[wicketd] Accept TUF repos with RoT archives signed with different keys #4289
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…/CFPA verification
jgallagher
force-pushed
the
wicketd-tuf-repo-multiple-rot-keys
branch
from
916226c to
4302c93
Compare
jgallagher
commented
Oct 18, 2023
| # boards. While we still need to build multiple TUF repos, | ||
| # `add_hubris_artifacts` below will append RoT images to this manifest (in | ||
| # addition to the single-RoT manifest it creates). | ||
| prep_rot_all_series() { |
There was a problem hiding this comment.
@iliana You probably care most about the changes here. They feel pretty janky, but (a) it wasn't clear how to fit this into the existing add_hubris_artifacts and (b) once we don't need the separate staging/dev and prod/rel TUF repos, we can probably drop most of what makes it ugly. Happy to do any cleanup if there's a nicer way to do this for now, though!
There was a problem hiding this comment.
No more janky than the rest of the script. :) I am excited to clean this up after all known racks have updated beyond this PR!
iliana
approved these changes
Oct 18, 2023
andrewjstone
approved these changes
Oct 19, 2023
| // Read the CMPA and currently-active CFPA so we can find the | ||
| // correctly-signed artifact. | ||
| let base64_decode_rot_page = |data: String| { | ||
| // Even though we know `data` should decode to exactly |
| )), | ||
| } | ||
| })?; | ||
| match archive.verify(&cmpa, &cfpa) { |
There was a problem hiding this comment.
It's handy that this function exists! 😄
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As of this PR, wicketd will (a) accept TUF repos containing multiple RoT archives for the same board target (e.g., multiple gimlet RoT images), and when performing a mupdate, it will ask the RoT for its currently-active CMPA and CFPA pages and search for an RoT archive that matches.
After this is deployed to all fielded systems, we'll be able to drop the
-rot-staging-devand-prod-relTUF repos from CI, and only build a single TUF repo with all RoT images. This PR adds a new-rot-allTUF repo publishing step but does not remove the old ones, as we'll need them to update into this version of wicketd.