Update TUF SigningConfig To Rekor V2: A Smooth Transition

Alex Johnson

Hey everyone!

We're embarking on a crucial update to the SigningConfig distributed via TUF (The Update Framework), specifically to integrate Rekor v2. This is a significant step towards enhancing the security and transparency of our software supply chain. Let's dive into what this entails, why it's important, and how we plan to roll it out.

Why Rekor v2?

Rekor, as many of you know, is a transparency log for software artifacts. It provides an immutable record of when and how software components were signed, which is vital for verifying the integrity and provenance of software. Moving to Rekor v2 brings several advantages, including improved performance, enhanced security features, and better support for emerging use cases.

The Plan: Two Separate Updates

To ensure a smooth transition and minimize disruption, we've decided to split this update into two distinct phases:

  1. Trusted Root Update (Verification): This update focuses on enabling clients to verify Rekor v2 entries. It's designed to be backward-compatible, allowing clients using a manually configured signing configuration to validate entries against the new Rekor v2 infrastructure. This is all about making sure everyone can still verify things correctly.
  2. SigningConfig Update (Signing): This second update is what this issue is all about. It involves modifying the SigningConfig itself so that clients with Rekor v2 support will automatically use it for signing operations. This is where the magic happens, and clients will seamlessly transition to using Rekor v2.

The reason for this separation is simple: we want to avoid breaking the verification process for anyone. By updating the trusted root first, we give everyone a chance to upgrade their clients and ensure they can still verify signatures against Rekor v2. Then, once we're confident that the ecosystem is ready, we'll update the SigningConfig to enable automatic Rekor v2 usage.

The Importance of a Smooth Transition

We can't stress enough how crucial a smooth transition is. A broken verification path would be a major headache for everyone. That's why we're taking a phased approach and working closely with key stakeholders to ensure everything goes off without a hitch.

Minimizing Disruption

To minimize disruption, we're planning a few key steps:

  • Waiting Period: We'll wait a few months after the trusted root update before updating the SigningConfig. This gives users ample time to upgrade their clients and adapt to the new verification process.
  • VIP Client Collaboration: We're actively working with a select group of VIP clients and ecosystems to test the update and identify any potential issues early on. Their feedback is invaluable in ensuring a seamless transition.
  • Monitoring and Support: We'll be closely monitoring the update process and providing support to anyone who encounters issues. Our goal is to make this as painless as possible for everyone.

Communication is Key

We'll keep you all informed every step of the way. Expect regular updates on our progress, potential issues, and any actions you may need to take. Your feedback is always welcome, so please don't hesitate to reach out with any questions or concerns.

This Issue: Updating the SigningConfig in Root-Signing

This specific issue is dedicated to tracking the update of the SigningConfig within the root-signing metadata. This is the final step in enabling automatic Rekor v2 usage for clients that support it. The tasks involved are outlined below.

Understanding the Current Configuration

Before making any changes, it's essential to thoroughly understand the current SigningConfig. This involves examining the existing configuration files, identifying the relevant parameters, and understanding how they affect the signing process. We need to know exactly what we're changing and why.

  • Analyzing Existing Parameters: The first step is to meticulously analyze all the parameters within the current SigningConfig. This includes understanding their purpose, their current values, and how they interact with each other. It's like dissecting a complex machine to understand how each part contributes to the overall function.
  • Identifying Dependencies: We need to identify any dependencies that the SigningConfig has on other components or services. This is crucial for ensuring that the update doesn't inadvertently break something else. It's like tracing the wires in an electrical circuit to make sure we don't cut the wrong one.
  • Documenting the Process: Throughout the analysis, we'll be meticulously documenting our findings. This documentation will serve as a valuable reference for future updates and troubleshooting. It's like creating a detailed blueprint of the current system.

Modifying the Configuration for Rekor v2

Once we have a solid understanding of the current configuration, we can begin modifying it to support Rekor v2. This involves updating the relevant parameters to point to the new Rekor v2 endpoints and configuring the client to use the new API.

  • Updating Endpoints: The most obvious change is to update the endpoints to point to the Rekor v2 servers. This tells the client where to send the signing requests. It's like changing the address on a letter so it gets delivered to the right place.
  • Configuring the API: We also need to configure the client to use the Rekor v2 API. This may involve changing the request format, the authentication method, or other API-specific settings. It's like learning a new language to communicate with the Rekor v2 server.
  • Testing the Changes: After making the changes, we need to thoroughly test them to ensure they work as expected. This involves sending test signing requests and verifying that the entries are correctly recorded in the Rekor v2 log. It's like running a simulation to make sure the changes don't break anything.
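To make the "clients with Rekor v2 support will automatically use it" behaviour concrete, here is an added example (not code from root-signing or any Sigstore client) that loads a constructed SigningConfig fragment with both a v1 and a v2 Rekor entry and picks the log a client should write to. Field names follow the Sigstore SigningConfig v0.2 JSON schema; the URLs, operator and dates are placeholders, and the selection rule (highest API version the client implements, inside its validity window) is the author's reading of the Sigstore client specification.

```python
import json
from datetime import datetime

# Constructed SigningConfig fragment, not the real root-signing metadata.
# Field names follow the Sigstore SigningConfig v0.2 JSON schema; URLs,
# operator and dates are placeholders.
SIGNING_CONFIG_JSON = """{
  "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json",
  "rekorTlogUrls": [
    {"url": "https://rekor-v1.example", "majorApiVersion": 1,
     "validFor": {"start": "2021-01-12T00:00:00Z"}, "operator": "example"},
    {"url": "https://rekor-v2.example", "majorApiVersion": 2,
     "validFor": {"start": "2025-06-01T00:00:00Z"}, "operator": "example"}
  ],
  "rekorTlogConfig": {"selector": "ANY"}
}"""

def _parse_ts(value):
    # RFC 3339 timestamp with a trailing Z, as in the JSON encoding.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _valid_at(service, now):
    # A service is usable only inside its validFor window (end is optional).
    window = service.get("validFor", {})
    start, end = window.get("start"), window.get("end")
    if start and now < _parse_ts(start):
        return False
    return not (end and now > _parse_ts(end))

def select_rekor_urls(config, supported_versions, now_iso):
    """Rekor URL(s) a client should log to under this SigningConfig.

    Candidates: services whose majorApiVersion the client implements and
    whose validity window contains now_iso. Selector ANY picks the highest
    API version, so a v2-capable client moves to Rekor v2 automatically
    while a v1-only client stays on v1; ALL returns every candidate.
    (EXACT with a count is not modelled.)
    """
    now = _parse_ts(now_iso)
    candidates = [
        s for s in config.get("rekorTlogUrls", [])
        if s["majorApiVersion"] in supported_versions and _valid_at(s, now)
    ]
    selector = config.get("rekorTlogConfig", {}).get("selector", "ANY")
    if selector == "ALL" or not candidates:
        return [s["url"] for s in candidates]
    best = max(candidates, key=lambda s: s["majorApiVersion"])
    return [best["url"]]

def load_signing_config(text=SIGNING_CONFIG_JSON):
    return json.loads(text)
```

Running the same config through a v1-only client and a v2-capable client shows why the verification-side trusted root must be updated first: the moment the v2 entry's window opens, capable signers switch logs without any client-side change.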

Testing and Validation

Rigorous testing is paramount to ensure the updated SigningConfig functions correctly and doesn't introduce any regressions. This includes unit tests, integration tests, and end-to-end tests.

  • Unit Tests: These tests focus on individual components of the SigningConfig to ensure they function correctly in isolation. It's like testing each individual part of a car engine to make sure it works before putting it all together.
  • Integration Tests: These tests verify that the different components of the SigningConfig work together seamlessly. It's like testing the car engine and the transmission together to make sure they communicate properly.
  • End-to-End Tests: These tests simulate a complete signing workflow to ensure that the entire process works as expected. It's like taking the car for a test drive to make sure everything works under real-world conditions.

Deployment and Monitoring

Once the updated SigningConfig has been thoroughly tested and validated, we can deploy it to the production environment. We'll closely monitor the deployment process to ensure everything goes smoothly.

  • Staged Rollout: We'll use a staged rollout approach to minimize the risk of disruption. This involves gradually deploying the updated SigningConfig to a subset of users, monitoring its performance, and then gradually increasing the rollout to all users. It's like slowly introducing a new product to the market to gauge its success.
  • Real-time Monitoring: We'll continuously monitor the performance of the updated SigningConfig in the production environment. This allows us to quickly identify and address any issues that may arise. It's like having a team of doctors constantly monitoring a patient's vital signs.
  • Rollback Plan: In the event of a critical issue, we have a rollback plan in place to quickly revert to the previous version of the SigningConfig. This ensures that we can quickly restore service if something goes wrong. It's like having a backup plan in case the primary plan fails.

Conclusion

Updating the TUF-distributed SigningConfig with Rekor v2 is a significant undertaking, but it's a vital step towards enhancing the security and transparency of our software supply chain. By taking a phased approach, collaborating with key stakeholders, and rigorously testing our changes, we can ensure a smooth transition and minimize disruption. Thanks for your attention, and stay tuned for more updates!

For more information on Rekor and Sigstore, check out the official Sigstore website. They have tons of great resources!
