Create scheduled GitHub action to rotate the timestamp key
Goal
| User story |
|---|
| As a Fleet contributor responsible for TUF, |
| I want to know that the Timestamp key will be automatically rotated before expiration |
| so that I can take time off without worrying about TUF coverage. |
Objective
Currently, we have an action that will notify us when the timestamp key is close to expiring, but the rotation process is still manual. We need to schedule this to be automated via GitHub actions because it requires frequent rotations, and if the expiration were reached while everyone with TUF keys was offline, it could result in an outage.
Tasks
- Update the Timestamp expiration check to trigger an update process when it detects that the expiration is close.
- The update process uses a timestamp key (which can be kept online in GitHub secrets) to automatically rotate the key and push the update to our TUF server.
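The expiration check described in the tasks above, as an added example (not Fleet's own code): it parses the `signed.expires` field of a TUF `timestamp.json` and decides whether the scheduled job should rotate now, using a constructed sample document and an assumed rotation threshold of seven days (so a weekly run never skips a window it cannot recover from).

```python
"""Decide whether a TUF timestamp.json is close enough to expiry to rotate."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of TUF timestamp metadata; not Fleet's real file.
SAMPLE_TIMESTAMP_JSON = """{
  "signatures": [{"keyid": "placeholder-keyid", "sig": "placeholder-signature"}],
  "signed": {
    "_type": "timestamp",
    "spec_version": "1.0",
    "version": 42,
    "expires": "2024-12-10T00:00:00Z",
    "meta": {"snapshot.json": {"version": 42}}
  }
}"""

# Assumed threshold: a job that runs weekly must rotate whenever less than
# a week (plus no margin) remains, otherwise the next run may be too late.
DEFAULT_THRESHOLD = timedelta(days=7)


def parse_expiry(timestamp_json: str) -> datetime:
    """Return signed.expires as an aware UTC datetime, rejecting non-timestamp roles."""
    doc = json.loads(timestamp_json)
    signed = doc["signed"]
    if signed.get("_type") != "timestamp":
        raise ValueError("metadata is not a TUF timestamp role")
    expires = signed["expires"]
    # TUF serialises expiry as ISO 8601 in UTC with a trailing 'Z'.
    if not expires.endswith("Z"):
        raise ValueError("expires must be a UTC timestamp ending in 'Z'")
    return datetime.strptime(expires, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def days_remaining(timestamp_json: str, now: datetime) -> float:
    """Days until expiry; negative once the metadata has already expired."""
    return (parse_expiry(timestamp_json) - now) / timedelta(days=1)


def needs_rotation(timestamp_json: str, now: datetime,
                   threshold: timedelta = DEFAULT_THRESHOLD) -> bool:
    """True when the timestamp expires within `threshold` of `now`, or already has."""
    return parse_expiry(timestamp_json) - now <= threshold


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(f"{days_remaining(SAMPLE_TIMESTAMP_JSON, now):.1f} days left;"
          f" rotate={needs_rotation(SAMPLE_TIMESTAMP_JSON, now)}")
```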
Dupe of existing https://github.com/fleetdm/fleet/issues/7629.
Video of the last manual update of the timestamp: https://www.loom.com/share/a195e866b72c496f80c3ff8f00bdbac5
Currently the timestamp signature update is performed the following way:
```sh
AWS_PROFILE=tuf \
TUF_DIRECTORY=/Users/luk/tuf.fleetctl.com \
ACTION=update-timestamp \
KEYS_SOURCE_DIRECTORY=/Volumes/FLEET-TUF/keys \
TIMESTAMP_PASSPHRASE_1PASSWORD_PATH="Private/TUF TIMESTAMP/password" \
PUSH_TO_REMOTE=1 \
./tools/tuf/releaser.sh
```
This can be automated by:
- removing the ("yes") prompts from the script
- allowing the timestamp passphrase to be stored in an environment variable (rather than using 1Password), or alternatively not encrypting the timestamp key.
- checking whether we need to sync the whole repository or just the timestamp.json file that we will update (my guess is that we only need to sync the timestamp.json)
This is blocked by https://github.com/fleetdm/confidential/issues/8942.
Key rotation swift, Peace of mind for contributors, Fleet sails on, carefree.
Successful run of the GitHub action that updated Fleet's TUF timestamp.json in https://tuf.fleetctl.com: https://github.com/fleetdm/fleet/actions/runs/12141253115
The action is configured to run every Tuesday.