Jussi Kukkonen jku


Signers

Role                 Required # of signatures   Signers
root                 2                          @jku, @kommendorkapten, @joshuagl, @mnm678
timestamp            1                          online key
snapshot             1                          online key
targets              1                          @jku, @kommendorkapten, @joshuagl, @mnm678
registry.npmjs.org   1                          @jku
import os
from getpass import getpass
from securesystemslib.signer import Signer
from tuf.api.metadata import Metadata, Key

# Key IDs of the two signers referenced by this snippet
JOSHUA_KEYID = "b78c9e4ff9048a1d9876a20f97fa1b3cb03223a0c520c7de730cfa9f5c7b77e5"
JKU_KEYID = "762cb22caca65de5e9b7b6baecb84ca989d337280ce6914b6440aea95769ad93"

# PKCS#11 module for the YubiKey; securesystemslib's HSM signer loads it from this variable
os.environ["PYKCS11LIB"] = "/usr/lib/x86_64-linux-gnu/libykcs11.so"

Sigstore debugging snippets

  • Do you need to debug sigstore input/output files?
  • Are you not yet fluent in base64 encoded binary certificates?
  • Are you willing to use tools that are completely unfit for the purpose?

This may be the gist for you

Signature bundle

Target file management in repository-playground

Goals

  1. Support arbitrary target file storage locations

    • this is needed eventually: we can't expect all repos to store target files in git
    • requires signer and repo to agree on the target file storage location
    • default can still be the "targets/" directory in git tree
  2. Simple UI, "easy to review" target file content

# Test setup script for SoftHSM
#
# I run this with
# PYKCS11LIB=/usr/lib/softhsm/libsofthsm2.so SOFTHSM2_CONF=/home/jkukkonen/src/playground-e2e-signer/softhsm/softhsm2.conf python softhsm_setup.py
#
# The softhsm2.conf file contains
# directories.tokendir = /home/jkukkonen/src/playground-e2e-signer/softhsm/tokendir/
from asn1crypto.keys import ECDomainParameters, NamedCurve
from PyKCS11 import PyKCS11, Session
@jku
jku / output.txt
Last active March 10, 2023 13:55
KEY {'keytype': 'sigstore-oidc', 'scheme': 'Fulcio', 'keyval': {'issuer': 'https://token.actions.githubusercontent.com', 'identity': 'https://github.com/jku/token-test/.github/workflows/test-sign.yml@refs/heads/main'}}
SIG {'keyid': 'abcdef', 'sig': '30650231009541a940e97bb8327cb3ce2b8a498bfd7843b33539eb56c26c0e2feb1bf65e208f076ff07f149f9ecb80bd8761d29c3e02305b9423fa6108a5c777a5f6a59bf800c69821eb57fe30eb8a6a9a9658bfdcd5a8c45097256d1b5c087f2c93ea490258b5', 'bundle': {'mediaType': 'application/vnd.dev.sigstore.bundle+json;version=0.1', 'verificationMaterial': {'x509CertificateChain': {'certificates': [{'rawBytes': 'MIIDsjCCAzmgAwIBAgIUYaemdLlUvi2BuHuWiuq8c55QOFkwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwMzEwMTM0MTM1WhcNMjMwMzEwMTM1MTM1WjAAMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJVzfjIxDbzE/G02q8CsN5XlDXQFSJXnZGw6TeVdAtAm1JbL6pIEIx/y2fi2hudNVLN/X2HPejsCm8vqWiyMnk36/fn8pjtbaFvsCVuDJu5jk3gnH8XLsAn2Gb/N0/hyRo4ICOzCCAjcwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwM

General project management issue

The state of repository-playground git-based repo is that it "technically" mostly works:

  • apart from the signing event triggering (see below), the core big ticket features are there
  • The promised useful output is not there yet -- this applies to both signing event GitHub issue comments and the signer tool itself
  • A lot of the planned security improvements are not there either
  • Unsure if there are gaps for sigstore-like use case
  • expecting there to be a bunch of bugs
class Succinct:
    def __init__(self, name_prefix: str, bin_bits: int):
        self.name_prefix = name_prefix
        # number of bins
        bin_count = 2**bin_bits
        # length of string prefix to get from targetpath hash
@jku
jku / log
Created February 18, 2022 12:47
installing tuf from test pypi
(venv) jku@luna:~$ pip index --index-url https://test.pypi.org/simple/ versions tuf
WARNING: pip index is currently an experimental command. It may be removed/changed in a future release without prior warning.
tuf (1.0.0)
Available versions: 1.0.0, 0.20.0, 0.19.0, 0.16.0, 0.9.9
(venv) jku@luna:~$ pip install --index-url https://test.pypi.org/simple/ tuf
Looking in indexes: https://test.pypi.org/simple/
Collecting tuf
Downloading https://test-files.pythonhosted.org/packages/47/ad/91f0b241c54bc8415c2b9102bdc778a78a10475a0602f84a7656d472aeb6/tuf-1.0.0-py3-none-any.whl (38 kB)

This issue is closed as it was filed against (what is now known as) the legacy codebase: the issue seems to not be relevant anymore. Please re-open or file a new issue if you feel that the issue is relevant to current python-tuf.

More details about legacy code removal

Current source code (and upcoming 1.0 release) only contains the modern components

  • a low-level Metadata API (tuf.api) and
  • tuf.ngclient that implements the client workflow,

Legacy components (tuf.client, tuf.repository_tool, tuf.repository_lib as well as the repo and client scripts) are no longer included. See announcement for more information and API reference for details about the current API.