
tweak test validity times #1415

Closed
jku opened this issue Jan 20, 2025 · 2 comments · Fixed by #1449
Labels
enhancement New feature or request

Comments

@jku
Member

jku commented Jan 20, 2025

Currently we sign timestamp every three days with expiry in 7 days. We have our tests set up to file an issue if timestamp goes invalid in three days (7-3 with one day buffer). On-call uses the same test with a two-day trigger.

#1339 will now change signing to happen every day.

plan after the signing event:

  • we can set our test to file an issue if timestamp goes invalid in five days (7-1 with one day buffer).
  • on-call alert could be set to trigger at 4 days

This can be done in root-signing-staging first

@jku jku added the enhancement New feature or request label Jan 20, 2025
@jku
Member Author

jku commented Jan 20, 2025

Should review similar issues with the root validity although I think we don't need any changes:

jku added a commit to jku/root-signing-staging that referenced this issue Jan 27, 2025
* We have been signing timestamp every day for a while now
* expiry-period is 7 days so that's how far the new expiry is set
* signing-period is 6 days so timestamp is signed 7-6 = 1 day after
  previous signing (in practice because of workflow scheduling it may be
  30 hours)

Let's start requiring that timestamp is valid for 5 days when the test
workflows run. This will increase the amount of time we have to solve
any issues with online signing, because we will find out about them
earlier.

Documenting the strange syntax here for convenience:
    ${{ github.event_name == 'workflow_call' && 0 || 5 }}
This means that during publish we only require that the metadata is not
expired at the moment but when the workflow runs via other means
(e.g. cron), we require that it is also not expired in 5 days.

This is for sigstore/root-signing#1415

Signed-off-by: Jussi Kukkonen <[email protected]>
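The check the commit message describes, written out as an added example (this is not root-signing's own workflow code or any tool from the project): a small script that mirrors the `${{ github.event_name == 'workflow_call' && 0 || 5 }}` expression to pick the required validity window, then parses a TUF `timestamp.json` and asks whether `signed.expires` is still more than that many days away. The sample metadata is constructed here (signed 2025-01-20 with the 7-day expiry-period from the thread); the function names are mine, and the only assumption about the real metadata is that `expires` uses the `YYYY-MM-DDTHH:MM:SSZ` form TUF specifies.

```python
"""Added example: 'timestamp must still be valid in N days' check.

Not the root-signing project's tooling; names and sample data are
assumptions for illustration.
"""
import json
from datetime import datetime, timedelta, timezone


def required_valid_days(event_name: str) -> int:
    """Mirror the workflow expression
        ${{ github.event_name == 'workflow_call' && 0 || 5 }}
    During publish (the workflow is called from another workflow) we only
    require that metadata is not expired right now; when the test workflow
    runs on its own (cron, manual dispatch) we require 5 more days.
    """
    return 0 if event_name == "workflow_call" else 5


def timestamp_valid_for(metadata: str, days: int, now: datetime) -> bool:
    """True if the timestamp role's expiry is strictly later than now + days."""
    signed = json.loads(metadata)["signed"]
    if signed.get("_type") != "timestamp":
        raise ValueError("expected a TUF timestamp role")
    # TUF expiry format is YYYY-MM-DDTHH:MM:SSZ (always UTC)
    expires = datetime.strptime(signed["expires"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    return expires > now + timedelta(days=days)


# Constructed sample, not real Sigstore metadata: signed 2025-01-20 with a
# 7-day expiry-period, so it expires 2025-01-27T00:00:00Z.
SAMPLE_TIMESTAMP = json.dumps({
    "signatures": [],
    "signed": {
        "_type": "timestamp",
        "spec_version": "1.0",
        "version": 42,
        "expires": "2025-01-27T00:00:00Z",
        "meta": {"snapshot.json": {"version": 42}},
    },
})


def check(event_name: str, now: datetime, metadata: str = SAMPLE_TIMESTAMP) -> bool:
    """Combine both pieces the way the workflow step would."""
    return timestamp_valid_for(metadata, required_valid_days(event_name), now)


if __name__ == "__main__":
    for day in (21, 23, 28):
        now = datetime(2025, 1, day, tzinfo=timezone.utc)
        print(day, "cron:", check("schedule", now), "publish:", check("workflow_call", now))
```

With daily signing (expiry-period 7, signing-period 6) a healthy repository always has about six days of validity left when the cron run happens, so the 5-day requirement trips roughly one day after online signing stops working, instead of four days after it as with the old 3-day threshold.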
@jku
Member Author

jku commented Jan 28, 2025

This can be done in root-signing-staging first

Looks good, this should be implemented here after the current signing event

In addition, we can consider increasing the validity in https://github.com/sigstore/sigstore-probers/blob/main/.github/workflows/reusable-prober.yml (this affects when oncall gets alerted)
