Pin release signing key and verify by default#95
Conversation
b5293cb to
f71bb1a
Compare
fe8292c to
1029b8c
Compare
|
🔴 Automated review · pr-review-watcher · 1029b8c SummaryPins the production release signing public key into 🚫 Blocking (must fix before merge)
Non-blocking
|
rominf
left a comment
There was a problem hiding this comment.
Please check the automated review. Also, there are efforts to get rid of the mix of programming languages in the repository. Could you please convert it to cargo xtask to keep everything as rusty as possible?
Pin the production release signing public key in install.sh and install.ps1 and require signature verification by default on the release channel, so downloaded archives are checked against the pinned trust root before install. Guard the key end to end: release_readiness.py verifies built archives against the configured signing public key (a key mismatch fails at build time, not on users' machines), and verify_pinned_keys.py asserts the pinned constants match the canonical docs/keys file and the CI signing key. Both run in CI. Metadata pinning and the production-trust CI gate are wired but dormant (empty sentinel / unset variable) until their inputs exist. Signed-off-by: Eugene Volen <Eugene.Volen@amd.com>
1029b8c to
4132eb8
Compare
| fn new(tag: &str) -> Result<Self> { | ||
| let base = | ||
| std::env::temp_dir().join(format!("pinned-key-{tag}-{}", std::process::id())); | ||
| let _ = std::fs::remove_dir_all(&base); |
| let base = | ||
| std::env::temp_dir().join(format!("pinned-key-{tag}-{}", std::process::id())); | ||
| let _ = std::fs::remove_dir_all(&base); | ||
| std::fs::create_dir_all(&base)?; |
Replace the Python pinned-key consistency check with a Rust `cargo xtask verify-pinned-keys` command, keeping the repo all-Rust. The port fixes an unsound equality proxy: the old check used whole-file substring containment, so a wrong pinned constant passed whenever the canonical key body appeared anywhere else in the file (e.g. the NEXT rotation slot). The command now extracts each named pinned constant's own PEM body (shell, PowerShell, and Rust embeddings) and compares it for equality against the canonical docs/keys file, plus the CI signing key cross-check. Close the CI gate hole by adding docs/keys/** to the heavy paths filter so a canonical-key-only change still runs the check, and repoint every CI call site to the xtask command. Teach `cargo xtask verify` to read the public key from ROCM_CLI_SIGNING_PUBLIC_KEY_PEM when no --public-key is given, so release_readiness.py no longer materializes a temp key file. Also quote the openssl path arguments in install.ps1 and drop a stale doc reference from the workflow comments. Signed-off-by: Eugene Volen <Eugene.Volen@amd.com>
4132eb8 to
02a5383
Compare
Summary
Turns on signed-release trust for the release channel: the production release signing public key is pinned in the installers, and signature verification is now on by default for
install.sh release/install.ps1 release— downloaded archives are verified against the pinned trust root before install.What's in here
install.sh,install.ps1): the release public key is embedded as a constant; verification is mandatory by default on the release channel. Env overrides (ROCM_CLI_SIGNING_PUBLIC_KEY_PATH/PEM) remain as escape hatches. Multi-key support is present for future rotation.scripts/release_readiness.py): CI verifies built archives against the configured signing public key, so a private/public key mismatch fails at release time, not on users' machines.scripts/verify_pinned_keys.py): asserts the pinned constants match the canonicaldocs/keys/file and the CI signing key. Runs in CI (PRs + release/nightly), embedding-agnostic (shell/PowerShell/Rust).docs/keys/rocm-cli-release-current-public.pem).therock.rs, empty sentinel) and the production-trust CI gate (ROCM_CLI_REQUIRE_PRODUCTION_TRUST, unset) are wired but inert until their inputs exist — no behavior change from them.Safety / rollout
latestrelease exists yet (only pre-releases + a draft), soreleases/latest/downloadhas nothing to serve — enabling default-on cannot break existing users.ROCM_CLI_REQUIRE_PRODUCTION_TRUSTyet — it requires those inputs.Validation
verify_pinned_keys.py+release_readiness.pyself-tests, metadata unit tests, clippy, fmt, shell/YAML checks all green.Suggested pre-merge check
Cut a tag (or use the
v0.1.0-rc.1draft) so CI signs with the current key and confirm the readiness step reports "signature verified" — the final on-CI proof.🤖 Generated with Claude Code