Delegation documentation #728
Conversation
| After the delegation metadata is added and signed, the delegation | ||
| keyholder should open a PR against the ceremony branch. | ||
| The name of the PR MUST be `feat/add-delegation for | ||
| <delegation-name>`. |
There was a problem hiding this comment.
Can we provide a snippet here?
There was a problem hiding this comment.
For an example PR, i.e the updated targets.json and an example role metadata file?
There was a problem hiding this comment.
A lot of the PR generation in this repo is automated, I'm wondering if we can do the same here? Maybe an enhancement in a future PR?
There was a problem hiding this comment.
Yes, I have tooling for this, that manages all the work but currently it's not OSS. I would like to make so pretty soon.
There was a problem hiding this comment.
I'll file a follow-up issue with references to these comments.
|
|
||
| As part of running the `add-delegaton` command, a POP (proof of | ||
| possession) has to be generated too. The computed POP should be stored | ||
| in `${REPO}/staged/${FORK_POINT}.sig`, where the fork point is the |
There was a problem hiding this comment.
when you say "should be stored in" does that mean the person following these instructions has to do something? if this is done automatically by one of the commands below, we might say "will be stored in ..."
There was a problem hiding this comment.
Currently there is no automation done for this, but it's shown in the stanza below:
$ FORK_POINT=$(git merge-base --fork-point origin/main "${BRANCH}") \
./tuf key-pop-sign \
-key ${KEY_REF} \
-challenge ${DELEGATION_NAME} \
-nonce ${FORK_POINT} > ${REPO}/staged/${FORK_POINT}.sig
There was a problem hiding this comment.
Or there is, but none that's open source. Yet.
There was a problem hiding this comment.
Currently there is no automation done for this, but it's shown in the stanza below:
This is probably sufficient for now, thanks.
There was a problem hiding this comment.
The example in the documentation should show all steps required to create a delegation, and then the delegate owner could open a PR with the change-set to have it merged. So there should be no uncertainties, if so let me know and I will update the doc 😄
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Co-authored-by: asraa <asraa@google.com> Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Co-authored-by: asraa <asraa@google.com> Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Co-authored-by: asraa <asraa@google.com> Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Co-authored-by: Joshua Lock <joshuagloe@gmail.com> Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Co-authored-by: Joshua Lock <joshuagloe@gmail.com> Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Co-authored-by: Joshua Lock <joshuagloe@gmail.com> Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
kommendorkapten
force-pushed
the
delegation_documentaton
branch
from
aa926ed
to
292db86
Compare
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Co-authored-by: asraa <asraa@google.com> Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
| After the delegation metadata is added and signed, the delegation | ||
| keyholder should open a PR against the ceremony branch. | ||
| The name of the PR MUST be `feat/add-delegation for | ||
| <delegation-name>`. |
|
|
||
| As part of running the `add-delegaton` command, a POP (proof of | ||
| possession) has to be generated too. The computed POP should be stored | ||
| in `${REPO}/staged/${FORK_POINT}.sig`, where the fork point is the |
Co-authored-by: asraa <asraa@google.com> Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Summary
Closes #703
Adds documentation on how to add a delegation during a signing ceremony.
Rendered version
Release Note
N/A
Documentation
This PR is the updated documentation