ONLINE-SIGNING-SETUP.md

File metadata and controls

78 lines (65 loc) · 3.26 KB

Online Signing in TUF-on-CI

When a TUF-on-CI repository is initialized, an online signing method is chosen. This choice can be changed later. The chosen method is used by the repository to sign the timestamp and snapshot roles automatically, without a human signer in the loop.

Currently supported signing methods:

  • Sigstore (experimental)
  • Google Cloud KMS
  • Azure Key Vault
  • AWS KMS

Configuration

Sigstore

Using Sigstore as the online signing method requires no configuration, but it is currently experimental and not supported by all TUF client libraries.

Google Cloud KMS

  1. Make sure Google Cloud Workload Identity Federation allows your GitHub repository's OIDC identity to sign with a KMS key.
  2. Define your authentication details as repository variables in Settings->Secrets and variables->Actions->Variables:
    GCP_WORKLOAD_IDENTITY_PROVIDER: projects/843741030650/locations/global/workloadIdentityPools/git-repo-demo/providers/git-repo-demo
    GCP_SERVICE_ACCOUNT: [email protected]
    
  3. (only needed for initial configuration) Prepare your local environment for accessing the cloud KMS: use gcloud and authenticate in the environment where you plan to run the tuf-on-ci-delegate tool (you will need the roles/cloudkms.publicKeyViewer role on the KMS key).

Azure Key Vault

  1. Make sure Azure allows your GitHub repository's OIDC identity to sign with a Key Vault key.
  2. Define AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_SUBSCRIPTION_ID as repository secrets in Settings->Secrets and variables->Actions->Secrets.
  3. Modify the online-sign workflow so that the job logs in to Azure before the online-sign action runs:

    ```yaml
    jobs:
      online-sign:
        runs-on: ubuntu-latest

        permissions:
          id-token: 'write' # for OIDC identity access
          contents: 'write' # for committing snapshot/timestamp changes
          actions: 'write' # for dispatching publish workflow

        steps:
          ...
          - name: Login to Azure
            uses: azure/login@v1
            with:
              client-id: ${{ secrets.AZURE_CLIENT_ID }}
              tenant-id: ${{ secrets.AZURE_TENANT_ID }}
              subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          ...
          - id: online-sign
            uses: theupdateframework/tuf-on-ci/actions/online-sign@main
    ```

  4. (only needed for initial configuration) Prepare your local environment: use az login and authenticate against the environment where the Key Vault exists. You will need the "Key Vault Crypto User" role.

AWS KMS

  1. Make sure AWS IAM permissions allow your GitHub repository's OIDC identity to sign with a KMS key.
  2. Define your authentication details as repository variables in Settings->Secrets and variables->Actions->Variables:
    AWS_ROLE_TO_ASSUME: arn:aws:iam::175142243308:role/tuf-testing-online-key
    AWS_REGION: us-east-1
    
  3. (only needed for initial configuration) Prepare your local environment for accessing the cloud KMS: use the AWS CLI and authenticate in the environment where you plan to run the tuf-on-ci-delegate tool (you will need permission to use the KMS key).
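As an added example (not tuf-on-ci's own code), the following POSIX shell script checks the identity values from the Google Cloud KMS, Azure Key Vault and AWS KMS sections above for well-formedness and then writes them into the repository with the gh CLI: gh variable set for the GCP and AWS repository variables, gh secret set for the Azure repository secrets, matching where each section tells you to put them. A malformed value then fails on your machine instead of surfacing as an authentication error in the first online-sign run. The script name, the format checks and every sample value are assumptions made here; the regular expressions encode the usual shape of these identifiers, not an authoritative grammar.

```shell
#!/bin/sh
# configure-online-signing.sh (hypothetical name): validate the online-signing
# identity values, then store them in the GitHub repository with the gh CLI.
# Added example, not part of tuf-on-ci. All sample values below are constructed.

# Each check prints nothing and returns 0 for a well-formed value, 1 otherwise.
is_gcp_wif_provider() {
  # projects/<project-number>/locations/global/workloadIdentityPools/<pool>/providers/<provider>
  printf '%s\n' "$1" | grep -Eq \
    '^projects/[0-9]+/locations/global/workloadIdentityPools/[a-z0-9-]+/providers/[a-z0-9-]+$'
}

is_gcp_service_account() {
  # <name>@<project-id>.iam.gserviceaccount.com (name and project id: 6-30 chars)
  printf '%s\n' "$1" | grep -Eq \
    '^[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$'
}

is_aws_role_arn() {
  # arn:<partition>:iam::<12-digit account>:role/<optional path/><name>
  printf '%s\n' "$1" | grep -Eq '^arn:aws(-[a-z]+)*:iam::[0-9]{12}:role/[A-Za-z0-9_+=,.@/-]+$'
}

is_aws_region() {
  # e.g. us-east-1, eu-central-1, us-gov-west-1
  printf '%s\n' "$1" | grep -Eq '^[a-z]{2}(-gov)?-[a-z]+-[0-9]$'
}

is_uuid() {
  # Azure client, tenant and subscription IDs are all GUIDs
  printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# configure_gcp OWNER/REPO PROVIDER SERVICE_ACCOUNT  -> repository variables
configure_gcp() {
  repo=$1; provider=$2; sa=$3
  is_gcp_wif_provider "$provider" || { echo "malformed GCP_WORKLOAD_IDENTITY_PROVIDER: $provider" >&2; return 1; }
  is_gcp_service_account "$sa"    || { echo "malformed GCP_SERVICE_ACCOUNT: $sa" >&2; return 1; }
  gh variable set GCP_WORKLOAD_IDENTITY_PROVIDER --repo "$repo" --body "$provider"
  gh variable set GCP_SERVICE_ACCOUNT --repo "$repo" --body "$sa"
}

# configure_aws OWNER/REPO ROLE_ARN REGION  -> repository variables
configure_aws() {
  repo=$1; role=$2; region=$3
  is_aws_role_arn "$role"  || { echo "malformed AWS_ROLE_TO_ASSUME: $role" >&2; return 1; }
  is_aws_region "$region"  || { echo "malformed AWS_REGION: $region" >&2; return 1; }
  gh variable set AWS_ROLE_TO_ASSUME --repo "$repo" --body "$role"
  gh variable set AWS_REGION --repo "$repo" --body "$region"
}

# configure_azure OWNER/REPO CLIENT_ID TENANT_ID SUBSCRIPTION_ID  -> repository secrets
configure_azure() {
  repo=$1; client=$2; tenant=$3; sub=$4
  for v in "$client" "$tenant" "$sub"; do
    is_uuid "$v" || { echo "not a GUID: $v" >&2; return 1; }
  done
  gh secret set AZURE_CLIENT_ID --repo "$repo" --body "$client"
  gh secret set AZURE_TENANT_ID --repo "$repo" --body "$tenant"
  gh secret set AZURE_SUBSCRIPTION_ID --repo "$repo" --body "$sub"
}

# Example invocation (constructed values):
#   sh configure-online-signing.sh gcp owner/repo \
#     projects/123456789012/locations/global/workloadIdentityPools/github-pool/providers/github \
#     tuf-online-signer@my-project-123.iam.gserviceaccount.com
case "${1:-}" in
  gcp)   shift; configure_gcp "$@" ;;
  aws)   shift; configure_aws "$@" ;;
  azure) shift; configure_azure "$@" ;;
  "")    : ;;  # no arguments: only define the functions (so the checks can be sourced)
  *)     echo "usage: $0 gcp|aws|azure OWNER/REPO VALUE..." >&2; exit 2 ;;
esac
```

The checks are deliberately conservative: they reject obviously wrong values such as a non-numeric GCP project number, an AWS account id that is not 12 digits, or an Azure id that is not a GUID, but a well-formed value that points at the wrong project, role or tenant will still pass and only fail when the workflow tries to authenticate.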