stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

fix tests. new product advisories enhancements

Browse Source
This commit is contained in:
master
2026-01-25 19:11:36 +02:00
parent c70e83719e
commit 6e687b523a
504 changed files with 40610 additions and 3785 deletions
Download Patch File Download Diff File Expand all files Collapse all files

162
devops/trust-repo-template/README.md Normal file
View File

@@ -0,0 +1,162 @@
# Stella TUF Trust Repository Template
This directory contains a template for creating a TUF (The Update Framework) repository
for distributing trust anchors to StellaOps clients.
## WARNING
**The sample keys in this template are for DEMONSTRATION ONLY.**
**DO NOT USE THESE KEYS IN PRODUCTION.**
Generate new keys using the `scripts/init-tuf-repo.sh` script before deploying.
## Directory Structure
```
stella-trust/
├── root.json # Root metadata (rotates rarely, high ceremony)
├── snapshot.json # Current target versions
├── timestamp.json # Freshness indicator (rotates frequently)
├── targets.json # Target file metadata
└── targets/
├── rekor-key-v1.pub # Rekor log public key
├── fulcio-chain.pem # Fulcio certificate chain
└── sigstore-services-v1.json # Service endpoint map
```
## Quick Start
### 1. Initialize a New Repository
```bash
# Generate new signing keys (do this in a secure environment)
./scripts/init-tuf-repo.sh /path/to/new-repo
# This creates:
# - Root key (keep offline, backup securely)
# - Snapshot key
# - Timestamp key
# - Targets key
# - Initial metadata files
```
### 2. Add a Target
```bash
# Add Rekor public key as a target
./scripts/add-target.sh /path/to/rekor-key.pub rekor-key-v1
# Add service map
./scripts/add-target.sh /path/to/sigstore-services.json sigstore-services-v1
```
### 3. Publish Updates
```bash
# Update timestamp (do this regularly, e.g., daily)
./scripts/update-timestamp.sh
# The timestamp.json should be refreshed frequently to maintain client trust
```
### 4. Deploy
Host the repository contents on a web server:
- HTTPS required for production
- Set appropriate cache headers (short TTL for timestamp.json)
- Consider CDN for global distribution
## Key Management
### Key Hierarchy
```
Root Key (offline, high ceremony)
├── Snapshot Key (can be online)
├── Timestamp Key (must be online for automation)
└── Targets Key (can be online)
```
### Security Recommendations
1. **Root Key**: Store offline in HSM or air-gapped system. Only use for:
- Initial repository creation
- Root key rotation (rare)
- Emergency recovery
2. **Snapshot/Targets Keys**: Can be stored in secure KMS for automation.
3. **Timestamp Key**: Must be accessible for automated updates. Use short-lived
credentials and rotate regularly.
### Key Rotation
See `docs/operations/key-rotation-runbook.md` for detailed procedures.
Quick rotation example:
```bash
# Add new key while keeping old one active
./scripts/rotate-key.sh targets --add-key /path/to/new-key.pub
# After grace period (clients have updated), remove old key
./scripts/rotate-key.sh targets --remove-key old-key-id
```
## Client Configuration
Configure StellaOps clients to use your TUF repository:
```yaml
attestor:
trust_repo:
enabled: true
tuf_url: https://trust.yourcompany.com/tuf/
service_map_target: sigstore-services-v1
rekor_key_targets:
- rekor-key-v1
```
Or via CLI:
```bash
stella trust init \
--tuf-url https://trust.yourcompany.com/tuf/ \
--service-map sigstore-services-v1 \
--pin rekor-key-v1
```
## Metadata Expiration
Default expiration times (configurable in init script):
- `root.json`: 365 days
- `snapshot.json`: 7 days
- `timestamp.json`: 1 day
- `targets.json`: 30 days
Clients will refuse to use metadata past its expiration. Ensure automated
timestamp updates are running.
## Troubleshooting
### Client reports "metadata expired"
The timestamp.json hasn't been updated. Run:
```bash
./scripts/update-timestamp.sh
```
### Client reports "signature verification failed"
Keys may have rotated without client update. Client should run:
```bash
stella trust sync --force
```
### Client reports "unknown target"
Target hasn't been added to repository. Add it:
```bash
./scripts/add-target.sh /path/to/target target-name
```
## References
- [TUF Specification](https://theupdateframework.github.io/specification/latest/)
- [StellaOps Trust Documentation](docs/modules/attestor/tuf-integration.md)
- [Key Rotation Runbook](docs/operations/key-rotation-runbook.md)

