
Improve Verification on signing PRs: Detect correct repository and filtering output

Open asraa opened this issue 3 years ago • 1 comments

cc @kommendorkapten

Description

Currently, verifiers run something like:

REPO=ceremony/YYYY-MM-DD ./scripts/verify.sh

This script runs an entire suite of verification commands that can apply to any type of PR run or repository (incomplete, complete). https://github.com/sigstore/root-signing/blob/4c151b38b843f47b4bc5db4ad9a6f672d6fc7791/scripts/verify.sh#L55-L66

Instead, there are really only a few types of events verifiers need to look for:

  • Verification of committed HSM key data only (used for initializing new metadata, no signatures present). This is the key command https://github.com/sigstore/root-signing/blob/4c151b38b843f47b4bc5db4ad9a6f672d6fc7791/cmd/verify/app/keys.go#L182
  • Verification of some present signatures (for any signing events). This is "verifying staged metadata" in here.
  • Verification of the full entirety of metadata. This is the verify metadata without the staged sub-command.

Idea:

  • Separate verification commands ./scripts/verify-signing.sh or ./scripts/verify-snapshot-timestamp.sh or ./scripts/verify-metadata.sh, ./scripts/verify-keys.sh, or give a select prompt if we want to maintain the single ./scripts/verify.sh entrypoint. Document what users are expected to do in the different PR scenarios.
  • Separate the VerifyCmd to VerifyStagedCmd and VerifyRepositoryCmd to make it clear/subcommands.

Version

asraa avatar Oct 20 '22 12:10 asraa

@kommendorkapten also brings up the point that when verifying newly initialized metadata where we don't expect any sigs, we are also looking to identify other properties than keys: is the data well-formed? what are the expiries? This isn't handled by any of the commands right now.

Also: that probably makes sense under verifyStagedMetadata. Verifying signatures probably should be called verifySignatures at a top-level

asraa avatar Oct 20 '22 13:10 asraa
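As an added illustration of the three event types listed in the issue (keys only, staged signatures, complete metadata) and of the well-formedness and expiry checks raised in the comment above, here is a small Go classifier. It is example code written for this page, not root-signing's own verify command or script: the JSON field names are the ones from the TUF root.json format, while the Stage names, the Report type and the sample metadata are constructed for the example. It only decides which verification path applies and reports basic problems; it does not cryptographically verify any signature.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Stage is the kind of signing event a verifier is looking at: key data only
// (no signatures yet), some signatures staged, or a complete threshold.
type Stage string

const (
	StageKeysOnly Stage = "keys-only"
	StageStaged   Stage = "staged"
	StageComplete Stage = "complete"
)

// rootMeta is the subset of a TUF root.json needed here (field names per the
// TUF specification; everything else in the file is ignored).
type rootMeta struct {
	Signatures []struct {
		KeyID string `json:"keyid"`
		Sig   string `json:"sig"`
	} `json:"signatures"`
	Signed struct {
		Type    string `json:"_type"`
		Version int    `json:"version"`
		Expires string `json:"expires"`
		Roles   map[string]struct {
			KeyIDs    []string `json:"keyids"`
			Threshold int      `json:"threshold"`
		} `json:"roles"`
	} `json:"signed"`
}

// Report is the classifier output: detected stage plus the well-formedness and
// expiry findings a verifier would want printed before anything else.
type Report struct {
	Stage     Stage
	Signed    int       // distinct root-authorized keys that have signed
	Threshold int       // root role threshold taken from the metadata
	Expires   time.Time // zero if "expires" did not parse
	Problems  []string
}

// Classify parses root.json bytes, checks basic shape and expiry against now,
// counts signatures from keys authorized for the root role and picks a stage.
// Signatures are counted, not verified; that is the stage-specific command's job.
func Classify(raw []byte, now time.Time) (Report, error) {
	var m rootMeta
	if err := json.Unmarshal(raw, &m); err != nil {
		return Report{}, fmt.Errorf("root.json is not valid JSON: %w", err)
	}
	var r Report
	if m.Signed.Type != "root" {
		r.Problems = append(r.Problems, fmt.Sprintf("_type is %q, want \"root\"", m.Signed.Type))
	}
	if m.Signed.Version < 1 {
		r.Problems = append(r.Problems, "version must be >= 1")
	}
	if exp, err := time.Parse(time.RFC3339, m.Signed.Expires); err != nil {
		r.Problems = append(r.Problems, "expires is not an RFC 3339 timestamp")
	} else if r.Expires = exp; !exp.After(now) {
		r.Problems = append(r.Problems, "metadata is already expired")
	}
	role, ok := m.Signed.Roles["root"]
	if !ok || role.Threshold < 1 || len(role.KeyIDs) < role.Threshold {
		r.Problems = append(r.Problems, "root role missing, threshold < 1, or fewer keyids than threshold")
	}
	r.Threshold = role.Threshold
	authorized := make(map[string]bool, len(role.KeyIDs))
	for _, k := range role.KeyIDs {
		authorized[k] = true
	}
	seen := make(map[string]bool) // dedupe: one key signing twice counts once
	for _, s := range m.Signatures {
		switch {
		case s.Sig == "": // empty placeholder entry, not a signature
		case !authorized[s.KeyID]:
			r.Problems = append(r.Problems, "signature from keyid not in root role: "+s.KeyID)
		default:
			seen[s.KeyID] = true
		}
	}
	r.Signed = len(seen)
	switch {
	case r.Signed == 0:
		r.Stage = StageKeysOnly
	case r.Signed < r.Threshold:
		r.Stage = StageStaged
	default:
		r.Stage = StageComplete
	}
	return r, nil
}

// Constructed sample metadata for the example (not real ceremony data): a
// freshly initialized root with no signatures, and one with a single valid
// signer (listed twice) plus one signature from an unauthorized keyid.
const signedPart = `"signed": {"_type": "root", "version": 1, "expires": "2030-01-01T00:00:00Z",
 "roles": {"root": {"keyids": ["k1", "k2", "k3", "k4", "k5"], "threshold": 3}}}}`
const sampleKeysOnly = `{"signatures": [], ` + signedPart
const sampleStaged = `{"signatures": [{"keyid": "k1", "sig": "3045"}, {"keyid": "k1", "sig": "3045"},
 {"keyid": "zz", "sig": "00"}], ` + signedPart

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	for _, raw := range []string{sampleKeysOnly, sampleStaged} {
		r, err := Classify([]byte(raw), now)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("stage=%s signed=%d/%d expires=%s problems=%v\n",
			r.Stage, r.Signed, r.Threshold, r.Expires.Format(time.RFC3339), r.Problems)
	}
}
```

A script entrypoint could call this first and then dispatch to a keys-only, staged or full verification path, printing only the output relevant to that stage instead of the whole suite.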

In tuf-on-ci:

  • the signing-event workflow does analysis on individual metadata -- are they valid, correctly signed, etc
  • online-signing verifies that the online roles are valid
  • signing tool also does some validation on the bits of metadata that is going to be signed
  • full repository tests happen after merging and preprod publish: this is too late for signing event PR validation but it is also the first point where the full repository can be validated -- and potentially reverted

The signing event validation can certainly be improved, but I think it makes sense to mostly do that in the signing event workflow.

I am going to close this, please file an issue if there is a specific improvement idea

jku avatar Sep 05 '24 14:09 jku