Securely sign Drupal core packages, even though they are hosted on GitHub/packagist directly

Created on 4 April 2023, over 1 year ago
Updated 2 August 2024, 5 months ago

Problem/Motivation

Because Drupal.org publishes packages.drupal.org as the source of truth for Composer packages for just about every Drupal project, we can integrate our Rugged signing process to sign these packages.

However, we currently publish Drupal core packages directly to GitHub so they will be available from Packagist (and they include within them the additional Composer repository for packages.drupal.org).

We still want to sign these packages.

Non-ideal solution we considered

Get the core-related packages onto packages.drupal.org. packages.drupal.org currently only handles modules and themes, and exists to translate .info.yml dependencies into something Composer understands. The core-related packages are handled like any other PHP project on Packagist.org. Teaching packages.drupal.org to handle a different type of project would add complexity.

General projects on Drupal.org are sent to Packagist.org directly, when they have a composer.json. If we moved the Git repositories to general projects, that would have no effect on the fact that these are sent to Packagist.org.

Proposed resolution

Add a 3rd Composer repository, separate from packages.drupal.org and Packagist.org, and add TUF integration to that repository.

Composer looks for packages on Packagist.org last, so if the new repository provides packages like drupal/core, it overrides Packagist.org. See https://getcomposer.org/doc/articles/repository-priorities.md

We can use Satis to build that Composer repository - https://gitlab.com/drupal-infrastructure/package-signing/packagist-signed. It will provide packages listed at https://gitlab.com/drupal-infrastructure/package-signing/packagist-signe.... The actual zip downloads are still fetched from GitHub.com; the metadata is equivalent to what Packagist.org provides.

Then we can connect this to a new Rugged stack to add a TUF repository for signing.

The output that Satis and Rugged build is hosted as static files, in parallel to packages.drupal.org.

If Packagist.org starts providing signing, we can empty out our new repository, letting Packagist.org take back over. Sites can remove it from their repositories.
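The override described above depends on Composer's repository priority rules (order, `canonical`, `only`, `exclude`). The following is an added example, not code from this issue or from the Drupal infrastructure project; it models those rules to check which repository would supply metadata for `drupal/core` under a given `composer.json`. The `SIGNED` URL is a placeholder, the package lists are constructed, and `only`/`exclude` wildcards are approximated with `fnmatch`.

```python
import fnmatch

# Assumed value: placeholder for the proposed third (signed) repository.
SIGNED = "https://signed-packages.example.invalid"
PACKAGIST = "https://repo.packagist.org"

def effective_repos(composer):
    """Repositories in lookup order; Packagist.org is implicitly last unless disabled."""
    entries = composer.get("repositories", [])
    repos = [r for r in entries if "url" in r]
    if not any(r.get("packagist.org") is False for r in entries):
        repos.append({"type": "composer", "url": PACKAGIST})
    return repos

def matches(patterns, package):
    return any(fnmatch.fnmatchcase(package, p) for p in patterns)

def sources_for(composer, package, provides):
    """URLs Composer may load `package` metadata from, highest priority first."""
    found = []
    for repo in effective_repos(composer):
        url = repo["url"]
        if "only" in repo and not matches(repo["only"], package):
            continue  # repository is filtered out for this package
        if matches(repo.get("exclude", []), package):
            continue
        if not matches(provides.get(url, []), package):
            continue  # repository does not carry the package
        found.append(url)
        if repo.get("canonical", True):  # a canonical repository stops the search
            break
    return found

# Constructed sample data: package names each repository serves.
PROVIDES = {
    SIGNED: ["drupal/core", "drupal/core-recommended"],
    "https://packages.drupal.org/8": ["drupal/token"],
    PACKAGIST: ["drupal/core", "drupal/core-recommended", "symfony/*"],
}

def project(signed_entry=None):
    """Build a composer.json dict; signed_entry holds extra keys for the signed repo."""
    repos = [{"type": "composer", "url": "https://packages.drupal.org/8"}]
    if signed_entry is not None:
        repos.insert(0, dict({"type": "composer", "url": SIGNED}, **signed_entry))
    return {"repositories": repos}

if __name__ == "__main__":
    for label, cfg in [("no signed repo", project()), ("signed repo", project({})),
                       ("canonical: false", project({"canonical": False})),
                       ("only: drupal/core-*", project({"only": ["drupal/core-*"]}))]:
        print(f"{label:22} drupal/core <- {sources_for(cfg, 'drupal/core', PROVIDES)}")
```

Any result for `drupal/core` other than the signed repository alone means unsigned Packagist.org metadata can still be used for that package.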

Remaining tasks

Task
Status

Fixed

Component

Packaging

Created by

United States hestenet Portland, OR