42
devops/trust-repo-template/root.json.sample Normal file
View File

@@ -0,0 +1,42 @@
{
"signed": {
"_type": "root",
"spec_version": "1.0.0",
"version": 1,
"expires": "2027-01-25T00:00:00Z",
"keys": {
"SAMPLE_ROOT_KEY_ID_DO_NOT_USE": {
"keytype": "ed25519",
"scheme": "ed25519",
"keyval": {
"public": "SAMPLE_PUBLIC_KEY_BASE64_DO_NOT_USE"
}
}
},
"roles": {
"root": {
"keyids": ["SAMPLE_ROOT_KEY_ID_DO_NOT_USE"],
"threshold": 1
},
"snapshot": {
"keyids": ["SAMPLE_SNAPSHOT_KEY_ID"],
"threshold": 1
},
"timestamp": {
"keyids": ["SAMPLE_TIMESTAMP_KEY_ID"],
"threshold": 1
},
"targets": {
"keyids": ["SAMPLE_TARGETS_KEY_ID"],
"threshold": 1
}
},
"consistent_snapshot": true
},
"signatures": [
{
"keyid": "SAMPLE_ROOT_KEY_ID_DO_NOT_USE",
"sig": "SAMPLE_SIGNATURE_DO_NOT_USE"
}
]
}

150
devops/trust-repo-template/scripts/add-target.sh Normal file
View File

@@ -0,0 +1,150 @@
#!/bin/bash
# -----------------------------------------------------------------------------
# add-target.sh
# Sprint: SPRINT_20260125_001_Attestor_tuf_trust_foundation
# Task: TUF-006 - Create TUF repository structure template
# Description: Add a new target file to the TUF repository
# -----------------------------------------------------------------------------
set -euo pipefail
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
usage() {
echo "Usage: $0 <source-file> <target-name> [options]"
echo ""
echo "Add a target file to the TUF repository."
echo ""
echo "Options:"
echo " --repo DIR Repository directory (default: current directory)"
echo " --custom-hash HASH Override SHA256 hash (for testing only)"
echo " -h, --help Show this help message"
echo ""
echo "Example:"
echo " $0 /path/to/rekor-key.pub rekor-key-v1"
echo " $0 /path/to/services.json sigstore-services-v1 --repo /var/lib/tuf"
exit 1
}
log_info() { echo -e "${GREEN}[INFO]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
SOURCE_FILE=""
TARGET_NAME=""
REPO_DIR="."
CUSTOM_HASH=""
while [[ $# -gt 0 ]]; do
case $1 in
--repo)
REPO_DIR="$2"
shift 2
;;
--custom-hash)
CUSTOM_HASH="$2"
shift 2
;;
-h|--help)
usage
;;
*)
if [[ -z "$SOURCE_FILE" ]]; then
SOURCE_FILE="$1"
elif [[ -z "$TARGET_NAME" ]]; then
TARGET_NAME="$1"
else
log_error "Unknown argument: $1"
usage
fi
shift
;;
esac
done
if [[ -z "$SOURCE_FILE" ]] || [[ -z "$TARGET_NAME" ]]; then
log_error "Source file and target name are required"
usage
fi
if [[ ! -f "$SOURCE_FILE" ]]; then
log_error "Source file not found: $SOURCE_FILE"
exit 1
fi
if [[ ! -f "$REPO_DIR/targets.json" ]]; then
log_error "Not a TUF repository: $REPO_DIR (targets.json not found)"
exit 1
fi
# Calculate file hash and size
FILE_SIZE=$(stat -f%z "$SOURCE_FILE" 2>/dev/null || stat -c%s "$SOURCE_FILE")
if [[ -n "$CUSTOM_HASH" ]]; then
FILE_HASH="$CUSTOM_HASH"
else
FILE_HASH=$(openssl dgst -sha256 -hex "$SOURCE_FILE" | awk '{print $2}')
fi
log_info "Adding target: $TARGET_NAME"
log_info " Source: $SOURCE_FILE"
log_info " Size: $FILE_SIZE bytes"
log_info " SHA256: $FILE_HASH"
# Copy file to targets directory
TARGETS_DIR="$REPO_DIR/targets"
mkdir -p "$TARGETS_DIR"
cp "$SOURCE_FILE" "$TARGETS_DIR/$TARGET_NAME"
# Update targets.json
# This is a simplified implementation - production should use proper JSON manipulation
TARGETS_JSON="$REPO_DIR/targets.json"
# Read current version
CURRENT_VERSION=$(grep -o '"version"[[:space:]]*:[[:space:]]*[0-9]*' "$TARGETS_JSON" | head -1 | grep -o '[0-9]*')
NEW_VERSION=$((CURRENT_VERSION + 1))
# Calculate new expiry (30 days from now)
NEW_EXPIRES=$(date -u -d "+30 days" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v+30d +%Y-%m-%dT%H:%M:%SZ)
log_info "Updating targets.json (version $CURRENT_VERSION -> $NEW_VERSION)"
# Create new targets entry
python3 - "$TARGETS_JSON" "$TARGET_NAME" "$FILE_SIZE" "$FILE_HASH" "$NEW_VERSION" "$NEW_EXPIRES" << 'PYTHON_SCRIPT'
import json
import sys
targets_file = sys.argv[1]
target_name = sys.argv[2]
file_size = int(sys.argv[3])
file_hash = sys.argv[4]
new_version = int(sys.argv[5])
new_expires = sys.argv[6]
with open(targets_file, 'r') as f:
data = json.load(f)
data['signed']['version'] = new_version
data['signed']['expires'] = new_expires
data['signed']['targets'][target_name] = {
'length': file_size,
'hashes': {
'sha256': file_hash
}
}
# Clear signatures (need to re-sign)
data['signatures'] = []
with open(targets_file, 'w') as f:
json.dump(data, f, indent=2)
print(f"Updated {targets_file}")
PYTHON_SCRIPT
log_info ""
log_info "Target added successfully!"
log_warn "IMPORTANT: targets.json signatures have been cleared."
log_warn "Run the signing script to re-sign metadata before publishing."

