[Packaging Pipeline] Securely sign packages hosted on Drupal.org using the TUF framework and Rugged [#3325040]

Problem/Motivation

As part of the major initiatives to support Automatic Updates and the Project Browser, the Drupal.org infrastructure team has prioritized a major security enhancement - securely signing packages using Rugged, an implementation of TUF, theupdateframework.io.

Proposed resolution

An RFP for implementing a secure server side signing method according to the tough specification was released in June of 2021.

Consensus Enterprises was selected as the implementation partner for this system, working together with the Drupal Association on the implementation details. The Drupal Association is working with infrastructure management partners Tag1 Consulting to stand up this infrastructure in the cloud, so it can be integrated into the packaging pipeline.

Remaining tasks

~~RFP released~~
~~Partner selected: Consensus Enterprises~~
~~Requirements defined~~
~~Initial technical architecture proposed~~
~~PHP-TUF client side framework developed with the help of Acquia's Drupal Acceleration team, among others~~
~~Primary Development~~
~~Containers deployed~~
~~Initial deployment evaluation~~ - started
Current work in rugged:
- ~~#120 Add a new "monitor" worker~~ is fixed!
- ~~#114 Revert to upstream Composer plugin~~ is fixed!
- #99 Implement support for hashed bins will be necessary for the scale of Drupal.org packages; so data transfer is limited to a reasonable amount, and that JSON can be reliably parsed. In progress
- #74 Build images in CI
Plan for signing core components
- Templates like drupal/core-recommended are hosted on Packagist.org, so they can be installed with one step after getting Composer. Core component subtree splits are hosted in the same way to simplify core packaging
- https://packagist.org/packages.json changes frequently, so signing on behalf of Packagist.org will need some way to either always have the current version signed, or proxy that's able to serve what we have signed
Next deployment evaluation
Integration testing with AutoUpdates/Project Browser teams
Security audit/penetration testing (as resources are available)

Comments

Comment #1

2 December 2022 at 17:29

hestenet created an issue. See original summary.

Comment #2

2 December 2022 at 17:30

hestenet credited drumm.

Comment #3

2 December 2022 at 17:30

hestenet credited ergonlogic.

Comment #4

2 December 2022 at 17:30

hestenet credited nnewton.

Comment #5

hestenet

He/Him

Portland, OR 🇺🇸

commented 2 December 2022 at 17:30

Issue summary:

View changes

Comment #6

hestenet

He/Him

Portland, OR 🇺🇸

commented 2 December 2022 at 17:34

Issue summary:

View changes

Comment #7

drumm

he/him

NY, US

commented 21 March 2023 at 16:51

Issue summary:

View changes

Reviewing the known issues in Rugged:

#120 Add a new "monitor" worker is fixed!
#114 Revert to upstream Composer plugin is still open
#99 Implement support for hashed bins will be necessary for the scale of Drupal.org packages; so data transfer is limited to a reasonable amount, and that JSON can be reliably parsed
Currently containers are built locally and pushed, https://rugged.works/how-to/images/. This would be better if it could be driven by GitLab CI automatically. Likely needs an issue opened in the rugged project

Comment #8

drumm

he/him

NY, US

commented 21 March 2023 at 22:42

Issue summary:

View changes

Adding to the issue summary:

Plan for signing core components

Templates like drupal/core-recommended are hosted on Packagist.org, so they can be installed with one step after getting Composer. Core component subtree splits are hosted in the same way to simplify core packaging
https://packagist.org/packages.json changes frequently, so signing on behalf of Packagist.org will need some way to either always have the current version signed, or proxy that's able to serve what we have signed

Comment #9

wim leers

Ghent 🇧🇪🇪🇺

commented 22 March 2023 at 09:11

Issue tags:		+blocker
Related issues:		+#3349368: [policy, no patch] How much of The Update Framework integration is needed for alpha-level review/commit of Package Manager?

Do we have any idea about an ETA?

I'm asking because in #3349368: [policy, no patch] How much of The Update Framework integration is needed for alpha-level review/commit of Package Manager? it was just revealed that this is hard-blocking package_manager, automatic_updates and project_browser getting added to Drupal core.

Comment #10

markdorison

he/him

commented 22 March 2023 at 22:40

Issue summary:

View changes

Comment #11

drumm

he/him

NY, US

commented 23 March 2023 at 21:26

Issue summary:

View changes

Adding link to https://gitlab.com/rugged/rugged/-/issues/74

Comment #12

ergonlogic

he/him

English

Montréal, Québec 🇨🇦

commented 23 March 2023 at 21:26

Issue tags:

+The Update Framework (TUF)

Comment #13

ergonlogic

he/him

English

Montréal, Québec 🇨🇦

commented 24 March 2023 at 22:11

Issue summary:

View changes

I've revised the summary with updates for the Rugged tickets.

Comment #14

catch

he/him

English

commented 27 April 2023 at 08:15

Looks like hashed bins is also done https://gitlab.com/rugged/rugged/-/issues/99

Comment #15

drumm

he/him

NY, US

commented 8 July 2024 at 16:23

Status:

Active

» Reviewed & tested by the community

This is now ready: https://packages.drupal.org/8/metadata/

Before calling it done, we need:

#3352216: Securely sign Drupal core packages, even though they are hosted on GitHub/packagist directly
securesystemslib includes non-compliant `keyid_hash_algorithms` property when generating key IDs https://gitlab.com/rugged/rugged/-/issues/192
Reset processing targets batch on boothttps://gitlab.com/rugged/rugged/-/issues/191
Nice to have, not required - Clean up more completely when targets containing empty directories are processed https://gitlab.com/rugged/rugged/-/issues/149
Verify root key rotation process

Comment #16

drumm

he/him

NY, US

commented 8 July 2024 at 16:57

Added 2 more child issues:

#3460020: Add host key verification for sending targets to rugged for signing this is a security hardening. We are not sending anything private to be signed by rugged, but we should still verify where we are sending it
#3201223: Deprecate composer 1 will reduce the error rate for the client, especially if our rugged stack has an outage

Comment #17

gábor hojtsy

he/him

Hungarian

Hungary

commented 23 January 2025 at 08:15

Does this mean that package signing is practically all rolled out?

This is now ready: https://packages.drupal.org/8/metadata/

Comment #18

drumm

he/him

NY, US

commented 23 January 2025 at 17:45

Status:	Reviewed & tested by the community	» Fixed
Related issues:		+#3477553: [PP-1] Manually test TUF-enabled Composer projects

Yes, I think we can call this done.

I hope there’s more testing with #3477553: [PP-1] Manually test TUF-enabled Composer projects before this is made generally available out of the box with Drupal core. But that and the rugged followups are all being tracked in their own issues.

Comment #19

6 February 2025 at 17:49

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

[Packaging Pipeline] Securely sign packages hosted on Drupal.org using the TUF framework and Rugged

Problem/Motivation

Proposed resolution

Remaining tasks

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Comment #12

Comment #13

Comment #14

Comment #15

Comment #16

Comment #17

Comment #18

Comment #19

Parent issue

Child issues

Related issues

Referenced by

News items

Our community

Documentation

Drupal code base

Governance of community