Skip to content

Signing event: sign/multi-region#413

Open
sigstore-bot wants to merge 8 commits into
mainfrom
sign/multi-region
Open

Signing event: sign/multi-region#413
sigstore-bot wants to merge 8 commits into
mainfrom
sign/multi-region

Conversation

@sigstore-bot

@sigstore-bot sigstore-bot commented Jun 17, 2026

Copy link
Copy Markdown
Member

Processing signing event sign/multi-region, please wait.

cmurphy and others added 4 commits June 11, 2026 14:25
@cmurphy
Add keys for services in us-east4
8b4e800 
Add keys and certificates for new services deployed in us-east4.

Fulcio and TSA are isolated services operating under the same URL as
the existing services in us-central1, so we add their certificates using
the same URL.

The new rekor-tiles and ctlog-tiles log shards have their own origin
names and are treated by verifiers as distinct services.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
@cmurphy
Add global rekor-tiles address to signing config
3de6037 
All rekor-tiles shards will be writeable using a single signing address,
global.rekor.sigstage.dev. The responses will include the origin name of
the server that actually responded, such as
log2025-alpha3.rekor.sigstage.dev or
log2026-1.us-east4.rekor.sigstage.dev, which verifiers will use to match
the response with a key in the trusted root.

Also remove the current active shard (log2025-alpha3) since that will be
reachable from the global address, and the frozen shards which no one
should be writing to anymore.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
@jku
Merge pull request #410 from cmurphy/us-east4
d88bca2 
Add keys for services in us-east4
@github-actions
Update targets metadata for role targets
9758874 
Signed-off-by: TUF-on-CI <41898282+github-actions[bot]@users.noreply.github.com>
@sigstore-bot

sigstore-bot commented Jun 17, 2026

Copy link
Copy Markdown
Member Author

Artifacts have been modified

Event sign/multi-region (commit d88bca2)
Committed metadata changes for role(s) targets.
Updating signing event state, please wait.

@sigstore-bot

sigstore-bot commented Jun 17, 2026

Copy link
Copy Markdown
Member Author

Current signing event state

Event sign/multi-region (commit 9758874)

❌ targets

Role targets contains following artifact changes:

  • trusted_root.json: MODIFIED

Role targets is unsigned and not yet verified
Still missing signatures from @kommendorkapten, @joshuagl, @mnm678, @jku
Signers can sign these changes by running tuf-on-ci-sign sign/multi-region

jku and others added 2 commits June 17, 2026 15:54
@jku
Merge pull request #411 from cmurphy/us-east4-sig
8294fa6 
Add global rekor-tiles address to signing config
@github-actions
Update targets metadata for role targets
5330795 
Signed-off-by: TUF-on-CI <41898282+github-actions[bot]@users.noreply.github.com>
@sigstore-bot

sigstore-bot commented Jun 17, 2026

Copy link
Copy Markdown
Member Author

Artifacts have been modified

Event sign/multi-region (commit 8294fa6)
Committed metadata changes for role(s) targets.
Updating signing event state, please wait.

@sigstore-bot

sigstore-bot commented Jun 17, 2026

Copy link
Copy Markdown
Member Author

Current signing event state

Event sign/multi-region (commit 5330795)

❌ targets

Role targets contains following artifact changes:

  • signing_config.v0.2.json: MODIFIED
  • trusted_root.json: MODIFIED

Role targets is unsigned and not yet verified
Still missing signatures from @joshuagl, @mnm678, @jku, @kommendorkapten
Signers can sign these changes by running tuf-on-ci-sign sign/multi-region

@jku

This comment was marked as outdated.

Sign in to view
@jku
Signature from @jku
a78a5b2 
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@sigstore-bot

sigstore-bot commented Jun 17, 2026

Copy link
Copy Markdown
Member Author

Current signing event state

Event sign/multi-region (commit a78a5b2)

✅ targets

Role targets contains following artifact changes:

  • signing_config.v0.2.json: MODIFIED
  • trusted_root.json: MODIFIED

Role targets is verified and signed by 1/1 signers (@jku).
Still missing signatures from @mnm678, @kommendorkapten, @joshuagl
Signers can sign these changes by running tuf-on-ci-sign sign/multi-region

Signing event is successful

Threshold of signatures has been reached: this signing event can be reviewed and merged.

@sigstore-bot sigstore-bot marked this pull request as ready for review June 17, 2026 13:06
@jku

jku commented Jun 17, 2026

Copy link
Copy Markdown
Member

For context: this PR contains trust root and signing config changes that enable multi-region sigstore:

  • multiple endpoints listed per service in trusted root (some with region specific URLs, some not)
  • the signing URLs remain global (but the rekor url changes)

Hayden-IO
Hayden-IO previously approved these changes Jun 18, 2026
View reviewed changes
@Hayden-IO Hayden-IO mentioned this pull request Jun 18, 2026
Open
@kommendorkapten
Signature from @kommendorkapten
c2b6557 
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
@sigstore-bot

sigstore-bot commented Jun 22, 2026

Copy link
Copy Markdown
Member Author

Current signing event state

Event sign/multi-region (commit c2b6557)

✅ targets

Role targets contains following artifact changes:

  • signing_config.v0.2.json: MODIFIED
  • trusted_root.json: MODIFIED

Role targets is verified and signed by 2/1 signers (@jku, @kommendorkapten).
Still missing signatures from @joshuagl, @mnm678
Signers can sign these changes by running tuf-on-ci-sign sign/multi-region

Signing event is successful

Threshold of signatures has been reached: this signing event can be reviewed and merged.

@codysoyland codysoyland mentioned this pull request Jun 24, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Hayden-IO Hayden-IO Hayden-IO left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@sigstore-bot @jku @Hayden-IO @cmurphy @kommendorkapten