.github/workflows that pin widely used public keys for curl requests; attested and protected by PQ+DoH+dnssec
(as a long-term stop gap measure, only after an initial ssh-sk connection has been established to fetch this submodule)
The .github/workflows will update, validate, and attest this repo with know domains, dnssec info, and their expiries;
adding into the registry/ from the list stored in index.csv every 6 hours.
fetch and validate index registry + attest with sigstore + release immutably anywhere from a repo_dispatch api call.
local.sh # WIP - gh attestation verify (Ubuntu v2.46) - (Needs v2.50+) - skipping for now...
$CLIENT_ID is an optional github app ID to run a repository_dispatch event to trigger a manual run of the workflow
validate.with.pki() { # $1 = full_url.TDL/.../[file] or blank to only verify, $CLIENT_ID = Github App Client ID (optional)
./.pki/local.sh $1 $CLIENT_ID || exit 1
}
cred_helper=github.com/docker/docker-credential-helpers/releases/download/v0.9.5/docker-credential-pass-v0.9.5.linux-arm64
if [[ "$(which docker-credential-pass)" == "" ]]; then
validate.with.pki "$cred_helper" || exit 1
echo "$cred_helper_sha $cred_helper_name" | sha512sum -c || exit 1
mkdir -p $HOME/bin && mv $cred_helper_name $HOME/bin/docker-credential-pass || exit 1
fi
if [[ "$ssh_conf" != *.pki* ]]; then
echo "
Host .pki
Hostname github.com
IdentityFile $HOME/\$PKI_ID_FILE
IdentitiesOnly yes" >> $HOME/.ssh/config
fi
# TODO: Generate repo keys r/o for public use
cat > $HOME/$PKI_ID_FILE << EOF_
-----BEGIN OPENSSH PRIVATE KEY-----
SSH PRIVATE KEY GOES HERE
-----END OPENSSH PRIVATE KEY-----
EOF_
cat > $HOME/$PKI_ID_FILE.pub << EOF__
SSH PUBKEY GOES HERE
EOF__
lastly add submodule to .gitmodules of each project and run git submodule add git@.pki:0mniteck/.pki.git
[submodule ".pki"]
path = .pki
url = git@.pki:0mniteck/.pki.git
branch = main