314
devops/trust-repo-template/scripts/init-tuf-repo.sh Normal file
View File

@@ -0,0 +1,314 @@
#!/bin/bash
# -----------------------------------------------------------------------------
# init-tuf-repo.sh
# Sprint: SPRINT_20260125_001_Attestor_tuf_trust_foundation
# Task: TUF-006 - Create TUF repository structure template
# Description: Initialize a new TUF repository with signing keys
# -----------------------------------------------------------------------------
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
TEMPLATE_DIR="$(dirname "$SCRIPT_DIR")"
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
usage() {
echo "Usage: $0 <output-directory> [options]"
echo ""
echo "Initialize a new TUF repository for StellaOps trust distribution."
echo ""
echo "Options:"
echo " --key-type TYPE Key algorithm: ed25519 (default), ecdsa-p256"
echo " --root-expiry DAYS Root metadata expiry (default: 365)"
echo " --force Overwrite existing repository"
echo " -h, --help Show this help message"
echo ""
echo "Example:"
echo " $0 /var/lib/stellaops/trust-repo --key-type ed25519"
exit 1
}
log_info() {
echo -e "${GREEN}[INFO]${NC} $1"
}
log_warn() {
echo -e "${YELLOW}[WARN]${NC} $1"
}
log_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
# Parse arguments
OUTPUT_DIR=""
KEY_TYPE="ed25519"
ROOT_EXPIRY=365
FORCE=false
while [[ $# -gt 0 ]]; do
case $1 in
--key-type)
KEY_TYPE="$2"
shift 2
;;
--root-expiry)
ROOT_EXPIRY="$2"
shift 2
;;
--force)
FORCE=true
shift
;;
-h|--help)
usage
;;
*)
if [[ -z "$OUTPUT_DIR" ]]; then
OUTPUT_DIR="$1"
else
log_error "Unknown argument: $1"
usage
fi
shift
;;
esac
done
if [[ -z "$OUTPUT_DIR" ]]; then
log_error "Output directory is required"
usage
fi
# Check if directory exists
if [[ -d "$OUTPUT_DIR" ]] && [[ "$FORCE" != "true" ]]; then
log_error "Directory already exists: $OUTPUT_DIR"
log_error "Use --force to overwrite"
exit 1
fi
# Create directory structure
log_info "Creating TUF repository at: $OUTPUT_DIR"
mkdir -p "$OUTPUT_DIR/keys" "$OUTPUT_DIR/targets"
# Generate keys
log_info "Generating signing keys (type: $KEY_TYPE)..."
generate_key() {
local name=$1
local key_file="$OUTPUT_DIR/keys/$name"
case $KEY_TYPE in
ed25519)
# Generate Ed25519 key pair
openssl genpkey -algorithm ED25519 -out "$key_file.pem" 2>/dev/null
openssl pkey -in "$key_file.pem" -pubout -out "$key_file.pub" 2>/dev/null
;;
ecdsa-p256)
# Generate ECDSA P-256 key pair
openssl ecparam -name prime256v1 -genkey -noout -out "$key_file.pem" 2>/dev/null
openssl ec -in "$key_file.pem" -pubout -out "$key_file.pub" 2>/dev/null
;;
*)
log_error "Unknown key type: $KEY_TYPE"
exit 1
;;
esac
chmod 600 "$key_file.pem"
log_info " Generated: $name"
}
generate_key "root"
generate_key "snapshot"
generate_key "timestamp"
generate_key "targets"
# Calculate expiration dates
NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
ROOT_EXPIRES=$(date -u -d "+${ROOT_EXPIRY} days" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v+${ROOT_EXPIRY}d +%Y-%m-%dT%H:%M:%SZ)
SNAPSHOT_EXPIRES=$(date -u -d "+7 days" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v+7d +%Y-%m-%dT%H:%M:%SZ)
TIMESTAMP_EXPIRES=$(date -u -d "+1 day" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v+1d +%Y-%m-%dT%H:%M:%SZ)
TARGETS_EXPIRES=$(date -u -d "+30 days" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v+30d +%Y-%m-%dT%H:%M:%SZ)
# Get key IDs (SHA256 of public key)
get_key_id() {
local pubkey_file=$1
openssl pkey -pubin -in "$pubkey_file" -outform DER 2>/dev/null | openssl dgst -sha256 -hex | awk '{print $2}'
}
