
Signing event: sign/root-v11 #1414

wants to merge 11 commits into main


Conversation

sigstore-bot
Member

Processing signing event sign/root-v11, please wait.

@sigstore-bot
Member Author

Current signing event state

Event sign/root-v11 (commit 57d0128)

❌ root

Role root is unsigned and not yet verified
Still missing signatures from @joshuagl, @mnm678, @SantiagoTorres, @dlorenc, @bobcallaway
Signers can sign these changes by running tuf-on-ci-sign sign/root-v11

@jku
Member

jku commented Jan 19, 2025

This is work-in-progress: we will notify signers when changes are all ready for signing (likely on Monday)

See #1407 for all the changes that will be included

@jku
Member

jku commented Jan 20, 2025

Fixed #1355: Extended root signing period and expiry period by 15 days so that we have the following deadlines during signing events:

  • 2 weeks to build the signing event and sign it: after this an issue will be filed in root-signing
  • then 2 weeks to react to the root-signing issue: after this oncall will be alerted
  • then 2 weeks for oncall to react: after this root has expired

The main purpose is to make sure that normal signing events

  • don't get issues filed too early: working on a signing event for a week should be perfectly normal
  • don't have to be hurried because of the fear that oncall gets alerted so quickly.

@sigstore-bot
Member Author

Current signing event state

Event sign/root-v11 (commit ed3305c)

❌ root

Role root is unsigned and not yet verified
Still missing signatures from @joshuagl, @SantiagoTorres, @bobcallaway, @dlorenc, @mnm678
Signers can sign these changes by running tuf-on-ci-sign sign/root-v11

@sigstore-bot
Member Author

Current signing event state

Event sign/root-v11 (commit 2a603d8)

❌ root

Role root is unsigned and not yet verified
Still missing signatures from @bobcallaway, @joshuagl, @dlorenc, @SantiagoTorres, @mnm678
Signers can sign these changes by running tuf-on-ci-sign sign/root-v11

@jku
Member

jku commented Jan 20, 2025

Fixed #1347 by correcting the key id used to identify the GCP signing key (note that this does not change the key material, just how we find the correct signer on Google Cloud): the older id only worked because we added a software workaround in tuf-on-ci.
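A review-time check one could run over the `x-tuf-on-ci-online-uri` value this change fixes (an added example, not tuf-on-ci's own code): it assumes the canonical form is the one committed here, `gcpkms:` followed by the full Cloud KMS resource name ending in an explicit `cryptoKeyVersions/<n>`, and reports the legacy `gcpkms://` spelling and a missing key version so a reviewer sees exactly which part of a URI is off.

```python
# Sanity-check a TUF-on-CI online key URI (x-tuf-on-ci-online-uri).
# Added example; the accepted form below is an assumption taken from the
# corrected URI in this signing event, not a rule documented by tuf-on-ci.
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Full resource name of a Cloud KMS key *version* (constructed pattern).
_GCP_KEY_VERSION = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)"
    r"/cryptoKeyVersions/(?P<version>\d+)$"
)


@dataclass
class OnlineKeyCheck:
    ok: bool
    problems: list[str] = field(default_factory=list)
    key: str | None = None
    version: int | None = None


def check_online_uri(uri: str) -> OnlineKeyCheck:
    """Return the problems found in a gcpkms URI; ok is True only for the canonical form."""
    problems: list[str] = []
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme != "gcpkms":
        return OnlineKeyCheck(False, [f"unsupported scheme {scheme!r}"])
    if rest.startswith("//"):
        # Legacy spelling: an authority-style '//' is not part of a KMS resource name,
        # so the old form only resolved through a client-side workaround.
        problems.append("legacy 'gcpkms://' form; use 'gcpkms:' + resource name")
        rest = rest[2:]
    m = _GCP_KEY_VERSION.match(rest)
    if m is None:
        if "/cryptoKeyVersions/" not in rest:
            problems.append("no explicit cryptoKeyVersions/<n>; key version is not pinned")
        else:
            problems.append("resource name does not match projects/.../cryptoKeyVersions/<n>")
        return OnlineKeyCheck(False, problems)
    return OnlineKeyCheck(not problems, problems, m["key"], int(m["version"]))


if __name__ == "__main__":
    # The two URIs from this signing event's root metadata diff.
    for u in ("gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp",
              "gcpkms:projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp/cryptoKeyVersions/1"):
        print(u, "->", check_online_uri(u))
```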

@sigstore-bot
Member Author

Current signing event state

Event sign/root-v11 (commit fda7da6)

❌ root

Role root is unsigned and not yet verified
Still missing signatures from @dlorenc, @bobcallaway, @SantiagoTorres, @mnm678, @joshuagl
Signers can sign these changes by running tuf-on-ci-sign sign/root-v11

@jku
Member

jku commented Jan 20, 2025

Fixed #1339 by extending the timestamp signing period to 6 days (expiry period remains 7): what this means in practice is that timestamp now gets signed every day instead of every three days. The benefit here is that any issues with online signing are likely to have a 6-day deadline before client failures instead of a 4-day deadline.

@sigstore-bot
Member Author

Artifacts have been modified

Event sign/root-v11 (commit 4fb4d6d)
Committed metadata changes for role(s) targets.
Updating signing event state, please wait.

@sigstore-bot
Member Author

Current signing event state

Event sign/root-v11 (commit 2172801)

❌ root

Role root is unsigned and not yet verified
Still missing signatures from @mnm678, @SantiagoTorres, @joshuagl, @bobcallaway, @dlorenc
Signers can sign these changes by running tuf-on-ci-sign sign/root-v11

❌ targets

Role targets contains the following artifact changes:

  • artifact.pub: MODIFIED
  • ctfe.pub: MODIFIED
  • ctfe_2022.pub: MODIFIED
  • fulcio.crt.pem: MODIFIED
  • fulcio_intermediate_v1.crt.pem: MODIFIED
  • fulcio_v1.crt.pem: MODIFIED
  • rekor.pub: MODIFIED
  • signing_config.json: ADDED
  • trusted_root.json: MODIFIED

Role targets is unsigned and not yet verified
Still missing signatures from @mnm678, @SantiagoTorres, @joshuagl, @bobcallaway, @dlorenc
Signers can sign these changes by running tuf-on-ci-sign sign/root-v11

@@ -92,7 +72,7 @@
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n"
},
"scheme": "ecdsa-sha2-nistp256",
"x-tuf-on-ci-online-uri": "gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp"
"x-tuf-on-ci-online-uri": "gcpkms:projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp/cryptoKeyVersions/1"
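Review bot: the new `x-tuf-on-ci-online-uri` changes two things at once, dropping the `//` after `gcpkms:` and pinning `cryptoKeyVersions/1`, while the `public` PEM block above it is unchanged; worth confirming that version 1 of the `timestamp` key is the one whose public key is shown, since a mismatch would only surface when online timestamp signing next runs, and stating in the commit message that both parts of the URI change are intentional.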
@kommendorkapten kommendorkapten left a comment

Metadata changes and KMS uri changes look good.

(I know this approval will be reverted, but for the record it can be good to see that the changes themselves were approved before signers sign.)

@jku
Member

jku commented Jan 20, 2025

Agreed, changes look good to me.

Note to signers: this is the first artifact change after the migration.

  • This leads to a small hash style change for all artifacts (as tuf-on-ci uses a single hash instead of both sha256 and sha512)
  • In the tuf-on-ci-sign output all artifacts are listed as changing
  • Please review the PR to verify the actual artifact changes -- only signing_config.json and trusted_root.json change

@kommendorkapten
Member

Signing event check is failing due to a bug in TUF-on-CI, I'm looking at that now. (There is an assumption that there is only one PR with a given tip commit, but when using forks that is not the case, as just happened with the PR from Joshua.) I'll revisit this so the constraint is only one open PR for a given commit.

@kommendorkapten
Member

Fix for the bug is in place, once merged we will rebase the signing. Note that the bug is not preventing anything, it's just making the automation fail, so we don't get the nice status comments added to this PR.

Contributor

@haydentherapper haydentherapper left a comment


These changes LGTM.

Did we want to rotate any signers?

@kommendorkapten
Member

@haydentherapper

Did we want to rotate any signers?

Not this round.

@jku
Member

jku commented Jan 21, 2025

Fix for the bug is in place, once merged we will rebase the signing. Note that the bug is not preventing anything, it's just making the automation fail, so we don't get the nice status comments added to this PR.

Rebasing this PR on main now to hopefully get the status check fixed up.

github-actions bot and others added 8 commits January 21, 2025 11:04
Signed-off-by: TUF-on-CI <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Jussi Kukkonen <[email protected]>
Fix online key id as per #1347. Note that this does not change the
actual key material.

Signed-off-by: Jussi Kukkonen <[email protected]>
Added client signing config. See PR #1412 for initial review

Signed-off-by: Fredrik Skogman <[email protected]>
See PR #1412 for initial review

Signed-off-by: Fredrik Skogman <[email protected]>
Signed-off-by: TUF-on-CI <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Joshua Lock <[email protected]>
@sigstore-bot
Member Author

Current signing event state

Event sign/root-v11 (commit 8649795)

❌ root

Role root is not yet verified. It is signed by 1/3 (1/3) signers (@joshuagl).
Still missing signatures from @SantiagoTorres, @mnm678, @bobcallaway, @dlorenc
Signers can sign these changes by running tuf-on-ci-sign sign/root-v11

❌ targets

Role targets contains the following artifact changes:

  • artifact.pub: MODIFIED
  • ctfe.pub: MODIFIED
  • ctfe_2022.pub: MODIFIED
  • fulcio.crt.pem: MODIFIED
  • fulcio_intermediate_v1.crt.pem: MODIFIED
  • fulcio_v1.crt.pem: MODIFIED
  • rekor.pub: MODIFIED
  • signing_config.json: ADDED
  • trusted_root.json: MODIFIED

Role targets is not yet verified. It is signed by 1/3 signers (@joshuagl).
Still missing signatures from @SantiagoTorres, @dlorenc, @mnm678, @bobcallaway
Signers can sign these changes by running tuf-on-ci-sign sign/root-v11

Signed-off-by: Bob Callaway <[email protected]>
@sigstore-bot
Member Author

Current signing event state

Event sign/root-v11 (commit 996d98c)

❌ root

Role root is not yet verified. It is signed by 2/3 (2/3) signers (@bobcallaway, @joshuagl).
Still missing signatures from @mnm678, @dlorenc, @SantiagoTorres
Signers can sign these changes by running tuf-on-ci-sign sign/root-v11

❌ targets

Role targets contains the following artifact changes:

  • artifact.pub: MODIFIED
  • ctfe.pub: MODIFIED
  • ctfe_2022.pub: MODIFIED
  • fulcio.crt.pem: MODIFIED
  • fulcio_intermediate_v1.crt.pem: MODIFIED
  • fulcio_v1.crt.pem: MODIFIED
  • rekor.pub: MODIFIED
  • signing_config.json: ADDED
  • trusted_root.json: MODIFIED

Role targets is not yet verified. It is signed by 2/3 signers (@bobcallaway, @joshuagl).
Still missing signatures from @mnm678, @dlorenc, @SantiagoTorres
Signers can sign these changes by running tuf-on-ci-sign sign/root-v11

@jku jku linked an issue Jan 21, 2025 that may be closed by this pull request
@sigstore-bot
Member Author

Current signing event state

Event sign/root-v11 (commit 04775c6)

✅ root

Role root is verified and signed by 3/3 (3/3) signers (@bobcallaway, @mnm678, @joshuagl).
Still missing signatures from @dlorenc, @SantiagoTorres
Signers can sign these changes by running tuf-on-ci-sign sign/root-v11

✅ targets

Role targets contains the following artifact changes:

  • artifact.pub: MODIFIED
  • ctfe.pub: MODIFIED
  • ctfe_2022.pub: MODIFIED
  • fulcio.crt.pem: MODIFIED
  • fulcio_intermediate_v1.crt.pem: MODIFIED
  • fulcio_v1.crt.pem: MODIFIED
  • rekor.pub: MODIFIED
  • signing_config.json: ADDED
  • trusted_root.json: MODIFIED

Role targets is verified and signed by 3/3 signers (@mnm678, @bobcallaway, @joshuagl).
Still missing signatures from @dlorenc, @SantiagoTorres
Signers can sign these changes by running tuf-on-ci-sign sign/root-v11

Signing event is successful

Threshold of signatures has been reached: this signing event can be reviewed and merged.

@sigstore-bot sigstore-bot marked this pull request as ready for review January 24, 2025 07:46
Successfully merging this pull request may close these issues.

2025 Jan/Feb signing event
7 participants