
Test: Create a "dry-run" root signing event to test compatibility

Open asraa opened this issue 3 years ago • 8 comments

Description

It is currently difficult to assess client compatibility when we update workflow operations before we complete signing or using manual review.

In order to do this, we would need to substitute our signers for test ones that we can automate signing and workflow operations for. I propose something like the following:

In order to automate complete steps, we'd need access to the GCP & HSM signers: the way I see it, one thing we CAN do is use some test-signers and run a whole ceremony like this:

  1. Copy latest metadata payloads, replace with test signers & sign for a fake "previous" state.
  2. Run our workflow commands to create a new root and sign with the test signers.
  3. Validate with clients.

We can catch serialization issues, version issues, etc.

Essentially this is like creating a parallel TUF repository in a space with just test signers on the fly. We can, however, persist the parallel repository, that way we can use it for staging, maybe?

asraa avatar Sep 28 '22 16:09 asraa
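
A structural version of the dry-run check described in the issue above, as an added example that is not part of the original thread or the root-signing project's code: it compares a fake "previous" root with a newly created root and reports the version and threshold problems a TUF client would reject on a root update, plus any production key IDs left in the staged root. The helper names, the key IDs (`t1`, `prod1`) and the sample metadata are constructed assumptions, and signature bytes are not cryptographically verified.

```python
# Added example: structural dry-run check on a staged TUF root rotation.
# Signature bytes are NOT verified here; only key IDs, thresholds and versions.

def signed_by_threshold(signer_ids, root_signed):
    """True if enough distinct trusted root key IDs appear among the signers."""
    role = root_signed["roles"]["root"]
    return len(set(signer_ids) & set(role["keyids"])) >= role["threshold"]

def check_rotation(prev, new, production_keyids):
    """Return a list of problems found when rotating from prev to new root."""
    problems = []
    p, n = prev["signed"], new["signed"]
    if n["version"] != p["version"] + 1:
        problems.append("version must be previous + 1")
    # Only count signature entries that actually carry a value.
    signers = [s["keyid"] for s in new["signatures"] if s.get("sig")]
    if not signed_by_threshold(signers, p):
        problems.append("threshold of previous root keys not met")
    if not signed_by_threshold(signers, n):
        problems.append("threshold of new root keys not met")
    leaked = set(n["keys"]) & set(production_keyids)
    if leaked:
        problems.append("production keys still present: " + ", ".join(sorted(leaked)))
    missing = {k for r in n["roles"].values() for k in r["keyids"]} - set(n["keys"])
    if missing:
        problems.append("roles reference undefined keys: " + ", ".join(sorted(missing)))
    return problems

def make_root(version, keyids, threshold, signers):
    """Build constructed sample metadata (placeholder key material and sigs)."""
    roles = {r: {"keyids": list(keyids), "threshold": threshold}
             for r in ("root", "targets", "snapshot", "timestamp")}
    return {"signed": {"_type": "root", "version": version,
                       "keys": {k: {"keytype": "ecdsa"} for k in keyids},
                       "roles": roles},
            "signatures": [{"keyid": k, "sig": "placeholder"} for k in signers]}

# Constructed sample: test signers t1..t3; "prod1" stands in for a real key ID.
PREV = make_root(5, ["t1", "t2", "t3"], 2, ["t1", "t2"])
GOOD = make_root(6, ["t1", "t2", "t3"], 2, ["t1", "t3"])
BAD = make_root(7, ["t1", "prod1"], 2, ["t1", "prod1"])

if __name__ == "__main__":
    print(check_rotation(PREV, GOOD, {"prod1"}))
    print(check_rotation(PREV, BAD, {"prod1"}))
```
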

This can be done in a staging branch!

asraa avatar Feb 15 '23 17:02 asraa

If we use a staging branch, we get to test our workflows for free.

Work needs to be done to (1) ensure that the keys are substituted for test HSM on the branch and (2) all other metadata is synced.

asraa avatar Feb 15 '23 17:02 asraa

In the short term:

  • Set up a key and use the script to add a delegation file

In the long term:

  • Try to set up the staging branch.
  • The staging branch will need to sync to main

asraa avatar Mar 09 '23 17:03 asraa

@kommendorkapten if there's already an existing target staged for the npm signing key, could you reference it here? We can then add it to staging. If not, no worries.

asraa avatar Mar 09 '23 17:03 asraa

cc @haydentherapper

asraa avatar Mar 09 '23 17:03 asraa

It is not, I'll try to get one done for the next week 🤞

kommendorkapten avatar Mar 10 '23 12:03 kommendorkapten

This is essentially the staging folder now. The remaining items here are the automated workflows - since all the keys are in the repository, we only need one workflow to run the new root/targets, snapshot, and timestamp.

asraa avatar Apr 04 '23 14:04 asraa

I'll be adding some documentation soon to describe the manual process, then we'll convert that into an automated one. We also need a GHA for pushing the repo to the GCS bucket.

haydentherapper avatar Apr 04 '23 17:04 haydentherapper

This will be handled by tuf-on-ci now, and signing events can be done off branches.

haydentherapper avatar Sep 04 '24 15:09 haydentherapper