Securely sign Drupal core packages, even though they are hosted on GitHub/packagist directly

Adding notes on a non-ideal solution we considered

I read over this and I think, from the perspective of the Composer plugin that adds TUF support to Composer, this should be okay. As long as the new Composer repository is a standard Composer repository, it should be transparent to the plugin.

If Packagist.org starts providing signing, we can empty out our new repository, letting Packagist.org take back over.

Are they planning to do this at some point? If so, can you provide a link? If not, I assume you're just extrapolating into a far future?

Hopefully they can implement Rugged as well. There is no specific plan, so it may as well be far future.

https://gitlab.com/drupal-infrastructure/package-signing/packagist-signed is getting close to a deployable state, so we can test everything together, see what else might be missing or broken, and add all the packages we need.

        {
            "type": "composer",
            "url": "https://signed-packagist.staging.devdrupal.org"
        }

Can now be added to repositories in composer.lock to override a couple core components for testing. This comes with TUF at https://signed-packagist.staging.devdrupal.org/metadata/

We have the start of this in production at https://packagist-signed.drupalcode.org/packages.json & https://packagist-signed.drupalcode.org/metadata/

The remaining work is to get all of the drupal/ namespace on Packagist.org mirrored. This is ready with https://gitlab.com/drupal-infrastructure/package-signing/packagist-signe..., and needs debugging for why it hasn’t succeeded in production.

Backfilling completed and this has been running smoothly for over a week.

Automatically closed - issue fixed for 2 weeks with no activity.