Task: add documentation for metadata update

Question

Task: add documentation for metadata update

MVrachev opened this issue 9 months ago · comments

Martin Vrachev commented 9 months ago

What is the task about?

Describe how our users can do a successful metadata update.

We want to cover in the doc:

what can be updated from the metadata update RSTUF CLI command
explaining how offline keys can be updated
explaining the process of how to correctly update the online key

Code of Conduct

I agree to follow this project's Code of Conduct

Kairo Araujo · Answer 1 · Thu Oct 12 2023 23:46:54 GMT+0800 (China Standard Time)

https://repository-service-tuf.readthedocs.io/en/stable/guide/general/usage.html#metadata-update

I think we can improve it.

Martin Vrachev · Answer 2 · Thu Oct 12 2023 23:49:05 GMT+0800 (China Standard Time)

I think it's really important to describe well as an algorithm how to update the online key.
I think this should happen as follows:

Append a new keyid to the RSTUF_*_KEYVAULT_KEYS env variable
Finish a successful metadata update ceremony from the RSTUF CLI.
Call POST /api/v1/metadata with the new payload.
Restart your container

It's important that you do steps 1 to 3 before you restart your container so that the new root.json has the new keyid otherwise you will end up with an invalid repository that cannot sign.
If you forgot to do step 1 you will end up with a new root with a new online key id which doesn't match the key used by your signer.
If you forgot to do steps 2 or 3 you won't have a new root.json and you will continue using the old signer based on the old online key.

Martin Vrachev · Answer 3 · Tue Oct 17 2023 18:17:34 GMT+0800 (China Standard Time)

After a conversation with @kairoaraujo we came up with the following steps for AWS KeyVault online key rotation

Create AWS key
Update env variable
Restart containers
1. Init all possible signers
Do a "metadata update" ceremony
Publish new root version