Merge ceremony branch ceremony/2024-03-12 into main

Open sigstore-bot opened this issue 1 year ago • 3 comments

Merge ceremony branch to main

sigstore-bot avatar Mar 13 '24 08:03 sigstore-bot

Cosign, local verification:

$ ./cosign initialize --root /Users/kommendorkapten/git/root-signing/repository/repository/5.root.json --mirror http://localhost:8081
Root status:
 {
	"local": "/Users/kommendorkapten/.sigstore/root",
	"remote": "http://localhost:8081",
	"metadata": {
		"root.json": {
			"version": 9,
			"len": 6766,
			"expiration": "12 Sep 24 06:53 UTC",
			"error": ""
		},
		"snapshot.json": {
			"version": 130,
			"len": 2304,
			"expiration": "03 Apr 24 06:41 UTC",
			"error": ""
		},
		"targets.json": {
			"version": 9,
			"len": 5478,
			"expiration": "12 Sep 24 06:13 UTC",
			"error": ""
		},
		"timestamp.json": {
			"version": 166,
			"len": 721,
			"expiration": "20 Mar 24 06:41 UTC",
			"error": ""
		}
	},
	"targets": [
		"ctfe_2022.pub",
		"fulcio.crt.pem",
		"fulcio_intermediate_v1.crt.pem",
		"fulcio_v1.crt.pem",
		"rekor.pub",
		"trusted_root.json",
		"artifact.pub",
		"ctfe.pub"
	]
}

kommendorkapten avatar Mar 13 '24 12:03 kommendorkapten

Javascript:

$ tuf download --metadata-base-url http://localhost:8081 --root /Users/kommendorkapten/git/root-signing/repository/repository/5.root.json --target-name registry.npmjs.org/keys.json
{
    "keys": [
        {
            "keyId": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
            "keyUsage": "npm:signatures",
            "publicKey": {
                "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==",
                "keyDetails": "PKIX_ECDSA_P256_SHA_256",
                "validFor": {
                    "start": "1999-01-01T00:00:00.000Z"
                }
            }
        },
        {
            "keyId": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
            "keyUsage": "npm:attestations",
            "publicKey": {
                "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==",
                "keyDetails": "PKIX_ECDSA_P256_SHA_256",
                "validFor": {
                    "start": "2022-12-01T00:00:00.000Z"
                }
            }
        }
    ]
}

And the server:

$ python3 -m http.server 8081
Serving HTTP on :: port 8081 (http://[::]:8081/) ...
::1 - - [13/Mar/2024 13:59:01] "GET /6.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /7.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /8.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /9.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] code 404, message File not found
::1 - - [13/Mar/2024 13:59:01] "GET /10.root.json HTTP/1.1" 404 -
::1 - - [13/Mar/2024 13:59:01] "GET /timestamp.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /130.snapshot.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /9.targets.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /3.registry.npmjs.org.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /targets/registry.npmjs.org/7a8ec9678ad824cdccaa7a6dc0961caf8f8df61bc7274189122c123446248426.keys.json HTTP/1.1" 200 -

kommendorkapten avatar Mar 13 '24 12:03 kommendorkapten

Current work on disk:

$ ./cosign initialize --mirror http://localhost:8081 --root /Users/kommendorkapten/git/root-signing/repository/repository/5.root.json
Root status:
 {
	"local": "/Users/kommendorkapten/.sigstore/root",
	"remote": "http://localhost:8081",
	"metadata": {
		"root.json": {
			"version": 9,
			"len": 6766,
			"expiration": "12 Sep 24 06:53 UTC",
			"error": ""
		},
		"snapshot.json": {
			"version": 130,
			"len": 2304,
			"expiration": "03 Apr 24 06:41 UTC",
			"error": ""
		},
		"targets.json": {
			"version": 9,
			"len": 5478,
			"expiration": "12 Sep 24 06:13 UTC",
			"error": ""
		},
		"timestamp.json": {
			"version": 166,
			"len": 721,
			"expiration": "20 Mar 24 06:41 UTC",
			"error": ""
		}
	},
	"targets": [
		"fulcio_v1.crt.pem",
		"rekor.pub",
		"trusted_root.json",
		"artifact.pub",
		"ctfe.pub",
		"ctfe_2022.pub",
		"fulcio.crt.pem",
		"fulcio_intermediate_v1.crt.pem"
	]
}
kommendorkapten@m1m14:~/git/cosign % ./cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v1.13.1-32-g43bde0e2-dirty
GitCommit:     43bde0e2012243fa78363202545e5372b26a29c2
GitTreeState:  dirty
BuildDate:     2022-11-03T09:02:22Z
GoVersion:     go1.21.6
Compiler:      gc
Platform:      darwin/arm64

kommendorkapten avatar Mar 13 '24 14:03 kommendorkapten

Closing as outdated

Hayden-IO avatar Jul 12 '24 16:07 Hayden-IO