ROOT_KEY_ID=$(get_key_id "$OUTPUT_DIR/keys/root.pub")
SNAPSHOT_KEY_ID=$(get_key_id "$OUTPUT_DIR/keys/snapshot.pub")
TIMESTAMP_KEY_ID=$(get_key_id "$OUTPUT_DIR/keys/timestamp.pub")
TARGETS_KEY_ID=$(get_key_id "$OUTPUT_DIR/keys/targets.pub")
# Create root.json
log_info "Creating metadata files..."
cat > "$OUTPUT_DIR/root.json" << EOF
{
"signed": {
"_type": "root",
"spec_version": "1.0.0",
"version": 1,
"expires": "$ROOT_EXPIRES",
"keys": {
"$ROOT_KEY_ID": {
"keytype": "$KEY_TYPE",
"scheme": "$KEY_TYPE",
"keyval": {
"public": "$(base64 -w0 "$OUTPUT_DIR/keys/root.pub")"
}
},
"$SNAPSHOT_KEY_ID": {
"keytype": "$KEY_TYPE",
"scheme": "$KEY_TYPE",
"keyval": {
"public": "$(base64 -w0 "$OUTPUT_DIR/keys/snapshot.pub")"
}
},
"$TIMESTAMP_KEY_ID": {
"keytype": "$KEY_TYPE",
"scheme": "$KEY_TYPE",
"keyval": {
"public": "$(base64 -w0 "$OUTPUT_DIR/keys/timestamp.pub")"
}
},
"$TARGETS_KEY_ID": {
"keytype": "$KEY_TYPE",
"scheme": "$KEY_TYPE",
"keyval": {
"public": "$(base64 -w0 "$OUTPUT_DIR/keys/targets.pub")"
}
}
},
"roles": {
"root": {
"keyids": ["$ROOT_KEY_ID"],
"threshold": 1
},
"snapshot": {
"keyids": ["$SNAPSHOT_KEY_ID"],
"threshold": 1
},
"timestamp": {
"keyids": ["$TIMESTAMP_KEY_ID"],
"threshold": 1
},
"targets": {
"keyids": ["$TARGETS_KEY_ID"],
"threshold": 1
}
},
"consistent_snapshot": true
},
"signatures": []
}
EOF
# Create targets.json
cat > "$OUTPUT_DIR/targets.json" << EOF
{
"signed": {
"_type": "targets",
"spec_version": "1.0.0",
"version": 1,
"expires": "$TARGETS_EXPIRES",
"targets": {}
},
"signatures": []
}
EOF
# Create snapshot.json
cat > "$OUTPUT_DIR/snapshot.json" << EOF
{
"signed": {
"_type": "snapshot",
"spec_version": "1.0.0",
"version": 1,
"expires": "$SNAPSHOT_EXPIRES",
"meta": {
"targets.json": {
"version": 1
}
}
},
"signatures": []
}
EOF
# Create timestamp.json
cat > "$OUTPUT_DIR/timestamp.json" << EOF
{
"signed": {
"_type": "timestamp",
"spec_version": "1.0.0",
"version": 1,
"expires": "$TIMESTAMP_EXPIRES",
"meta": {
"snapshot.json": {
"version": 1
}
}
},
"signatures": []
}
EOF
# Create sample service map
cat > "$OUTPUT_DIR/targets/sigstore-services-v1.json" << EOF
{
"version": 1,
"rekor": {
"url": "https://rekor.sigstore.dev",
"log_id": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d",
"public_key_target": "rekor-key-v1"
},
"fulcio": {
"url": "https://fulcio.sigstore.dev",
"root_cert_target": "fulcio-chain.pem"
},
"ct_log": {
"url": "https://ctfe.sigstore.dev"
},
"overrides": {
"staging": {
"rekor_url": "https://rekor.sigstage.dev",
"fulcio_url": "https://fulcio.sigstage.dev"
}
},
"metadata": {
"updated_at": "$NOW",
"note": "Production Sigstore endpoints"
}
}
EOF
# Copy scripts
cp "$TEMPLATE_DIR/scripts/add-target.sh" "$OUTPUT_DIR/scripts/" 2>/dev/null || true
cp "$TEMPLATE_DIR/scripts/update-timestamp.sh" "$OUTPUT_DIR/scripts/" 2>/dev/null || true
mkdir -p "$OUTPUT_DIR/scripts"
log_info ""
log_info "TUF repository initialized successfully!"
log_info ""
log_info "Directory structure:"
log_info " $OUTPUT_DIR/"
log_info " ├── keys/ # Signing keys (keep root key offline!)"
log_info " ├── targets/ # Target files"
log_info " ├── root.json # Root metadata"
log_info " ├── snapshot.json # Snapshot metadata"
log_info " ├── timestamp.json # Timestamp metadata"
log_info " └── targets.json # Targets metadata"
log_info ""
log_warn "IMPORTANT: The metadata files are NOT YET SIGNED."
log_warn "Run the signing script before publishing:"
log_warn " ./scripts/sign-metadata.sh $OUTPUT_DIR"
log_info ""
log_warn "SECURITY: Move the root key to offline storage after signing!"

