[Packaging Pipeline] Securely sign packages hosted on Drupal.org using the TUF framework and Rugged

Created on 2 December 2022, almost 2 years ago
Updated 8 July 2024, 3 months ago

Problem/Motivation

As part of the major initiatives to support Automatic Updates and the Project Browser, the Drupal.org infrastructure team has prioritized a major security enhancement: securely signing packages using Rugged, an implementation of The Update Framework (TUF, theupdateframework.io).

Proposed resolution

An RFP for implementing a secure server-side signing method according to the TUF specification was released in June 2021.

Consensus Enterprises was selected as the implementation partner for this system, working together with the Drupal Association on the implementation details. The Drupal Association is working with infrastructure management partners Tag1 Consulting to stand up this infrastructure in the cloud, so it can be integrated into the packaging pipeline.

Remaining tasks

  • - started
  • Current work in rugged:
  • Plan for signing core components
    • Templates like drupal/core-recommended are hosted on Packagist.org, so they can be installed in one step after getting Composer. Core component subtree splits are hosted in the same way to simplify core packaging.
    • https://packagist.org/packages.json changes frequently, so signing on behalf of Packagist.org will need some way to either always have the current version signed, or a proxy that is able to serve what we have signed.
  • Next deployment evaluation
  • Integration testing with AutoUpdates/Project Browser teams
  • Security audit/penetration testing (as resources are available)
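The packages.json point above is the crux of signing a frequently changing file: TUF clients accept a target only when its length and hash match what the signed, unexpired targets metadata says, so any version published after the last signing run is rejected rather than trusted. The following added example (not Rugged's or php-tuf's code; a deliberately simplified single-role sketch with Ed25519 and SHA-256, and a constructed packages.json stand-in) shows a signing step and the client-side check, including the stale-content and expiry failure modes:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TargetInfo mirrors the per-target fields of a TUF targets role: length and hashes.
type TargetInfo struct {
	Length int64             `json:"length"`
	Hashes map[string]string `json:"hashes"`
}

// Targets is the signed portion of a (simplified) TUF targets role.
type Targets struct {
	Expires time.Time             `json:"expires"`
	Targets map[string]TargetInfo `json:"targets"`
}

// Envelope pairs the canonical signed bytes with one Ed25519 signature.
// Real TUF metadata carries a key id and supports thresholds; omitted here.
type Envelope struct {
	Signed    []byte `json:"signed"`
	Signature []byte `json:"signature"`
}

func sha256Hex(b []byte) string { h := sha256.Sum256(b); return hex.EncodeToString(h[:]) }

// SignTargets plays the signing service's part: it records length and hash of the
// file contents as they are right now and signs them with a bounded lifetime.
func SignTargets(priv ed25519.PrivateKey, path string, content []byte, ttl time.Duration, now time.Time) (Envelope, error) {
	t := Targets{
		Expires: now.Add(ttl).UTC(),
		Targets: map[string]TargetInfo{
			path: {Length: int64(len(content)), Hashes: map[string]string{"sha256": sha256Hex(content)}},
		},
	}
	signed, err := json.Marshal(t)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Signed: signed, Signature: ed25519.Sign(priv, signed)}, nil
}

// VerifyTarget plays the client's part. It returns nil only if the signature is valid,
// the metadata is unexpired, the path is listed, and the downloaded bytes match the
// signed length and hash. Any newer upstream content fails the last two checks.
func VerifyTarget(pub ed25519.PublicKey, env Envelope, path string, downloaded []byte, now time.Time) error {
	if !ed25519.Verify(pub, env.Signed, env.Signature) {
		return errors.New("targets metadata: bad signature")
	}
	var t Targets
	if err := json.Unmarshal(env.Signed, &t); err != nil {
		return err
	}
	if !now.Before(t.Expires) {
		return errors.New("targets metadata: expired")
	}
	info, ok := t.Targets[path]
	if !ok {
		return fmt.Errorf("targets metadata: %s is not listed", path)
	}
	if int64(len(downloaded)) != info.Length {
		return fmt.Errorf("%s: length %d does not match signed length %d", path, len(downloaded), info.Length)
	}
	if sha256Hex(downloaded) != info.Hashes["sha256"] {
		return fmt.Errorf("%s: sha256 does not match signed metadata", path)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	// Constructed stand-in for packages.json at signing time.
	v1 := []byte(`{"packages":{"drupal/core-recommended":{"10.2.0":{}}}}`)
	env, _ := SignTargets(priv, "packages.json", v1, time.Hour, now)
	fmt.Println("v1 against v1 metadata:", VerifyTarget(pub, env, "packages.json", v1, now))
	// Upstream publishes a new packages.json before a new signing run happens.
	v2 := []byte(`{"packages":{"drupal/core-recommended":{"10.2.0":{},"10.2.1":{}}}}`)
	fmt.Println("v2 against v1 metadata:", VerifyTarget(pub, env, "packages.json", v2, now))
	fmt.Println("v1 after expiry:", VerifyTarget(pub, env, "packages.json", v1, now.Add(2*time.Hour)))
}
```

The second and third calls are the two ways the plan's concern shows up in practice: a client that fetches live packages.json against older signed metadata gets a hash/length mismatch, and a client that keeps serving old signed content past its expiry gets a freshness failure. Either "always have the current version signed" (short TTL, re-sign on every upstream change) or "proxy what we have signed" (serve exactly the bytes the metadata describes) keeps both checks passing.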
🌱 Plan
Status

RTBC

Component

Packaging

Created by

hestenet (Portland, OR, United States)
