added signed npm delegation #1154
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
kommendorkapten@m1m14:~/git/root-signing % git status
On branch add-npm
nothing to commit, working tree clean
kommendorkapten@m1m14:~/git/root-signing % ./verify repository --repository ./repository --staged
STAGED METADATA
Outputting metadata verification at ./repository...
Verifying root.json...
Contains 0/3 valid signatures from the current staged metadata
Contains 0/3 valid signatures from the previous root
root version 9, expires 2024/09/12
Verifying targets.json...
Contains 0/3 valid signatures from the current staged metadata
targets version 9, expires 2024/09/12
Verifying registry.npmjs.org.json...
Success! Signatures valid and threshold achieved
registry.npmjs.org version 3, expires 2024/09/12 |
joshuagl
approved these changes
Mar 12, 2024
kommendorkapten
merged commit d342523
into
sigstore:ceremony/2024-03-12
11 checks passed
kommendorkapten
added a commit
that referenced
this pull request
Mar 14, 2024
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
kommendorkapten
added a commit
that referenced
this pull request
Mar 19, 2024
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
kommendorkapten
added a commit
that referenced
this pull request
Mar 19, 2024
* Add staged repository metadata (#1153) Signed-off-by: GitHub <noreply@github.com> Co-authored-by: GitHub <noreply@github.com> * added signed npm delegation (#1154) Signed-off-by: Fredrik Skogman <kommendorkapten@github.com> * sign-root-targets for joshuagl (#1155) Signed-off-by: Joshua Lock <joshuagloe@gmail.com> * sign-root-targets for bobcallaway (#1156) Signed-off-by: Bob Callaway <bcallaway@google.com> * sign-root-targets for SantiagoTorres (#1161) Signed-off-by: Santiago Torres-Arias <santiagotorres@purdue.edu> * sign-root-targets for dlorenc (#1157) Signed-off-by: Dan Lorenc <dlorenc@chainguard.dev> * sign-root-targets for mnm678 (#1160) Signed-off-by: Marina Moore <mnm678@gmail.com> * Update snapshot and timestamp (#1176) Signed-off-by: GitHub <noreply@github.com> Co-authored-by: GitHub <noreply@github.com> --------- Signed-off-by: GitHub <noreply@github.com> Signed-off-by: Fredrik Skogman <kommendorkapten@github.com> Signed-off-by: Joshua Lock <joshuagloe@gmail.com> Signed-off-by: Bob Callaway <bcallaway@google.com> Signed-off-by: Santiago Torres-Arias <santiagotorres@purdue.edu> Signed-off-by: Dan Lorenc <dlorenc@chainguard.dev> Signed-off-by: Marina Moore <mnm678@gmail.com> Co-authored-by: GitHub <noreply@github.com> Co-authored-by: Fredrik Skogman <kommendorkapten@github.com> Co-authored-by: Joshua Lock <jlock@vmware.com> Co-authored-by: Bob Callaway <bobcallaway@users.noreply.github.com> Co-authored-by: Santiago Torres <santiagotorres@purdue.edu> Co-authored-by: dlorenc <lorenc.d@gmail.com> Co-authored-by: Marina Moore <mnm678@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Added the npm delegation, versioned bumped and signed, no other changes.
Look for:
Version: 3
1.registry.npmjs.jsonkeys.jsonshould not have changed since previous version.ecdsaintargets.jsonNote the signature of
registry.npm.jsoncontains signatures with both new and old key id (key id changed as the key type was updated), I added that because during test last week, theverifycommand did behave strange when only the new key id was there, it only verified correctly ~1/3 so it seems that the key ids are confused internally in the tool as they refer to the same key.Release Note
N/A
Documentation
N/A