can sign these changes by running tuf-on-ci-sign sign/migration

✅ targets

Role targets is verified and signed by 3/3 signers (@bobcallaway, @joshuagl, @dlorenc).
Still missing signatures from @mnm678, @SantiagoTorres
Signers can sign these changes by running tuf-on-ci-sign sign/migration

✅ registry.npmjs.org

Role registry.npmjs.org is verified and signed by 1/1 signers (azurekms://npm-tuf-delegate.vault.azure.net/keys/npm-tuf-delegate-2024-08/e2772c1d01ca400da571096889f1660e).

Signing event is successful

Threshold of signatures has been reached: this signing event can be reviewed and merged.

@sigstore-bot sigstore-bot marked this pull request as ready for review August 27, 2024 13:17
@jku
Copy link
Member

jku commented Aug 27, 2024

In case anyone is wondering what this means in the status:

Role root is verified and signed by 0/3 (3/3) signers

  • root has two signer counts listed because root needs to reach threshold for both root v9 and v10 signers
  • "0/3" is an artifact of the migration: only identified signers are listed and root v9 signers cannot be identified since the keys don't have the extra metadata yet
  • the actual verification ("is verified") is done using the normal TUF threshold calculation so the v9 keys have signed just fine -- tool just can't tell who signed

@sigstore-bot
Copy link
Member Author

Current signing event state

Event sign/migration (commit 51df10d)

✅ root

Role root is verified and signed by 0/3 (4/3) signers (@mnm678, @joshuagl, @bobcallaway, @dlorenc).
Still missing signatures from @SantiagoTorres
Signers can sign these changes by running tuf-on-ci-sign sign/migration

✅ targets

Role targets is verified and signed by 4/3 signers (@mnm678, @joshuagl, @bobcallaway, @dlorenc).
Still missing signatures from @SantiagoTorres
Signers can sign these changes by running tuf-on-ci-sign sign/migration

✅ registry.npmjs.org

Role registry.npmjs.org is verified and signed by 1/1 signers (azurekms://npm-tuf-delegate.vault.azure.net/keys/npm-tuf-delegate-2024-08/e2772c1d01ca400da571096889f1660e).

Signing event is successful

Threshold of signatures has been reached: this signing event can be reviewed and merged.

@sigstore-bot
Copy link
Member Author

Current signing event state

Event sign/migration (commit e0cf2f5)

✅ root

Role root is verified and signed by 0/3 (5/3) signers (@bobcallaway, @mnm678, @joshuagl, @SantiagoTorres, @dlorenc).

✅ targets

Role targets is verified and signed by 5/3 signers (@bobcallaway, @mnm678, @joshuagl, @SantiagoTorres, @dlorenc).

✅ registry.npmjs.org

Role registry.npmjs.org is verified and signed by 1/1 signers (azurekms://npm-tuf-delegate.vault.azure.net/keys/npm-tuf-delegate-2024-08/e2772c1d01ca400da571096889f1660e).

Signing event is successful

Threshold of signatures has been reached: this signing event can be reviewed and merged.

Copy link
Member

@jku jku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this looks good to me so far, thanks to keyholders: I'm marking request changes just in case since we do not want to merge too early.

reviews are welcome, but I'll remind that we intend to merge the workflow PR (#1313 ) here before merging on friday: this to not leave any chance for old and new online signing and publishing workflows to run at same time

@haydentherapper
Copy link
Contributor

Are we punting on #1268?

@jku
Copy link
Member

jku commented Aug 29, 2024

Yes, as mentioned in #1320 (comment) we decided to hold the actual artifact changes since

  • none of the proposed artifact changes had been tested in staging (before last thursday)
  • because of that there had in fact not been a single artifact change in staging
  • No issues were expected and yet some were of course found when the staging changes were done (the hash algorithm choice in tuf-on-ci is slightly different from the previous metadata, and this was an issue for sigstore-java)

Since the signing events should be less of a hassle from now on, let's rather let dust settle in staging and then do a separate signing event in production for those changes in the future.

The quick retrospective on this is:

jku added a commit to jku/sigstore-probers that referenced this pull request Aug 29, 2024
* root-signing migration to tuf-on-ci tooling means the preprod
  repository is now published to the projects GitHub Pages url
* Otherwise the functionality is the same

This change should be done
* after root-signing has switched to tuf-on-ci
  (sigstore/root-signing#1323 merge)
* before the publishing to prod is switched on
  (sigstore/root-signing#1340)
jku added a commit to jku/sigstore-probers that referenced this pull request Aug 29, 2024
* root-signing migration to tuf-on-ci tooling means the preprod
  repository is now published to the projects GitHub Pages url
* Otherwise the functionality is the same

This change should be done
* after root-signing has switched to tuf-on-ci
  (sigstore/root-signing#1323 merge)
* before the publishing to prod is switched on
  (sigstore/root-signing#1340)

Signed-off-by: Jussi Kukkonen <[email protected]>
Copy link
Member

@kommendorkapten kommendorkapten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

@jku
Copy link
Member

jku commented Aug 30, 2024

I will now merge #1313 in here as planned:

  • this enables tuf-on-ci workflows and removes all legacy workflows
  • this will be a very large PR but only because it removes 1600 lines of legacy workflows
  • we're doing it this way (instead of multiple separate prs) to remove the possibility of accidentally running publishing and online signing workflows from legacy and tuf-on-ci in an unexpected order

The next steps are still listed in #1320 (comment).

Merge the branch that
* disables legacy workflows
* enables tuf-on-ci workflows (apart from final GCS prod publish)
into the migration signing event branch

This should ensure that once we merge the signing event, all the correct
workflows will run, and old ones will not.
@kommendorkapten
Copy link
Member

Looks good after merge. Waiting for timestamp/snapshot to run, after merge of latest metadata I'll review again and approve this PR if all is good.

Copy link
Member

@jku jku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks ready to me.

@jku jku merged commit 67d0366 into main Aug 30, 2024
11 checks passed
@jku jku deleted the sign/migration branch August 30, 2024 16:24
haydentherapper pushed a commit to sigstore/sigstore-probers that referenced this pull request Sep 3, 2024
* root-signing migration to tuf-on-ci tooling means the preprod
  repository is now published to the projects GitHub Pages url
* Otherwise the functionality is the same

This change should be done
* after root-signing has switched to tuf-on-ci
  (sigstore/root-signing#1323 merge)
* before the publishing to prod is switched on
  (sigstore/root-signing#1340)

Signed-off-by: Jussi Kukkonen <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Initial tuf-on-ci migration signing event
9 participants