Deploy rugged for TUF signing to production

Remaining tasks

Decide and document security stance - root key handling, anything that is an option in how we use TUF
Set up production-grade hosting of rugged - #3325040: [Packaging Pipeline] Securely sign packages hosted on Drupal.org using the TUF framework and Rugged is tracking known issues in Rugged
Add to packaging pipeline - #3325040: [Packaging Pipeline] Securely sign packages hosted on Drupal.org using the TUF framework and Rugged built out initial work

Deployment

Set up Rugged in production
Add drush drupalorg-release-send-rugged to packaging pipeline
Set up packages.drupal.org/metadata hosting - site/profile/files/webnode/static/staging/packages.staging.devdrupal.org.conf in the internal Puppet tree has a draft. A crucial special header is Surrogate-Key tuf, so the CDN cache can be cleared
Add /metadata path to VCL configuration, also following the staging configuration
Set up cron to run https://git.drupalcode.org/project/infrastructure/-/blob/main/rugged-int... every minute
Set up cron to run drush drupalorg-release-send-rugged examples --version=3.x-dev every 12h
Backfill signing for all projects

Comments

Comment #1

21 February 2023 at 20:20

drumm created an issue. See original summary.

Log in or register to post comments

wim leers’s picture

Comment #2

Ghent 🇧🇪🇪🇺

commented 21 March 2023 at 09:43

Related issues:

+#3341719: Add a drush command to send targets to rugged

With #3341719: Add a drush command to send targets to rugged done, I believe this is next & unblocked?

Log in or register to post comments

Comment #3

he/him

NY, US

commented 21 March 2023 at 17:09

Status:

Active

» Postponed

Not quite, the parent issue is tracking a few issues in Rugged, and we have more child issues like #3349408: Decide on & implement targets management for Rugged instance

Log in or register to post comments

Comment #4

he/him

NY, US

commented 21 March 2023 at 17:41

Issue summary:

Documenting everything done to support #3325040: [Packaging Pipeline] Securely sign packages hosted on Drupal.org using the TUF framework and Rugged in staging, so it can be done in production.

Log in or register to post comments

ergonlogic’s picture

Comment #5

he/him

English

Montréal, Québec 🇨🇦

commented 12 April 2023 at 12:47

Issue tags:

+The Update Framework (TUF)

Log in or register to post comments

Comment #6

he/him

NY, US

commented 8 July 2024 at 16:26

Status:

Postponed

» Fixed

We can call this done https://packages.drupal.org/8/metadata/

The CDN handling was simplified and is at https://gitlab.com/drupal-infrastructure/package-signing/check-cache/-/b...

The Drupal code to get targets signed is at https://git.drupalcode.org/project/drupalorg/-/blob/424d969f020a49aa3fe3...

Log in or register to post comments

Comment #7

22 July 2024 at 16:29

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Log in or register to post comments