
repo: Add workaround for sigstore KMS keyid #423

Merged
merged 1 commit into from
Sep 2, 2024

Conversation

jku
Member

@jku jku commented Aug 31, 2024

The sigstore root-signing online key keyid was entered incorrectly: Add a workaround here so there is more time to fix the actual keyid.

Fixes #422


DRAFT while I am not sure of the actual key version

@jku
Member Author

jku commented Sep 2, 2024

I don't have the GCP permissions to test this but Bob confirmed the current version is 1.

@jku jku marked this pull request as ready for review September 2, 2024 06:32
@jku jku marked this pull request as draft September 2, 2024 06:33
The sigstore root-signing online key keyid was entered incorrectly:
Add a workaround here so there is more time to fix the actual keyid.

Fixes theupdateframework#422
@jku jku force-pushed the workaround-sigstore-kms-keyid branch from d7c03ca to 1d90720 Compare September 2, 2024 06:38
@jku
Member Author

jku commented Sep 2, 2024

There were actually two issues with the key, both appeared because I just copied the similar-looking but not identical format from legacy root-signing:

  • should start with just "gcpkms:" not "gcpkms://"
  • must contain version number in the end

This is the incorrect legacy format:
gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp
this is the fixed format:
gcpkms:projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp/cryptoKeyVersions/1
here is another key that works on tuf-on-ci for comparison:
gcpkms:projects/python-tuf-kms/locations/global/keyRings/tuf-demo/cryptoKeys/snapshot/cryptoKeyVersions/1

@jku jku marked this pull request as ready for review September 2, 2024 06:43
@@ -228,6 +228,15 @@ def close(self, rolename: str, md: Metadata) -> None:
for key in self._get_keys(rolename):
if rolename in ["timestamp", "snapshot"]:
uri = key.unrecognized_fields[TAG_ONLINE_URI]

# FIXME: workaround for issue #422, only needed while sigstore
# root-signing online key keyid is incorrect
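Review bot: the FIXME at the end of the hunk names issue #422 but not the condition under which the workaround can be deleted; state it explicitly so the rewrite does not outlive the fix, e.g. `# FIXME: remove once #422 is closed and the keyid in sigstore root-signing metadata is corrected`. Also note that this sits inside `for key in self._get_keys(rolename)` for every timestamp and snapshot key, so the rewrite below should match only the one known-bad `gcpkms://` URI rather than any online URI, otherwise other deployments' keys could be silently altered.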
Member

Instead of this hard-coded rewrite, how about a version that detects the invalid format (wrong scheme and missing version) and uses that before instantiating the key via Signer.priv_key_from_uri?
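The two format defects jku lists above (the `gcpkms://` scheme and the missing `cryptoKeyVersions/<n>` suffix) and the reviewer's suggestion of detecting the invalid format instead of hard-coding one URI are combined here in an added example; this is not tuf-on-ci's own code, and the function names are mine. The sample URIs are the ones quoted in the thread; the version number appended when one is missing is a parameter (the thread confirmed 1), not something read from GCP, and the final `Signer` instantiation via securesystemslib is deliberately left out.

```python
from __future__ import annotations

import re

# Resource path that the "gcpkms:" signer scheme expects, matching the two
# working URIs quoted in the PR thread: it must name a key *version*.
_KEY_PATH = r"projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+"
_KEY_VERSION_RE = re.compile(rf"^{_KEY_PATH}/cryptoKeyVersions/[0-9]+$")
_KEY_RE = re.compile(rf"^{_KEY_PATH}$")


def diagnose_gcpkms_uri(uri: str) -> list[str]:
    """Return the legacy-format defects present in `uri`.

    Defect labels are this example's own:
      "wrong-scheme"    -> written as "gcpkms://..." instead of "gcpkms:..."
      "missing-version" -> key path lacks the trailing "/cryptoKeyVersions/<n>"
    An empty list means the URI is already in the accepted format.
    Raises ValueError for anything that is not a recognizable gcpkms URI,
    so a typo is never quietly turned into a different key.
    """
    scheme, sep, path = uri.partition(":")
    if not sep or scheme != "gcpkms":
        raise ValueError(f"not a gcpkms URI: {uri!r}")
    defects: list[str] = []
    if path.startswith("//"):
        defects.append("wrong-scheme")
        path = path[2:]
    if _KEY_VERSION_RE.match(path):
        return defects
    if _KEY_RE.match(path):
        defects.append("missing-version")
        return defects
    raise ValueError(f"unrecognized gcpkms key path: {path!r}")


def normalize_gcpkms_uri(uri: str, default_version: int = 1) -> str:
    """Rewrite a legacy-format gcpkms URI into the accepted format.

    Only the two known defects are repaired; `default_version` is appended
    when the version component is missing (hypothetical parameter; the PR
    thread confirmed version 1 for the sigstore key).
    """
    defects = diagnose_gcpkms_uri(uri)  # validates scheme and path shape
    path = uri.partition(":")[2]
    if "wrong-scheme" in defects:
        path = path[2:]
    if "missing-version" in defects:
        path = f"{path}/cryptoKeyVersions/{default_version}"
    return f"gcpkms:{path}"


if __name__ == "__main__":
    # The incorrect legacy URI and the corrected one from the thread.
    legacy = ("gcpkms://projects/sigstore-root-signing/locations/global"
              "/keyRings/root/cryptoKeys/timestamp")
    print(diagnose_gcpkms_uri(legacy))
    print(normalize_gcpkms_uri(legacy))
```

Calling `normalize_gcpkms_uri` on the online URI before handing it to the signer replaces the hard-coded string comparison with a check that also covers any other key written in the legacy format, while still refusing URIs whose shape it does not recognize.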

@jku jku merged commit 1d84d25 into theupdateframework:main Sep 2, 2024
5 checks passed
Successfully merging this pull request may close these issues.

investigate workaround for root-signing issue