Open Bug 1674131 Opened 1 year ago Updated 21 days ago

ensure transparency log is up to date as part of release promotion

Component: Release Engineering :: Release Automation: Other
Type: enhancement
Tracking: Not tracked
Reporter: bhearsum
Assignee: Unassigned
References: Blocks 1 open bug
Attachments: 4 obsolete files

The only thing we should have to do here is run ./tl verify $URL $LOCAL_FILE against all of the files we publish to /releases. This means it has to be done after we push to CDNs - probably at the same time as final verify. We should make sure the $LOCAL_FILE is fetched from somewhere trusted -- ideally this would rely on upstream task artifacts, and be chain of trust enabled, but I'm not sure how practical that will be - I will dig into it more later.

There's a maintained Docker image that we can probably use for this, rather than building our own: https://quay.io/repository/transparencylog/tl

For more background on transparency log, see https://github.com/transparencylog/tl

I dug into this a bit more today. I think our best path forward in the short term is to simply add a docker worker task that runs in either the push or ship phase of a release (depending on whether or not we think we'll ever overwrite artifacts), and runs tl verify on all the artifacts in the releases directory. This short term method means we won't be verifying CoT - but it will be much quicker to bootstrap.

Down the line, if we want to verify CoT we can switch from docker worker to a scriptworker.

I've got something locally that's about half done, that uses a SHA256SUMS file to generate a bunch of tl verify commands, and I'm currently working on getting it scheduled in Taskcluster. The script will need some tweaks after https://github.com/transparencylog/tl/issues/27 is done, so we can verify based on the hashes in SHA256SUMS instead of needing files on disk.
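Added example (not the reporter's script and not code from the tl project): a POSIX sh function that turns a SHA256SUMS file into one "./tl verify $URL $LOCAL_FILE" command per published artifact, as the comment above describes, and refuses to emit a command for any local copy that is missing or whose sha256 does not match the listing, so an untrusted local file never stands in for the CDN artifact. The coreutils SHA256SUMS layout, the BASE_URL and LOCAL_DIR arguments, and the example URL are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug or the tl project. The "./tl verify URL FILE"
# form is the one the bug comment gives; everything else here is assumed.
# Assumptions: SHA256SUMS uses the coreutils layout "<hex>  <relative path>",
# BASE_URL is the public CDN prefix of the release directory, and LOCAL_DIR
# holds the same artifacts fetched from a trusted upstream source.

# Print the sha256 of a file, portable across coreutils and BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# gen_tl_verify_cmds SHA256SUMS BASE_URL LOCAL_DIR
# Emits "./tl verify <url> <local file>" for each entry whose local copy
# matches the listed hash. Missing or mismatched local copies are reported on
# stderr and counted; the count becomes the exit status, so a corrupted or
# substituted local artifact is never handed to the transparency log check.
gen_tl_verify_cmds() {
    sums="$1"; base="$2"; dir="$3"; bad=0
    while read -r hash path; do
        [ -n "$hash" ] || continue             # skip blank lines
        case "$hash" in '#'*) continue ;; esac # skip comment lines
        path=${path#\*}                        # drop coreutils binary-mode marker
        local_file="$dir/$path"
        if [ ! -f "$local_file" ]; then
            echo "missing local artifact: $local_file" >&2
            bad=$((bad + 1)); continue
        fi
        actual=$(sha256_of "$local_file")
        if [ "$actual" != "$hash" ]; then
            echo "hash mismatch for $local_file (listed $hash, got $actual)" >&2
            bad=$((bad + 1)); continue
        fi
        printf './tl verify %s %s\n' "$base/$path" "$local_file"
    done < "$sums"
    return "$bad"
}
```

Pipe the output into sh once the local directory is trusted; a non-zero exit status means at least one artifact was skipped and the release should not be treated as verified.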

Depends on D98031

My patch stack is not quite ready for review, but it's pretty far along. The most notable things missing are:

Attachment #9189893 - Attachment is obsolete: true
Attachment #9189892 - Attachment is obsolete: true
Attachment #9189891 - Attachment is obsolete: true
Attachment #9189890 - Attachment is obsolete: true
Assignee: bhearsum → nobody