189
devops/trust-repo-template/scripts/revoke-target.sh Normal file
View File

@@ -0,0 +1,189 @@
#!/bin/bash
# -----------------------------------------------------------------------------
# revoke-target.sh
# Sprint: SPRINT_20260125_003_Attestor_trust_workflows_conformance
# Task: WORKFLOW-002 - Create key rotation workflow script
# Description: Remove a target from the TUF repository
# -----------------------------------------------------------------------------
set -euo pipefail
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
log_info() { echo -e "${GREEN}[INFO]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
usage() {
echo "Usage: $0 <target-name> [options]"
echo ""
echo "Remove a target from the TUF repository."
echo ""
echo "Arguments:"
echo " target-name Name of target to remove (e.g., rekor-key-v1)"
echo ""
echo "Options:"
echo " --repo DIR TUF repository directory (default: current directory)"
echo " --archive Archive target file instead of deleting"
echo " -h, --help Show this help message"
echo ""
echo "Example:"
echo " $0 rekor-key-v1 --repo /path/to/tuf --archive"
exit 1
}
TARGET_NAME=""
REPO_DIR="."
ARCHIVE=false
while [[ $# -gt 0 ]]; do
case $1 in
--repo) REPO_DIR="$2"; shift 2 ;;
--archive) ARCHIVE=true; shift ;;
-h|--help) usage ;;
-*)
log_error "Unknown option: $1"
usage
;;
*)
if [[ -z "$TARGET_NAME" ]]; then
TARGET_NAME="$1"
else
log_error "Unexpected argument: $1"
usage
fi
shift
;;
esac
done
if [[ -z "$TARGET_NAME" ]]; then
log_error "Target name is required"
usage
fi
TARGETS_DIR="$REPO_DIR/targets"
TARGETS_JSON="$REPO_DIR/targets.json"
if [[ ! -d "$TARGETS_DIR" ]]; then
log_error "Targets directory not found: $TARGETS_DIR"
exit 1
fi
if [[ ! -f "$TARGETS_JSON" ]]; then
log_error "targets.json not found: $TARGETS_JSON"
exit 1
fi
# Find the target file
TARGET_FILE=""
for ext in "" ".pub" ".json" ".pem"; do
if [[ -f "$TARGETS_DIR/${TARGET_NAME}${ext}" ]]; then
TARGET_FILE="$TARGETS_DIR/${TARGET_NAME}${ext}"
break
fi
done
if [[ -z "$TARGET_FILE" ]]; then
log_warn "Target file not found in $TARGETS_DIR"
log_info "Continuing to remove from targets.json..."
fi
echo ""
echo "================================================"
echo " TUF Target Revocation"
echo "================================================"
echo ""
log_info "Repository: $REPO_DIR"
log_info "Target: $TARGET_NAME"
if [[ -n "$TARGET_FILE" ]]; then
log_info "File: $TARGET_FILE"
fi
echo ""
log_warn "This will remove the target from the TUF repository."
log_warn "Clients will no longer be able to fetch this target after sync."
read -p "Type 'REVOKE' to proceed: " CONFIRM
if [[ "$CONFIRM" != "REVOKE" ]]; then
log_error "Aborted"
exit 1
fi
# Remove or archive the file
if [[ -n "$TARGET_FILE" ]]; then
if [[ "$ARCHIVE" == "true" ]]; then
