38 lines
1.4 KiB
Markdown
38 lines
1.4 KiB
Markdown
# Mirror bundle signing runbook (CI)
|
|
|
|
## Prerequisites
|
|
- Ed25519 private key (PEM). Keep in CI secrets only.
|
|
- Base64-encode the PEM: `base64 -w0 mirror-ci-ed25519.pem > mirror-ci-ed25519.pem.b64`.
|
|
- Create CI secret `MIRROR_SIGN_KEY_B64` with that value.
|
|
|
|
## Pipeline step (Gitea example)
|
|
```
|
|
- name: Build/sign mirror thin bundle
|
|
env:
|
|
MIRROR_SIGN_KEY_B64: ${{ secrets.MIRROR_SIGN_KEY_B64 }}
|
|
OCI: 1
|
|
run: |
|
|
scripts/mirror/check_signing_prereqs.sh
|
|
scripts/mirror/ci-sign.sh
|
|
```
|
|
Outputs are placed under `out/mirror/thin/` and `out/mirror/thin/oci/`; archive these as artifacts.
|
|
|
|
### How to add the secret in Gitea (one-time)
|
|
1. Repository → Settings → Secrets.
|
|
2. New secret: name `MIRROR_SIGN_KEY_B64`, value = base64-encoded Ed25519 PEM (no newlines, no header/footer).
|
|
3. Scope: repository (or environment-specific if needed).
|
|
4. Save. The pipeline step will skip if the secret is empty; keep it present in release branches only.
|
|
|
|
## Local dry-run with test key
|
|
```
|
|
MIRROR_SIGN_KEY_B64=$(base64 -w0 out/mirror/thin/tuf/keys/mirror-ed25519-test-1.pem) \
|
|
OCI=1 scripts/mirror/ci-sign.sh
|
|
```
|
|
|
|
## Verification
|
|
The CI step already runs `scripts/mirror/verify_thin_bundle.py`. For OCI, ensure `out/mirror/thin/oci/index.json` references the manifest digest.
|
|
|
|
## Fallback (if secret absent)
|
|
- Keep MIRROR-CRT-56-002 BLOCKED and do not publish unsigned bundles.
|
|
- Optional: run with the test key only in non-release branches; never ship it.
|