Signing event: sign/root-v12 #1439
Conversation
Simple version & expiry bump

Signed-off-by: Jussi Kukkonen <[email protected]>
Current signing event state: Event sign/root-v12 (commit 9d4602b), role root: ❌
This signing event is now ready; keyholders, please have a look.
Note that the result looks absolutely awful in git diff, apologies for that.
The keys defined in root.json are listed below for reference (this is the output of the script I mentioned): On main branch:
On sign/root-v12:
Only the keyid changes (key content remains the same):
old: "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c"
new: "0c87432c3bf09fd99189fdc32fa5eaedf4e4a5fac7bab73fa04a2e0fc64af6f5"
* Unfortunately the ordering of keys is alphabetical and changing the keyid moves the KMS slightly higher in the list
* git diff makes an absolute mess of showing the change (this is one of the reasons I would like to not change keyids, but here we are)

Signed-off-by: Jussi Kukkonen <[email protected]>
Current signing event state: Event sign/root-v12 (commit 1874668), role root: ❌
Looks good.
Maybe easier to read?

kommendorkapten@m1m14-msft:~/git/root-signing % diff -u metadata/root_history/11.root.json metadata/root.json
--- metadata/root_history/11.root.json 2025-02-05 13:43:13
+++ metadata/root.json 2025-02-05 13:43:13
@@ -2,30 +2,42 @@
"signatures": [
{
"keyid": "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3",
- "sig": "304402204e6907aba6343c7c8db2bfaccfd61af810f1dd40b773e7f42a611b9789bb752802200fbd875f4aa6ae5dafc845f39f50331bf415c78e992f4daab3ff1388a339d1db"
+ "sig": ""
},
{
"keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2",
- "sig": "3045022100b8549ad03ad6c059ecba6c75511c52ceeb5e3e733b3c9977601a6cff34d1972e0220742c67407c1f9a3f408cb2e9c1abe52cba887e44a2f4734786f54feda57104c3"
+ "sig": ""
},
{
"keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06",
- "sig": "3046022100ed5122dd6b91e3ca974841de774d99024ddcae1e9c38bb0fb3c8d75a5aa573fe022100e0945dfe5ce51ccfa205217c6ed0b7c4dd9f84c0246a3a02790efbac49bbfe53"
+ "sig": ""
},
{
"keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222",
- "sig": "30450221008edf6889c21ad4ea1863749173a0d2b8f630eb7c61c78dfb89cec1342e9c621f022064cbe2723fde47dbeaa52b2835225c160f83a019b3b729e7bbe1e2b3c9886b1c"
+ "sig": ""
},
{
"keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70",
- "sig": "30440220770e8aabdbf019b0e48a9a7a34f93b3deebd07341c936383eeade828d92c83b00220787019373a612c59ae4dc068d02bf68507da346f1c31909822897e4fd30a6a62"
+ "sig": ""
}
],
"signed": {
"_type": "root",
"consistent_snapshot": true,
- "expires": "2025-08-05T08:37:20Z",
+ "expires": "2025-08-19T14:33:09Z",
"keys": {
+ "0c87432c3bf09fd99189fdc32fa5eaedf4e4a5fac7bab73fa04a2e0fc64af6f5": {
+ "keyid_hash_algorithms": [
+ "sha256",
+ "sha512"
+ ],
+ "keytype": "ecdsa",
+ "keyval": {
+ "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n"
+ },
+ "scheme": "ecdsa-sha2-nistp256",
+ "x-tuf-on-ci-online-uri": "gcpkms:projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp/cryptoKeyVersions/1"
+ },
"22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06": {
"keyid_hash_algorithms": [
"sha256",
\ No newline at end of file
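Review bot: the commit message should state which fields of the key object the new id 0c87432c… is hashed over, because the diff alone cannot show it: the added entry is byte-identical to the 7247f0db… entry removed further down (same PEM public key, same gcpkms …/cryptoKeys/timestamp/cryptoKeyVersions/1 URI), so this is a keyid relabel rather than a key rotation, and the entry still carries the non-spec "keyid_hash_algorithms" field, leaving open whether that field was part of the hashed object. The blanked "sig": "" values are the expected state for a new root version before the five root keyholders sign. The new "expires": "2025-08-19T14:33:09Z" is 197 days after 2025-02-03, consistent with the unchanged 197-day "x-tuf-on-ci-expiry-period" at the end of the file.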
@@ -62,18 +74,6 @@
"scheme": "ecdsa-sha2-nistp256",
"x-tuf-on-ci-keyowner": "@dlorenc"
},
- "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c": {
- "keyid_hash_algorithms": [
- "sha256",
- "sha512"
- ],
- "keytype": "ecdsa",
- "keyval": {
- "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n"
- },
- "scheme": "ecdsa-sha2-nistp256",
- "x-tuf-on-ci-online-uri": "gcpkms:projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp/cryptoKeyVersions/1"
- },
"a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70": {
"keyid_hash_algorithms": [
"sha256",
\ No newline at end of file
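Review bot: dropping the 7247f0db… entry is only safe if every role that listed that id is repointed in the same change; snapshot and timestamp are updated in the following hunks, but a pre-signing check that every entry in a role's "keyids" resolves to a key in "keys" would catch a missed reference here rather than at client verification time. Since the removed public key and online URI are identical to the added entry, a reviewer comparing the two blocks should focus solely on the map key.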
@@ -112,7 +112,7 @@
},
"snapshot": {
"keyids": [
- "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c"
+ "0c87432c3bf09fd99189fdc32fa5eaedf4e4a5fac7bab73fa04a2e0fc64af6f5"
],
"threshold": 1,
"x-tuf-on-ci-expiry-period": 3650,
\ No newline at end of file
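Review bot: with threshold 1 and a single online key, the only effect of this hunk is the identifier, but it is not cosmetic for clients: once root v12 is trusted, a snapshot.json whose signature still carries "keyid": "7247f0db…" will not match the role's keyids and will be rejected, so the online signer must start emitting 0c87432c… in snapshot signatures together with the publish of v12.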
@@ -130,7 +130,7 @@
},
"timestamp": {
"keyids": [
- "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c"
+ "0c87432c3bf09fd99189fdc32fa5eaedf4e4a5fac7bab73fa04a2e0fc64af6f5"
],
"threshold": 1,
"x-tuf-on-ci-expiry-period": 7,
\ No newline at end of file
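Review bot: the timestamp role has "x-tuf-on-ci-expiry-period": 7, so this is the first place a keyid mismatch would surface after v12 is published; it is worth confirming that the next timestamp.json is signed under 0c87432c… before the current one expires, otherwise clients that have updated to root v12 lose freshness within a week.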
@@ -138,7 +138,7 @@
}
},
"spec_version": "1.0",
- "version": 11,
+ "version": 12,
"x-tuf-on-ci-expiry-period": 197,
"x-tuf-on-ci-signing-period": 46
}
\ No newline at end of file |
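Review bot: the comparison above is against metadata/root_history/11.root.json, so once this version is published the merge should also produce metadata/root_history/12.root.json; clients that update root by walking N+1.root.json depend on that copy existing alongside the updated metadata/root.json. The version field itself is correctly bumped to 12 with the signing and expiry periods unchanged.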
We are now happy with this signing event (well, not happy with the diff output but otherwise): keyholders, please have a look and sign.
Signed-off-by: Bob Callaway <[email protected]>
Signature from @bobcallaway
Current signing event state: Event sign/root-v12 (commit b955d81), role root: ❌
Signed-off-by: Joshua Lock <[email protected]>
Signature from @joshuagl
Current signing event state: Event sign/root-v12 (commit ca9de75), role root: ❌
Signed-off-by: Marina Moore <[email protected]>
Signature from @mnm678
Current signing event state: Event sign/root-v12 (commit 37060a5), role root: ✅. Signing event is successful. Threshold of signatures has been reached: this signing event can be reviewed and merged.
* This test is not in root-signing-staging since the client does not support staging
* Uses current main HEAD since last release does not have the "bundle" example we use
* Does not test signing since the client does not support signing with the GitHub Actions workflow identity

This test currently fails because of #1431: sigstore-rs expects specifically computed TUF keyids which current root metadata does not provide.

Signed-off-by: Jussi Kukkonen <[email protected]>
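The keyid relabel described in the PR description (same public key, different keyid) and the sigstore-rs failure above both come down to how a TUF keyid is derived from a key object. The following is an added example, not code from the root-signing repository or from tuf-on-ci: it computes keyids the way the TUF specification defines them (hex SHA-256 over the canonical JSON of the keytype/scheme/keyval object), shows how hashing extra fields such as the legacy "keyid_hash_algorithms" yields a different id for byte-identical key material, produces the kind of key listing the description refers to, and runs the consistency checks a signer would want before publishing (no role points at an undefined keyid, no threshold exceeds its key count). The PEM public key, both keyids and the gcpkms URI are copied from the diff in this thread; the trimmed root object, the five omitted keyholder keys and the function names are assumptions of the example, and it does not assert which convention produced either id on the page.

```python
import copy
import hashlib
from typing import Any

# Constructed sample: a trimmed "signed" section of root.json modelled on the
# sign/root-v12 diff. PEM, keyids and URI are copied from that diff; the five
# offline root keyholder keys are omitted since their material is not shown.
ONLINE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\n"
    "BV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n"
    "-----END PUBLIC KEY-----\n"
)
NEW_ID = "0c87432c3bf09fd99189fdc32fa5eaedf4e4a5fac7bab73fa04a2e0fc64af6f5"
OLD_ID = "7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c"
ONLINE_KEY = {
    "keyid_hash_algorithms": ["sha256", "sha512"],  # legacy field, not in the TUF spec
    "keytype": "ecdsa",
    "keyval": {"public": ONLINE_PEM},
    "scheme": "ecdsa-sha2-nistp256",
    "x-tuf-on-ci-online-uri": "gcpkms:projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp/cryptoKeyVersions/1",
}
ROOT_V12 = {  # hypothetical trimmed root, only the online key and its two roles
    "_type": "root",
    "version": 12,
    "keys": {NEW_ID: ONLINE_KEY},
    "roles": {
        "snapshot": {"keyids": [NEW_ID], "threshold": 1},
        "timestamp": {"keyids": [NEW_ID], "threshold": 1},
    },
}


def canonical_json(obj: Any) -> bytes:
    """OLPC canonical JSON as used by TUF: sorted keys, no whitespace, and only
    backslash and double quote escaped in strings. The newlines inside the PEM
    are emitted raw, which is exactly where json.dumps() would diverge."""
    if isinstance(obj, dict):
        inner = ",".join(canonical_json(k).decode() + ":" + canonical_json(v).decode()
                         for k, v in sorted(obj.items()))
        return ("{" + inner + "}").encode()
    if isinstance(obj, list):
        return ("[" + ",".join(canonical_json(v).decode() for v in obj) + "]").encode()
    if isinstance(obj, str):
        return ('"' + obj.replace("\\", "\\\\").replace('"', '\\"') + '"').encode()
    if obj is True or obj is False or obj is None:  # before int: bool is an int subclass
        return {True: b"true", False: b"false", None: b"null"}[obj]
    if isinstance(obj, int):
        return str(obj).encode()
    raise TypeError(f"unsupported type for canonical JSON: {type(obj).__name__}")


def compute_keyid(key: dict, extra_fields: tuple = ()) -> str:
    """keyid = hex(SHA-256(canonical_json(key object))). The spec hashes only
    keytype, scheme and keyval; extra_fields pulls further fields (e.g. the
    legacy keyid_hash_algorithms) into the hashed object, which is how two
    implementations can derive different ids for the same public key."""
    subset = {f: key[f] for f in ("keytype", "scheme", "keyval")}
    for f in extra_fields:
        if f in key:
            subset[f] = key[f]
    return hashlib.sha256(canonical_json(subset)).hexdigest()


def list_keys(signed: dict) -> list:
    """(keyid, owner or online URI, roles using it), sorted by keyid, i.e. the
    kind of listing the PR description refers to."""
    used_by: dict = {}
    for role, info in signed["roles"].items():
        for kid in info["keyids"]:
            used_by.setdefault(kid, []).append(role)
    return [(kid, key.get("x-tuf-on-ci-keyowner") or key.get("x-tuf-on-ci-online-uri", "?"),
             sorted(used_by.get(kid, [])))
            for kid, key in sorted(signed["keys"].items())]


def check_root(signed: dict, verify_keyids: bool = True) -> list:
    """Findings a signer wants before publishing: dangling role keyids, thresholds
    that can never be met, unused keys and, optionally, keyids that do not equal
    the spec computation over their own key object."""
    findings, keys, referenced = [], signed["keys"], set()
    for role, info in signed["roles"].items():
        for kid in info["keyids"]:
            referenced.add(kid)
            if kid not in keys:
                findings.append(f"{role}: keyid {kid[:8]}... is not defined in keys")
        if info["threshold"] > len(info["keyids"]):
            findings.append(f"{role}: threshold {info['threshold']} > {len(info['keyids'])} keyids")
    for kid in keys.keys() - referenced:
        findings.append(f"keys: {kid[:8]}... is defined but used by no role")
    if verify_keyids:
        for kid, key in keys.items():
            if (expected := compute_keyid(key)) != kid:
                findings.append(f"keys: {kid[:8]}... != spec keyid {expected[:8]}...")
    return findings


def simulate_stale_reference(signed: dict) -> list:
    """The mistake a keyid relabel invites: "keys" renamed, snapshot role not."""
    stale = copy.deepcopy(signed)
    stale["roles"]["snapshot"]["keyids"] = [OLD_ID]
    return check_root(stale, verify_keyids=False)


if __name__ == "__main__":
    for kid, label, roles in list_keys(ROOT_V12):
        print(f"{kid[:16]}...  {label}  roles={roles}")
    spec_id = compute_keyid(ONLINE_KEY)
    legacy_id = compute_keyid(ONLINE_KEY, ("keyid_hash_algorithms",))
    print("spec keyid:             ", spec_id)
    print("with legacy field:      ", legacy_id)
    print("spec keyid == v12 keyid:", spec_id == NEW_ID)
    print("findings:", check_root(ROOT_V12, verify_keyids=False))
    print("stale snapshot keyid:", simulate_stale_reference(ROOT_V12))
```

Run against a real metadata/root.json (load the file and pass its "signed" object) to get the full listing; `check_root` with `verify_keyids=True` then reports every key whose map key differs from the spec-computed id, which is the quickest way to see which convention a given root version follows.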
This sigstore-rs branch contains the v12 root, so it allows testing when v12 is getting published

Signed-off-by: Jussi Kukkonen <[email protected]>
Thanks for quick keyholder reactions
tests: Add sigstore-rs client test
LGTM
lgtm
Processing signing event sign/root-v12, please wait.