Merge ceremony branch ceremony/2024-03-12 into main #1164

Open. Wants to merge 9 commits into base: main from ceremony/2024-03-12
Conversation

sigstore-bot (Member)

Merge ceremony branch to main

sigstore-bot and others added 8 commits March 12, 2024 08:05
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: GitHub <noreply@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Joshua Lock <joshuagloe@gmail.com>
Signed-off-by: Bob Callaway <bcallaway@google.com>
Signed-off-by: Santiago Torres-Arias <santiagotorres@purdue.edu>
Signed-off-by: Dan Lorenc <dlorenc@chainguard.dev>
Signed-off-by: Marina Moore <mnm678@gmail.com>
Signed-off-by: sigstore-review-bot <sigstore-review-bot@users.noreply.github.com>
* Use latest go-tuf-client

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Use latest tuftool (Rust)

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Run javascript client tests too

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* tuftool (tough) does not yet support the new ecdsa key type.
Disabling test until it is supported

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

---------

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
@kommendorkapten (Member) commented Mar 13, 2024

Cosign, local verification:

$ ./cosign initialize --root /Users/kommendorkapten/git/root-signing/repository/repository/5.root.json --mirror http://localhost:8081
Root status:
 {
	"local": "/Users/kommendorkapten/.sigstore/root",
	"remote": "http://localhost:8081",
	"metadata": {
		"root.json": {
			"version": 9,
			"len": 6766,
			"expiration": "12 Sep 24 06:53 UTC",
			"error": ""
		},
		"snapshot.json": {
			"version": 130,
			"len": 2304,
			"expiration": "03 Apr 24 06:41 UTC",
			"error": ""
		},
		"targets.json": {
			"version": 9,
			"len": 5478,
			"expiration": "12 Sep 24 06:13 UTC",
			"error": ""
		},
		"timestamp.json": {
			"version": 166,
			"len": 721,
			"expiration": "20 Mar 24 06:41 UTC",
			"error": ""
		}
	},
	"targets": [
		"ctfe_2022.pub",
		"fulcio.crt.pem",
		"fulcio_intermediate_v1.crt.pem",
		"fulcio_v1.crt.pem",
		"rekor.pub",
		"trusted_root.json",
		"artifact.pub",
		"ctfe.pub"
	]
}
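
What the `cosign initialize` run above actually exercises is the TUF root-chaining rule: starting from the pinned 5.root.json, the client fetches 6.root.json, 7.root.json and so on, and accepts each one only if it is the next version and carries a signature threshold from both the previously trusted root keys and its own root keys. The example below is added here to show that rule in working Go; it is not code from root-signing, go-tuf or cosign. It uses ed25519 keys generated on the spot, a pared-down root document with only the fields the rule needs, and plain `json.Marshal` in place of the canonical JSON encoding TUF signs over; all of those are simplifications for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Pared-down root.json carrying only what the chaining rule needs; real TUF root
// metadata also has spec_version, expires, consistent_snapshot, the other roles
// and typed key objects. These types exist only for this example.
type Role struct {
	KeyIDs    []string `json:"keyids"`
	Threshold int      `json:"threshold"`
}
type Root struct {
	Version int               `json:"version"`
	Keys    map[string][]byte `json:"keys"` // keyid -> raw ed25519 public key
	Roles   map[string]Role   `json:"roles"`
}
type Signature struct{ KeyID string; Sig []byte } // Sig: ed25519 signature over the signed bytes

// keyID stands in for TUF's SHA-256-of-canonical-key-object identifier.
func keyID(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", pub[:8]) }
func pubOf(p ed25519.PrivateKey) ed25519.PublicKey { return p.Public().(ed25519.PublicKey) }

func newKey() ed25519.PrivateKey {
	_, p, _ := ed25519.GenerateKey(rand.Reader)
	return p
}

// mkRoot builds a root whose root role is the holders of privs at the given threshold.
func mkRoot(version int, privs []ed25519.PrivateKey, threshold int) Root {
	r := Root{Version: version, Keys: map[string][]byte{}, Roles: map[string]Role{}}
	var ids []string
	for _, p := range privs {
		r.Keys[keyID(pubOf(p))] = pubOf(p)
		ids = append(ids, keyID(pubOf(p)))
	}
	r.Roles["root"] = Role{KeyIDs: ids, Threshold: threshold}
	return r
}

// signRoot serializes r and signs the bytes with each key. Assumption: plain
// json.Marshal stands in for the canonical JSON encoding TUF signs over.
func signRoot(r Root, privs []ed25519.PrivateKey) (body []byte, sigs []Signature) {
	body, _ = json.Marshal(r)
	for _, p := range privs {
		sigs = append(sigs, Signature{keyID(pubOf(p)), ed25519.Sign(p, body)})
	}
	return
}

// countValid counts distinct role keys with a valid signature over body: a key signing
// twice counts once and keys outside the role are ignored, so padding cannot reach a threshold.
func countValid(body []byte, sigs []Signature, keys map[string][]byte, role Role) int {
	allowed, seen := map[string]bool{}, map[string]bool{}
	for _, id := range role.KeyIDs {
		allowed[id] = true
	}
	for _, s := range sigs {
		pub := keys[s.KeyID]
		if allowed[s.KeyID] && !seen[s.KeyID] && len(pub) == ed25519.PublicKeySize &&
			ed25519.Verify(pub, body, s.Sig) {
			seen[s.KeyID] = true
		}
	}
	return len(seen)
}

// VerifyRootUpdate is the TUF client rule for accepting N+1.root.json given a trusted
// N.root.json: the version must be exactly N+1, and the candidate needs a signature
// threshold from the OLD root role's keys and one from its OWN root role's keys.
// Expiry is checked only on the final root, so a client walks through expired intermediates.
func VerifyRootUpdate(trusted Root, body []byte, sigs []Signature) (Root, error) {
	var next Root
	if err := json.Unmarshal(body, &next); err != nil {
		return Root{}, err
	}
	if next.Version != trusted.Version+1 {
		return Root{}, fmt.Errorf("got root version %d, want %d (rollback or gap)", next.Version, trusted.Version+1)
	}
	old, own := trusted.Roles["root"], next.Roles["root"]
	if n := countValid(body, sigs, trusted.Keys, old); n < old.Threshold {
		return Root{}, fmt.Errorf("only %d/%d signatures from previously trusted root keys", n, old.Threshold)
	}
	if n := countValid(body, sigs, next.Keys, own); n < own.Threshold {
		return Root{}, fmt.Errorf("only %d/%d signatures from the new root's own keys", n, own.Threshold)
	}
	return next, nil
}

// Demo rotates one key between two ceremonies, then tries two things a malicious
// mirror could serve. Every key is generated on the spot; none is Sigstore material.
func Demo() (rotationOK, gapRejected, takeoverRejected bool) {
	k5 := []ed25519.PrivateKey{newKey(), newKey(), newKey()} // ceremony 5: A, B, C at threshold 2
	root5 := mkRoot(5, k5, 2)
	k6 := []ed25519.PrivateKey{k5[1], k5[2], newKey()} // ceremony 6 retires A and adds D
	// B and C sit in both key sets, so their signatures count toward both thresholds.
	body, sigs := signRoot(mkRoot(6, k6, 2), k6)
	trusted6, err := VerifyRootUpdate(root5, body, sigs)
	rotationOK = err == nil && trusted6.Version == 6
	// The mirror hides 7.root.json and serves a correctly signed 8.root.json instead.
	body, sigs = signRoot(mkRoot(8, k6, 2), k6)
	_, err = VerifyRootUpdate(trusted6, body, sigs)
	gapRejected = err != nil
	// A 7.root.json listing only attacker keys and signed only by them: its own
	// threshold holds, but no previously trusted key approved the handover.
	kX := []ed25519.PrivateKey{newKey(), newKey()}
	body, sigs = signRoot(mkRoot(7, kX, 2), kX)
	_, err = VerifyRootUpdate(trusted6, body, sigs)
	takeoverRejected = err != nil
	return
}

func main() { fmt.Println(Demo()) }
```

The dual-threshold check is what makes a ceremony branch meaningful: a new root is only trusted if enough holders of the keys already in the previous root signed it, so a mirror cannot substitute its own key set, and the strict N+1 check is why the client in the server log requests every intermediate root up to the first 404 rather than jumping to the newest one.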

@kommendorkapten (Member)

Javascript:

$ tuf download --metadata-base-url http://localhost:8081 --root /Users/kommendorkapten/git/root-signing/repository/repository/5.root.json --target-name registry.npmjs.org/keys.json
{
    "keys": [
        {
            "keyId": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
            "keyUsage": "npm:signatures",
            "publicKey": {
                "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==",
                "keyDetails": "PKIX_ECDSA_P256_SHA_256",
                "validFor": {
                    "start": "1999-01-01T00:00:00.000Z"
                }
            }
        },
        {
            "keyId": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
            "keyUsage": "npm:attestations",
            "publicKey": {
                "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==",
                "keyDetails": "PKIX_ECDSA_P256_SHA_256",
                "validFor": {
                    "start": "2022-12-01T00:00:00.000Z"
                }
            }
        }
    ]
}

And the server:

$ python3 -m http.server 8081
Serving HTTP on :: port 8081 (http://[::]:8081/) ...
::1 - - [13/Mar/2024 13:59:01] "GET /6.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /7.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /8.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /9.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] code 404, message File not found
::1 - - [13/Mar/2024 13:59:01] "GET /10.root.json HTTP/1.1" 404 -
::1 - - [13/Mar/2024 13:59:01] "GET /timestamp.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /130.snapshot.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /9.targets.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /3.registry.npmjs.org.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /targets/registry.npmjs.org/7a8ec9678ad824cdccaa7a6dc0961caf8f8df61bc7274189122c123446248426.keys.json HTTP/1.1" 200 -
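
The last request in that log shows the consistent-snapshot layout: the client does not ask for `keys.json` by name but for `targets/registry.npmjs.org/<sha256>.keys.json`, where the hash comes from the delegated `registry.npmjs.org` targets metadata it has just verified, and it then checks the downloaded bytes against the length and hash recorded there. The Go below is an added example of that client-side step, not code from go-tuf, the JavaScript tuf client or cosign; the `keys.json` content and the in-memory `Mirror` standing in for the HTTP server are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"path"
)

// TargetInfo is the per-target entry a targets (or delegated targets) role records:
// the length and hash the client must verify. Constructed shape for this example.
type TargetInfo struct {
	Length int64
	SHA256 string // hex
}

// Mirror stands in for the HTTP server in the log: request path -> response bytes.
type Mirror map[string][]byte

func (m Mirror) Get(p string) ([]byte, error) {
	b, ok := m[p]
	if !ok {
		return nil, fmt.Errorf("404 %s", p)
	}
	return b, nil
}

// targetPath builds the consistent-snapshot download path: the SHA-256 from the
// targets metadata is prefixed to the file name, which is why the log shows
// targets/registry.npmjs.org/<hash>.keys.json rather than keys.json.
func targetPath(name string, info TargetInfo) string {
	dir, file := path.Split(name)
	return "targets/" + dir + info.SHA256 + "." + file
}

// FetchTarget downloads a target and verifies it against the trusted metadata.
// Length is checked first so an oversized or truncated response is rejected
// before any hashing; only then is the SHA-256 compared.
func FetchTarget(m Mirror, name string, info TargetInfo) ([]byte, error) {
	data, err := m.Get(targetPath(name, info))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) != info.Length {
		return nil, fmt.Errorf("%s: length %d, metadata says %d", name, len(data), info.Length)
	}
	want, err := hex.DecodeString(info.SHA256)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(data)
	if !bytes.Equal(sum[:], want) {
		return nil, fmt.Errorf("%s: sha256 mismatch", name)
	}
	return data, nil
}

// Demo publishes a constructed keys.json the way a repository would, then shows a
// tampered and a truncated mirror response being rejected.
func Demo() (honestOK, tamperedRejected, truncatedRejected bool) {
	// Constructed stand-in; not the real registry.npmjs.org/keys.json.
	keys := []byte(`{"keys":[{"keyId":"SHA256:example","keyUsage":"npm:signatures"}]}`)
	sum := sha256.Sum256(keys)
	info := TargetInfo{Length: int64(len(keys)), SHA256: hex.EncodeToString(sum[:])}
	name := "registry.npmjs.org/keys.json"

	_, err := FetchTarget(Mirror{targetPath(name, info): keys}, name, info)
	honestOK = err == nil

	// Same length, different key identifier: only the hash check catches this.
	evil := bytes.Replace(keys, []byte("SHA256:example"), []byte("SHA256:evilkey"), 1)
	_, err = FetchTarget(Mirror{targetPath(name, info): evil}, name, info)
	tamperedRejected = err != nil

	_, err = FetchTarget(Mirror{targetPath(name, info): keys[:len(keys)-1]}, name, info)
	truncatedRejected = err != nil
	return
}

func main() { fmt.Println(Demo()) }
```

The same pattern applies one level up: `130.snapshot.json` and `9.targets.json` in the log are fetched by the version recorded in timestamp and snapshot metadata respectively, and the `len` values in the cosign `Root status` output are the lengths those parent roles recorded for them.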

@kommendorkapten (Member)

Current work on disk:

$ ./cosign initialize --mirror http://localhost:8081 --root /Users/kommendorkapten/git/root-signing/repository/repository/5.root.json
Root status:
 {
	"local": "/Users/kommendorkapten/.sigstore/root",
	"remote": "http://localhost:8081",
	"metadata": {
		"root.json": {
			"version": 9,
			"len": 6766,
			"expiration": "12 Sep 24 06:53 UTC",
			"error": ""
		},
		"snapshot.json": {
			"version": 130,
			"len": 2304,
			"expiration": "03 Apr 24 06:41 UTC",
			"error": ""
		},
		"targets.json": {
			"version": 9,
			"len": 5478,
			"expiration": "12 Sep 24 06:13 UTC",
			"error": ""
		},
		"timestamp.json": {
			"version": 166,
			"len": 721,
			"expiration": "20 Mar 24 06:41 UTC",
			"error": ""
		}
	},
	"targets": [
		"fulcio_v1.crt.pem",
		"rekor.pub",
		"trusted_root.json",
		"artifact.pub",
		"ctfe.pub",
		"ctfe_2022.pub",
		"fulcio.crt.pem",
		"fulcio_intermediate_v1.crt.pem"
	]
}
kommendorkapten@m1m14:~/git/cosign % ./cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v1.13.1-32-g43bde0e2-dirty
GitCommit:     43bde0e2012243fa78363202545e5372b26a29c2
GitTreeState:  dirty
BuildDate:     2022-11-03T09:02:22Z
GoVersion:     go1.21.6
Compiler:      gc
Platform:      darwin/arm64

7 participants