When a TUF-on-CI repository is initialized, an online signing method is chosen. This choice can be changed later. The chosen method will be used by the repository to sign the timestamp and snapshot roles automatically.
Currently supported signing methods include:

- Sigstore (experimental)
- Google Cloud KMS
- Azure Key Vault
- AWS KMS
## Sigstore

Using Sigstore as the online signing method requires no configuration, but it is currently experimental (and not supported by all TUF client libraries).
## Google Cloud KMS

- Make sure Google Cloud Workload Identity Federation allows your GitHub repository's OIDC identity to sign with a KMS key.
- Define your authentication details as repository variables in Settings->Secrets and variables->Actions->Variables:
  - `GCP_WORKLOAD_IDENTITY_PROVIDER: projects/843741030650/locations/global/workloadIdentityPools/git-repo-demo/providers/git-repo-demo`
  - `GCP_SERVICE_ACCOUNT: [email protected]`
- (only needed for initial configuration) Prepare your local environment for accessing the cloud KMS: use gcloud and authenticate in the environment where you plan to run the tuf-on-ci-delegate tool (you will need the roles/cloudkms.publicKeyViewer permission on the KMS key).
## Azure Key Vault

- Make sure Azure allows this repository's OIDC identity to sign with a Key Vault key.
- Define `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_SUBSCRIPTION_ID` as repository secrets in Settings->Secrets and variables->Actions->Secrets.
- Modify the online-sign workflow like this:

```yaml
jobs:
  online-sign:
    runs-on: ubuntu-latest
    permissions:
      id-token: 'write' # for OIDC identity access
      contents: 'write' # for committing snapshot/timestamp changes
      actions: 'write' # for dispatching publish workflow
    steps:
      ...
      - name: Login to Azure
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      ...
      - id: online-sign
        uses: theupdateframework/tuf-on-ci/actions/online-sign@main
```
- (only needed for initial configuration) Prepare your local environment: use az login and authenticate against the environment where the key vault exists. You will need the role "Key Vault Crypto User".
## AWS KMS

- Make sure AWS IAM permissions allow your GitHub repository's OIDC identity to sign with a KMS key.
- Define your authentication details as repository variables in Settings->Secrets and variables->Actions->Variables:
  - `AWS_ROLE_TO_ASSUME: arn:aws:iam::175142243308:role/tuf-testing-online-key`
  - `AWS_REGION: us-east-1`
- (only needed for initial configuration) Prepare your local environment for accessing the cloud KMS: use the AWS CLI and authenticate in the environment where you plan to run the tuf-on-ci-delegate tool (you will need permission to use the KMS key).
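A mistyped repository variable or secret for any of the three cloud backends above only surfaces later, as an opaque permission failure during the OIDC token exchange in the online-sign workflow. The following preflight check is an added example (not part of tuf-on-ci) that validates the shape of the values before they are stored in the repository settings. It uses the variable and secret names listed in the Google Cloud KMS, Azure Key Vault and AWS KMS sections; the value patterns are the documented formats of the corresponding cloud identifiers, tightened by assumption (the provider and ARN sample values are the document's own, the service account e-mail and Azure GUIDs are constructed).

```python
"""Preflight check for the repository variables and secrets that TUF-on-CI
online signing reads for each cloud KMS backend.

Added example, not part of tuf-on-ci. The names are the ones the document
lists; the value patterns are the documented identifier formats of each
cloud (assumption: tightened here so that a mistyped value is caught before
the online-sign workflow fails at the OIDC token exchange).
"""
import re

# Google Cloud: Workload Identity Federation provider resource name and the
# service account e-mail the GitHub identity is allowed to impersonate.
GCP_WIP_RE = re.compile(
    r"projects/\d+/locations/global/workloadIdentityPools/"
    r"[a-z0-9-]{4,32}/providers/[a-z0-9-]{4,32}"
)
GCP_SA_RE = re.compile(
    r"[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{5,29}\.iam\.gserviceaccount\.com"
)

# AWS: IAM role ARN (12-digit account id, optional path) and a region name.
AWS_ROLE_RE = re.compile(r"arn:aws(-[a-z]+)?:iam::\d{12}:role/[\w+=,.@/-]+")
AWS_REGION_RE = re.compile(r"[a-z]{2}(-gov)?-[a-z]+-\d")

# Azure: client, tenant and subscription ids are all GUIDs.
AZURE_GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Which names each online signing method needs. Sigstore needs none.
EXPECTED = {
    "sigstore": {},
    "gcp": {
        "GCP_WORKLOAD_IDENTITY_PROVIDER": GCP_WIP_RE,
        "GCP_SERVICE_ACCOUNT": GCP_SA_RE,
    },
    "azure": {
        "AZURE_CLIENT_ID": AZURE_GUID_RE,
        "AZURE_TENANT_ID": AZURE_GUID_RE,
        "AZURE_SUBSCRIPTION_ID": AZURE_GUID_RE,
    },
    "aws": {
        "AWS_ROLE_TO_ASSUME": AWS_ROLE_RE,
        "AWS_REGION": AWS_REGION_RE,
    },
}


def check_online_signing_config(method: str, values: dict) -> list:
    """Return the problems found in `values` for `method` (empty list = ok).

    `values` maps variable/secret names to the strings that would be stored
    in the GitHub repository settings.
    """
    if method not in EXPECTED:
        return [f"unknown online signing method: {method!r}"]
    problems = []
    for name, pattern in EXPECTED[method].items():
        value = values.get(name)
        if not value:
            problems.append(f"{name} is not set")
        elif value != value.strip():
            # Pasting from a console often drags a trailing newline along;
            # the cloud side then rejects the value with no helpful message.
            problems.append(f"{name} has leading or trailing whitespace")
        elif not pattern.fullmatch(value):
            problems.append(f"{name} does not look like a valid value: {value!r}")
    return problems


# Constructed sample inputs. The provider name and the role ARN are the
# document's example values; the service account e-mail, the stray newline,
# the wrong-case region and the Azure GUIDs are made up for this example.
SAMPLE_GCP = {
    "GCP_WORKLOAD_IDENTITY_PROVIDER": "projects/843741030650/locations/global/"
    "workloadIdentityPools/git-repo-demo/providers/git-repo-demo",
    "GCP_SERVICE_ACCOUNT": "tuf-online-signer@example-project.iam.gserviceaccount.com",
}
SAMPLE_AWS_BAD = {
    "AWS_ROLE_TO_ASSUME": "arn:aws:iam::175142243308:role/tuf-testing-online-key\n",
    "AWS_REGION": "US-East-1",
}
SAMPLE_AZURE = {
    name: "11111111-2222-3333-4444-555555555555" for name in EXPECTED["azure"]
}

if __name__ == "__main__":
    for method, values in (("gcp", SAMPLE_GCP), ("aws", SAMPLE_AWS_BAD),
                           ("azure", SAMPLE_AZURE), ("sigstore", {})):
        problems = check_online_signing_config(method, values)
        print(method, "ok" if not problems else problems)
```

Run it as a script to see the report for the built-in samples, or import `check_online_signing_config` and pass the values you are about to enter in the repository settings. `re.fullmatch` is used deliberately instead of `$`-anchored `match`, because `$` in Python also matches before a trailing newline and would let the pasted-newline case through.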