Key Ceremony! #26

Open
dlorenc opened this issue May 11, 2021 · 1 comment

Comments

Member

dlorenc commented May 11, 2021

Hey All,

This is a tracking bug for the overall sigstore public key ceremony, which we'll use to establish a TUF trust-root for all sigstore signing. The design for that kicked off here: sigstore/fulcio#12 but grew a bit bigger in scope. The latest document describing the overall strategy is here: https://docs.google.com/document/d/1dJ5JNyLcuB6Fbl7eV5Rx8xlXdgic2thMFSseq4Y-pRo/edit?resourcekey=0-amsoXrePIvR2244GSTxeOw

@asraa is driving the initial implementation, and the first 5 "key holders" will be:

We're targeting a "practice run" sometime the week of May 17th, 2021, and then (hopefully) the "real event" will take place during the following week (the week of May 24th).

Stay tuned for more information and scheduling!

Member Author

dlorenc commented May 13, 2021

Update: @asraa's code is working to set up the initial TUF metadata! We're going to try it out a couple of times, then get it published and ready for review.

Key Holders: please make sure you have at least two sealed Yubikeys ready for the event. We've tested with the models here: https://github.com/sigstore/cosign/blob/main/TOKENS.md

A third key for practice would be great to have too. One sealed key is for the event itself and one is for a backup in case you lose the real one after. The third one can be unsealed; it's just for test runs of the ceremony.
