git.stella-ops.org/docs/modules/mirror/signing-runbook.md
StellaOps Bot fc99092dec blocked 4
2025-11-23 17:18:33 +02:00


Mirror bundle signing runbook (CI)

Prerequisites

  • Ed25519 private key (PEM). Keep in CI secrets only.
  • Base64-encode the PEM: base64 -w0 mirror-ci-ed25519.pem > mirror-ci-ed25519.pem.b64.
  • Create CI secret MIRROR_SIGN_KEY_B64 with that value.

Pipeline step (Gitea example)

- name: Build/sign mirror thin bundle
  env:
    MIRROR_SIGN_KEY_B64: ${{ secrets.MIRROR_SIGN_KEY_B64 }}
    OCI: 1
  run: |
    scripts/mirror/check_signing_prereqs.sh
    scripts/mirror/ci-sign.sh

Outputs are placed under out/mirror/thin/ and out/mirror/thin/oci/; archive these as artifacts.

How to add the secret in Gitea (one-time)

  1. Repository → Settings → Secrets.
  2. New secret: name MIRROR_SIGN_KEY_B64, value = base64-encoded Ed25519 PEM (no newlines, no header/footer).
  3. Scope: repository (or environment-specific if needed).
  4. Save. The pipeline step will skip if the secret is empty; keep it present in release branches only.

Local dry-run with test key

MIRROR_SIGN_KEY_B64=$(base64 -w0 out/mirror/thin/tuf/keys/mirror-ed25519-test-1.pem) \
OCI=1 scripts/mirror/ci-sign.sh

Verification

The CI step already runs scripts/mirror/verify_thin_bundle.py. For OCI, ensure out/mirror/thin/oci/index.json references the manifest digest.
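The OCI index check above, as an added example that is not the project's verify_thin_bundle.py or ci-sign.sh: a Python function that confirms index.json references the manifest by its sha256 digest, size and media type, plus a wrapper over a directory laid out like out/mirror/thin/oci. The manifest and index are constructed samples; the blobs/sha256/<hex> layout follows the OCI image-layout spec and is assumed to be what the signing step writes.

```python
import hashlib
import json
import re
from pathlib import Path
from typing import Any, Dict, List

MANIFEST_MEDIA_TYPE = "application/vnd.oci.image.manifest.v1+json"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def oci_digest(data: bytes) -> str:
    """Content digest in OCI form: lowercase hex SHA-256 with the algorithm prefix."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def check_index_references_manifest(index: Dict[str, Any], manifest_bytes: bytes) -> List[str]:
    """Return the problems found; an empty list means index.json references this manifest
    with the correct digest, size and media type."""
    entries = index.get("manifests")
    if not isinstance(entries, list) or not entries:
        return ["index.json has no manifests[] entries"]
    expected = oci_digest(manifest_bytes)
    problems: List[str] = []
    for entry in entries:
        digest = entry.get("digest", "")
        if not DIGEST_RE.match(digest):
            problems.append(f"malformed digest {digest!r}")
    matching = [e for e in entries if e.get("digest") == expected]
    if not matching:
        # Either the manifest was altered after the index was written, or the index is stale.
        problems.append(f"no manifests[] entry has digest {expected} (manifest tampered or index stale)")
        return problems
    for entry in matching:
        if entry.get("size") != len(manifest_bytes):
            problems.append(f"size {entry.get('size')!r} does not match manifest length {len(manifest_bytes)}")
        if entry.get("mediaType") != MANIFEST_MEDIA_TYPE:
            problems.append(f"unexpected mediaType {entry.get('mediaType')!r}")
    return problems


def check_oci_layout(oci_dir: Path) -> List[str]:
    """Check a directory such as out/mirror/thin/oci (assumed OCI image layout): every
    manifests[] entry must point at an existing blobs/sha256/<hex> file whose content
    hashes to that digest."""
    index = json.loads((oci_dir / "index.json").read_text(encoding="utf-8"))
    problems: List[str] = []
    for entry in index.get("manifests", []):
        digest = entry.get("digest", "")
        if not DIGEST_RE.match(digest):
            problems.append(f"malformed digest {digest!r}")
            continue
        blob = oci_dir / "blobs" / "sha256" / digest.split(":", 1)[1]
        if not blob.is_file():
            problems.append(f"missing blob for {digest}")
            continue
        problems.extend(check_index_references_manifest(index, blob.read_bytes()))
    return list(dict.fromkeys(problems))  # drop duplicates, keep order


# Constructed sample data (not real mirror output): a minimal manifest and an index that references it.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": MANIFEST_MEDIA_TYPE,
    "config": {"mediaType": "application/vnd.oci.empty.v1+json", "digest": oci_digest(b"{}"), "size": 2},
    "layers": [],
}, separators=(",", ":"), sort_keys=True).encode("utf-8")

SAMPLE_INDEX: Dict[str, Any] = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [{"mediaType": MANIFEST_MEDIA_TYPE, "digest": oci_digest(SAMPLE_MANIFEST), "size": len(SAMPLE_MANIFEST)}],
}

if __name__ == "__main__":
    print("intact:", check_index_references_manifest(SAMPLE_INDEX, SAMPLE_MANIFEST) or "ok")
    # A single appended byte changes the digest, so the index no longer references the manifest.
    print("tampered:", check_index_references_manifest(SAMPLE_INDEX, SAMPLE_MANIFEST + b"\n"))
```

Run check_oci_layout(Path("out/mirror/thin/oci")) after ci-sign.sh and fail the job on a non-empty result; the in-memory function is what the wrapper applies to each referenced blob.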

Fallback (if secret absent)

  • CI now automatically falls back to an embedded test Ed25519 key when MIRROR_SIGN_KEY_B64 is unset (non-production only). This unblocks CI builds but must not be used for release artifacts.
  • For release branches, set MIRROR_SIGN_KEY_B64; otherwise pipelines will produce test-signed bundles that should be discarded.
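As an added illustration of the prerequisite and fallback rules above (example code, not the runbook's own check_signing_prereqs.sh or ci-sign.sh): a Python preflight that decodes MIRROR_SIGN_KEY_B64, checks that it really holds an unencrypted Ed25519 PKCS#8 private key, and permits the test-key fallback only on non-release refs. The release-ref pattern, the embedded test seed and the function names are assumptions; the sample secret is constructed inline the way base64 -w0 on a PEM file would produce it.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# PKCS#8 v1 DER prefix of an Ed25519 private key (RFC 8410):
# SEQUENCE { INTEGER 0, SEQUENCE { OID 1.3.101.112 }, OCTET STRING { OCTET STRING seed(32) } }
ED25519_PKCS8_PREFIX = bytes.fromhex("302e020100300506032b657004220420")
ED25519_SEED_LEN = 32
PEM_BEGIN = "-----BEGIN PRIVATE KEY-----"
PEM_END = "-----END PRIVATE KEY-----"

# Stand-in for the embedded non-production key the runbook mentions (hypothetical value).
EMBEDDED_TEST_SEED = bytes([0x42]) * ED25519_SEED_LEN

# Assumed release naming: release/* branches and v* tags; adjust to the repository's convention.
RELEASE_REF_RE = re.compile(r"^refs/(heads/release/|tags/v)")


class SigningKeyError(ValueError):
    """MIRROR_SIGN_KEY_B64 is missing, malformed, or not an Ed25519 key."""


def pem_to_der(pem_text: str) -> bytes:
    """Strip PEM framing and return the DER bytes."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise SigningKeyError("PEM must be framed by BEGIN/END PRIVATE KEY lines")
    try:
        return base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as exc:
        raise SigningKeyError(f"PEM body is not valid base64: {exc}") from exc


def decode_signing_secret(secret_b64: str) -> bytes:
    """Decode the CI secret and return the 32-byte Ed25519 seed.

    Accepts the `base64 -w0 key.pem` form from the runbook (base64 of the whole PEM file)
    and, for tolerance, base64 of the bare PKCS#8 DER. Anything else is rejected."""
    value = secret_b64.strip()
    if not value:
        raise SigningKeyError("secret is empty")
    if any(ch.isspace() for ch in value):
        raise SigningKeyError("secret must be a single line without whitespace (use base64 -w0)")
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise SigningKeyError(f"secret is not valid base64: {exc}") from exc
    if raw.startswith(b"-----BEGIN"):
        try:
            der = pem_to_der(raw.decode("ascii"))
        except UnicodeDecodeError as exc:
            raise SigningKeyError("PEM contains non-ASCII bytes") from exc
    else:
        der = raw
    if len(der) != len(ED25519_PKCS8_PREFIX) + ED25519_SEED_LEN or not der.startswith(ED25519_PKCS8_PREFIX):
        raise SigningKeyError("key is not an Ed25519 PKCS#8 private key (wrong algorithm or encrypted PEM?)")
    return der[len(ED25519_PKCS8_PREFIX):]


def select_signing_key(secret_b64: Optional[str], git_ref: str) -> Tuple[str, bytes]:
    """Return ("production", seed) when the secret is set and valid, ("test", seed) for the
    non-production fallback, and raise on release refs that lack the secret."""
    if secret_b64 is not None and secret_b64.strip():
        # A present-but-invalid secret fails the build; it never degrades silently to the test key.
        return "production", decode_signing_secret(secret_b64)
    if RELEASE_REF_RE.match(git_ref):
        raise SigningKeyError(f"MIRROR_SIGN_KEY_B64 is unset on release ref {git_ref}; refusing test-key fallback")
    return "test", EMBEDDED_TEST_SEED


def make_sample_secret(seed: bytes) -> str:
    """Build what `base64 -w0 mirror-ci-ed25519.pem` would emit for a key with this seed (constructed sample)."""
    body = base64.b64encode(ED25519_PKCS8_PREFIX + seed).decode("ascii")
    pem = f"{PEM_BEGIN}\n{body}\n{PEM_END}\n"
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    sample = make_sample_secret(bytes(range(ED25519_SEED_LEN)))
    print(select_signing_key(sample, "refs/heads/release/2025.11")[0])  # production
    print(select_signing_key("", "refs/heads/feature/x")[0])            # test
```

The useful property is the asymmetry: an absent secret degrades to the test key only off release refs, while a present but malformed secret is always a hard failure, so a mis-pasted value cannot quietly produce test-signed release bundles.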