Delegation documentation #728
Conversation
I haven't been paying enough attention here of late and this looks so cool, I hope this review is useful!
After the delegation metadata is added and signed, the delegation | ||
keyholder should open a PR against the ceremony branch. | ||
The name of the PR MUST be `feat/add-delegation for | ||
<delegation-name>`. |
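Review bot: the naming rule in the last two lines, `feat/add-delegation for <delegation-name>`, reads as a branch-style prefix followed by prose, so it is ambiguous whether this is the PR title, the branch name, or both, and whether the space and the angle brackets are literal; since the rule is stated as a MUST, give one concrete rendered example (e.g. the title a keyholder would actually type) and say which field it applies to.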
Can we provide a snippet here?
For an example PR, i.e. the updated targets.json and an example role metadata file?
A lot of the PR generation in this repo is automated, I'm wondering if we can do the same here? Maybe an enhancement in a future PR?
Yes, I have tooling for this that manages all the work, but currently it's not OSS. I would like to make it so pretty soon.
I'll file a follow-up issue with references to these comments.
|
||
As part of running the `add-delegaton` command, a POP (proof of | ||
possession) has to be generated too. The computed POP should be stored | ||
in `${REPO}/staged/${FORK_POINT}.sig`, where the fork point is the |
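Review bot: `add-delegaton` in the first line is missing an "i" and does not match `add-delegation`, the spelling used in the PR naming rule earlier in this document; a keyholder copying the command name from here will get an unknown-command error, so fix it to `add-delegation`.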
When you say "should be stored in", does that mean the person following these instructions has to do something? If this is done automatically by one of the commands below, we might say "will be stored in ...".
Currently there is no automation done for this, but it's shown in the stanza below:
# The assignment has to be its own command. Written as a prefix to ./tuf
# (FORK_POINT=... ./tuf ...) it only reaches ./tuf's environment, and the
# ${FORK_POINT} in the arguments and the redirection expands to empty.
$ FORK_POINT=$(git merge-base --fork-point origin/main "${BRANCH}")
$ ./tuf key-pop-sign \
    -key "${KEY_REF}" \
    -challenge "${DELEGATION_NAME}" \
    -nonce "${FORK_POINT}" > "${REPO}/staged/${FORK_POINT}.sig"
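To make concrete what the proof of possession in the stanza above binds together (the delegation name as the challenge, the fork-point commit as the nonce), here is an added Go example. It is not part of this PR and is not root-signing's `tuf key-pop-sign` implementation: the domain string, the length-prefixed message encoding, the Ed25519 key derived from a constant seed and the sample delegation name and commit ids are all assumptions constructed for the example. What it shows is why the nonce matters: a POP signed for one fork point or one delegation does not verify for another, so a stale signature cannot be replayed into a different ceremony branch.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Domain separator for the signed message. ASSUMPTION: chosen for this
// example only; it is not the string used by root-signing's key-pop-sign.
const popDomain = "example-delegation-pop-v1"

// Constructed sample values: a delegation name and two fork-point commit ids.
const (
	sampleDelegation = "example-delegation"
	sampleForkPoint  = "0123456789abcdef0123456789abcdef01234567"
	otherForkPoint   = "fedcba9876543210fedcba9876543210fedcba98"
)

// popMessage builds the byte string the proof of possession signs. It binds
// the challenge (delegation name) and the nonce (fork-point commit, 40 hex
// chars). The challenge carries a length prefix so that challenge and nonce
// cannot be re-split into a different pair. ASSUMPTION: illustrative encoding.
func popMessage(challenge, nonce string) ([]byte, error) {
	if challenge == "" {
		return nil, errors.New("challenge (delegation name) must not be empty")
	}
	if len(nonce) != 40 {
		return nil, fmt.Errorf("nonce must be a 40-hex-char commit id, got %d chars", len(nonce))
	}
	commit, err := hex.DecodeString(nonce)
	if err != nil {
		return nil, fmt.Errorf("nonce is not hex: %w", err)
	}
	var clen [4]byte
	binary.BigEndian.PutUint32(clen[:], uint32(len(challenge)))
	msg := []byte(popDomain)
	msg = append(msg, clen[:]...)
	msg = append(msg, challenge...)
	msg = append(msg, commit...) // fixed 20 bytes, no prefix needed
	return msg, nil
}

// signPOP produces the proof of possession for one delegation on one fork point.
func signPOP(priv ed25519.PrivateKey, challenge, nonce string) ([]byte, error) {
	msg, err := popMessage(challenge, nonce)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// verifyPOP is what a ceremony reviewer would run against the delegation's
// public key, the delegation name from the PR and the fork point of the branch.
func verifyPOP(pub ed25519.PublicKey, challenge, nonce string, sig []byte) bool {
	msg, err := popMessage(challenge, nonce)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// demoKeyPair derives a fixed key pair from a constant seed so the example is
// reproducible. A real delegation key would live in a KMS or hardware token.
func demoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = byte(i + 1)
	}
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKeyPair()
	sig, err := signPOP(priv, sampleDelegation, sampleForkPoint)
	if err != nil {
		panic(err)
	}
	fmt.Printf("staged/%s.sig = %s\n", sampleForkPoint, hex.EncodeToString(sig))
	fmt.Println("same delegation, same fork point:  ", verifyPOP(pub, sampleDelegation, sampleForkPoint, sig))
	fmt.Println("replayed on a different fork point:", verifyPOP(pub, sampleDelegation, otherForkPoint, sig))
	fmt.Println("replayed for a different delegation:", verifyPOP(pub, "other-delegation", sampleForkPoint, sig))
}
```

The check a reviewer cares about is the second and third verification: the same signature bytes fail as soon as either the fork point or the delegation name changes, which is the property that makes storing the POP under `${FORK_POINT}.sig` meaningful.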
Or there is, but none that's open source. Yet.
Currently there is no automation done for this, but it's shown in the stanza below:
This is probably sufficient for now, thanks.
The example in the documentation should show all steps required to create a delegation, and then the delegate owner could open a PR with the change-set to have it merged. So there should be no uncertainties; if there are, let me know and I will update the doc 😄
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Co-authored-by: asraa <asraa@google.com> Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Co-authored-by: Joshua Lock <joshuagloe@gmail.com> Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
aa926ed to 292db86
Summary
Closes #703
Adds documentation on how to add a delegation during a signing ceremony.
Rendered version
Release Note
N/A
Documentation
This PR is the updated documentation