stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
c13355923f0f663dabc6935bb3251ffb90897b12
git.stella-ops.org/docs/modules/mirror/signing-runbook.md
StellaOps Bot c13355923f
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Console CI / console-ci (push) Has been cancelled
Details
blocked 4
2025-11-23 17:53:41 +02:00

3.5 KiB
Raw Blame History

Mirror bundle signing runbook (CI)

Prerequisites

  • Ed25519 private key (PEM). Keep in CI secrets only.
  • Base64-encode the PEM: base64 -w0 mirror-ci-ed25519.pem > mirror-ci-ed25519.pem.b64.
  • Create CI secret MIRROR_SIGN_KEY_B64 with that value.

Pipeline step (Gitea example)

- name: Build/sign mirror thin bundle
  env:
    MIRROR_SIGN_KEY_B64: ${{ secrets.MIRROR_SIGN_KEY_B64 }}
    REQUIRE_PROD_SIGNING: 1
    OCI: 1
  run: |
    scripts/mirror/check_signing_prereqs.sh
    scripts/mirror/ci-sign.sh

Outputs are placed under out/mirror/thin/ and out/mirror/thin/oci/; archive these as artifacts.

How to add the secret in Gitea (one-time)

  1. Repository → Settings → Secrets.
  2. New secret: name MIRROR_SIGN_KEY_B64, value = base64-encoded Ed25519 PEM (no newlines, no header/footer).
  3. Scope: repository (or environment-specific if needed).
  4. Save. The pipeline step will skip if the secret is empty; keep it present in release branches only.

Local dry-run with test key

MIRROR_SIGN_KEY_B64=$(base64 -w0 out/mirror/thin/tuf/keys/mirror-ed25519-test-1.pem) \
OCI=1 scripts/mirror/ci-sign.sh

Temporary dev key (to unblock CI until production key is issued)

Use this throwaway Ed25519 key only for non-production runs. Replace with the real key and rotate TUF metadata immediately once Security provides the production key.

MIRROR_SIGN_KEY_B64=LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JR2pBZ0VCQkFBd0RRWUpLb1pJaHZjTkFRRUxCUUF3Z1lCakEwQmdOVkJBTVRJSEp2Y0hScGIyNHhIREFhTUE4R0ExVUVDZ3dJVkdkbFlXSnZkWEpwYm1jZ1IyOXZiR1JoYm1jd0hoY05Nakl3TlRBd05UVXpNVGMzV2hjTk1qRTFORFF3TlRVek1UYzNXakFhTVE4d0RRWURWUVFIREFKSFpuSmxaUzFwWkdWdWRDQkpiblJsYkNBeEN6QUpCZ05WQkFNTURHMWhaMkZ5WkFZRFZRUUlEQWx5YjI1MFpXNWtMV3hwYm1jZ1EwRXdIaGNOTWpBd09URTRNVEF4TmpVd1dqQllNUjh3RFFZRFZRUURFd0pIVm1WeWMybHZiaUJIYm5ScGRHVWlNQ0FHQTFVRUF3d0JiM1JoYkd4bGNpQkRiM0pwZEhrZ1EyVnlkbWxqWlhNd1doY05NakF3T1RFNE1UQXhOalV3V2pBZEJnTlZCQU1NRDhSd2IzSnNaV04wYjNKMGFXWnBZMkYwYVc5dWN6Q0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0dQQURDQ0FRb0NnZ0dCUFEvQmtSUVE5aFl4MzM5L013SEdHSWVhc3Y2cEhPMHVKLy9VRE85bnpSZThndUFCeC8zRm0zYzdzODh5Z2NhSU05bmZGQkFPUHdFZm1ZeFFHUTZudUtXaVNZN0xobDlGWmxmR1FkdHRkQWJGZGFXdGFXNWV2OGxrUmZNcU92b2cyN0szdEptc2R3bUR4aHpuK0Y4WmpQbW1qa1MyT0lYUGRxZXVuSjJJQUdQUm12K0huWThRSjA2ZTBnSk1CZkZkRXhpVFpCbkdNK2hvbTBYZ24wbE1DTHpoSExsYTZIN0NQYkFqSWhZL3B4MEh2UGtaeVc2cGl0OG9acWJ5dEJBMlVwS0RGeU5OVnRvVnFZQVg0NCtaVE5EclUxWlVLajZ1ZWhtZ0p5bThZMjl2WVZyL0JUWUpBaFZNY0I4alZXSTZVUXdPQ0F3RUFBYU1tTUNRd0N3WURWUjBUQVFIL0JBVXdBd0VCL3pBTkJna3Foa2lHOXcwQkNRRVdKREFkQmdOVkhRNEVGZ1FVdUxLRjZCcXlHWmltNVBBU2ZaZXBVVEdPaEhHa3dDZ1lJS29aSXpqMEVBd0lEU0FBd1JRSWhBTCt2bmxOZkI0czYvRDdNZ3ZKblFyZlNPeDBWb1NQWUMxcU9PdHd0aXdEb3ZkRnhHSnZLY0R3WXIvQUhTMmJzRnFJMjduRzhPRERmQm4rS1ZxL1BQT3ZMTVpkTTROblVVallNWlBLMXZWQndXVGpKeXpKV3lXUmF2dnJTd2tNQmtTRmdLWW5uU1huOGFPVnhHazRyYzlzSkpEUT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=

Do not ship with this key. Set REQUIRE_PROD_SIGNING=1 for release/tag builds so they fail without the real key.

Verification

The CI step already runs scripts/mirror/verify_thin_bundle.py. For OCI, ensure out/mirror/thin/oci/index.json references the manifest digest.

Fallback (if secret absent)

  • CI can fall back to an embedded test Ed25519 key when MIRROR_SIGN_KEY_B64 is unset only when REQUIRE_PROD_SIGNING is not set. This is for dev smoke runs; release/tag jobs must set REQUIRE_PROD_SIGNING=1 to forbid fallback.
  • For release branches, always set REQUIRE_PROD_SIGNING=1 and provide MIRROR_SIGN_KEY_B64; otherwise the step will fail early.