ARCHIVE_DIR="$REPO_DIR/archived"
mkdir -p "$ARCHIVE_DIR"
TIMESTAMP=$(date -u +%Y%m%d%H%M%S)
ARCHIVE_NAME="$(basename "$TARGET_FILE")-revoked-${TIMESTAMP}"
mv "$TARGET_FILE" "$ARCHIVE_DIR/$ARCHIVE_NAME"
log_info "Archived to: $ARCHIVE_DIR/$ARCHIVE_NAME"
else
rm -f "$TARGET_FILE"
log_info "Deleted: $TARGET_FILE"
fi
fi
# Update targets.json
if command -v python3 &>/dev/null; then
python3 - "$TARGETS_JSON" "$TARGET_NAME" << 'PYTHON_SCRIPT'
import json
import sys
targets_json = sys.argv[1]
target_name = sys.argv[2]
with open(targets_json) as f:
data = json.load(f)
# Find and remove the target
targets = data.get('signed', {}).get('targets', {})
removed = False
# Try different name variations
names_to_try = [
target_name,
f"{target_name}.pub",
f"{target_name}.json",
f"{target_name}.pem"
]
for name in names_to_try:
if name in targets:
del targets[name]
removed = True
print(f"Removed from targets.json: {name}")
break
if not removed:
print(f"Warning: Target '{target_name}' not found in targets.json")
sys.exit(0)
# Update version
if 'signed' in data:
data['signed']['version'] = data['signed'].get('version', 0) + 1
with open(targets_json, 'w') as f:
json.dump(data, f, indent=2)
print(f"Updated: {targets_json}")
PYTHON_SCRIPT
else
log_warn "Python not available. Manual update of targets.json required."
log_warn "Remove the '$TARGET_NAME' entry from $TARGETS_JSON"
fi
echo ""
log_info "Target revocation prepared."
echo ""
log_warn "NEXT STEPS (REQUIRED):"
echo " 1. Re-sign targets.json with targets key"
echo " 2. Update snapshot.json and sign with snapshot key"
echo " 3. Update timestamp.json and sign with timestamp key"
echo " 4. Deploy updated metadata to TUF server"
echo ""
log_info "Clients will stop trusting '$TARGET_NAME' after their next sync."
echo ""

35
devops/trust-repo-template/targets/sigstore-services-v1.json.sample Normal file
View File

@@ -0,0 +1,35 @@
{
"version": 1,
"rekor": {
"url": "https://rekor.sigstore.dev",
"tile_base_url": "https://rekor.sigstore.dev/api/v1/log/entries/retrieve",
"log_id": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d",
"public_key_target": "rekor-key-v1"
},
"fulcio": {
"url": "https://fulcio.sigstore.dev",
"root_cert_target": "fulcio-chain.pem"
},
"ct_log": {
"url": "https://ctfe.sigstore.dev",
"public_key_target": "ctfe-key-v1"
},
"timestamp_authority": {
"url": "https://tsa.sigstore.dev",
"cert_chain_target": "tsa-chain.pem"
},
"overrides": {
"staging": {
"rekor_url": "https://rekor.sigstage.dev",
"fulcio_url": "https://fulcio.sigstage.dev"
},
"development": {
"rekor_url": "http://localhost:3000",
"fulcio_url": "http://localhost:5555"
}
},
"metadata": {
"updated_at": "2026-01-25T00:00:00Z",
"note": "Production Sigstore public good instance endpoints"
}
}