Hello, everyone. How are you? Today, we have the honor of doing a once-in-a-lifetime event. It's the first root key signing ceremony for Project Sigstore. You have Dan Lorenc and a crew of a who's who in signatures and software supply chain on this Juneteenth holiday. Spotlight Live starts now. All right, you all. I bet you're wondering about the hair, but we'll get to that in a moment. First off, I want to thank the CNCF for allowing us to do this. TUF is one of the projects that's being used as part of the process and ceremony today, so it's cool and it's awesome. Again, thank you to the Cloud Native Computing Foundation. I want to go through the CNCF disclaimer first. This is an official live stream of the CNCF, and as such it is subject to the CNCF Code of Conduct. Please do not add anything to the chat or questions that would be in violation of that Code of Conduct. Basically, please be respectful of all. All right. The hair. I'm going to bring in the first guest. He's the master of ceremonies, the leader here for this event. It's Dan Lorenc. Dan, Spotlight's on you, my friend. You're using my catchphrase over and over again. You're using my tagline. Spotlight. All right. You know how you inspired me? I grew out my hair this week. I was like, look, dude, I need to catch up with you. What do you think? Is it good? Not everybody can grow hair as fast as you can, but I've got to say I'm impressed. I think I just saw you a week ago and you look completely different. You see what I did? This is what I wanted to do for this big Sigstore root ceremony. I wanted to bring my A game, grow out some hair, all that kind of stuff, right? All right. So listen, you wrote a blog post about this. I kind of want to talk about the whole overall process. Can we talk about what's going to go on today? Is that cool? Yeah, sure. I'll give a quick overview of what's going to be happening, who's going to be joining us, and all that stuff. Yeah, so we're looking here.
You can see kind of an overview of the process and everything we're going through today. But at a high level, what we're doing is establishing a root of trust for the entire Sigstore project. So this is a bunch of different cryptographic keys that we're going to be putting together into one file, at a high level. And then each key is going to sign that entire file. So we're going to have five keys and five signatures over that file. And what this is going to do is give us the root for everything else we're going to be signing and distributing and logging for the entire Sigstore project. The goal of Sigstore is to improve supply chain security for all of open source. And so what this actually means is that we're going to be opening up this root for other open source projects to use as well. So we're doing this for open source, and we're doing it just like open source is meant to be done. We're doing this as a community effort, which means we had to design this a little bit differently than most key ceremonies. So there are five of us joining today from different projects, different communities, different companies, different industries. And we're all going to be taking our brand new YubiKeys out of the package live here, showing that we're doing all this correctly. Doing this process, there are five different steps we're going to be going through to add these keys, sign all these keys, and do everything on GitHub. And the audience is supposed to participate today. We need people to verify these steps as we go, especially today, because GitHub Actions has decided to take the afternoon off. Hugops to all the GitHub Actions SREs trying to get this back up. But yeah, we've got some manual commands that we're going to be showing. And people at home can thumbs up, LGTM PRs, post their outputs and stuff to help verify and make sure we're doing all this correctly. Fantastic. Again, it's a well-oiled machine we have today.
And with that, let's bring in the rest of our key folks. All right, so I'm going to start with Marina. Before I bring in everybody else as well, I'm going to bring in the key folks. So it's going to be Santiago and Bob Callaway and Luke Hinds. Let me get rid of this caption here real quick. All right, y'all, state your name and tell us a little bit about yourself. Let's start with you, Marina. And in the order I put people in, is that cool? All right, yeah. Hi, I'm Marina. I am a PhD student at NYU. I'm a maintainer of The Update Framework, or TUF, as it's often called, and I do a lot of work on that and other projects in secure software distribution. And so yeah, excited to be here today. Fantastic. All right, Santiago, you're next. Hello, everyone. I am Santiago Torres. I am an assistant professor of ECE at Purdue University. And I care about making sure that people produce software securely and that people consume software securely. And I think part of that whole picture is being here and making sure that we have a way to trust how software delivery pipelines work. Fantastic. OK, Bob, you're up next. Thanks. Hey, folks, Bob Callaway, a software engineer at Red Hat, also one of the steering committee members for Sigstore. Super excited about kicking this off today and kind of seeing the Sigstore project flourish. Fantastic. Last but certainly not least, I guess the co-creator or the creator, right, Luke, of Sigstore. Can you kind of tell us a little bit about yourself? Yeah, sure. Yeah, so it's great to be here. Really excited about this. Yeah, so Luke Hinds, I work at Red Hat in the CTO office, have a security engineering team that we have there. And yeah, I've kind of worked around open source and security for a long, long time now. Another project I work on and helped get off the ground is Keylime. So it's another CNCF security project. And yeah, it's just great to be with these folks. You know, I consider them friends now.
You know, it's been really a lot of fun building this project, and very much a community effort. So it's great to see this get off. Fantastic. And again, thank you all. And obviously, Dan, you all know. So that is our five, right, Dan? Keep me honest here. You know, this is my first one. Once-in-a-lifetime opportunity, y'all. This is it. This is the initial five. So as part of this, we've got this whole rotation process, and kind of the root is going to be living and breathing just like a normal open source project. So this is the first five for the first four months. We're going to be meeting again sometime right around KubeCon in Los Angeles to sign the next one, rotate somebody out, and let somebody new in. Awesome. Our powers combined, in the chat. Yeah, perfect. So folks that are watching this, now we have 72 folks joining. Thank you so much. It's amazing to have folks joining. And again, by the way, follow cloudnative.tv. You obviously have if you're chatting, so it's awesome. We love that. We have a lot of other amazing programming here as well. But with that, without further ado, let's bring in a couple of the witnesses. So to explain the witnesses part: they have to essentially witness you all taking this out of the packages and all that fun stuff. Am I right? Did I kind of CliffsNotes or TL;DR that too much? Close. Yeah, it's an important role. So the cryptographic keys we're using, the hardware tokens and stuff, can produce these cryptographic attestations to kind of make sure we're doing this correctly from a hardware and crypto perspective. But this is about the community. So it's about knowing who we are and making sure we're who we say we are and stuff like that. So we've invited some special guests that a lot of people here probably know, to authenticate us, say we are who we say we are, how they know us, and then kind of ask us some fun questions too. All right. So I'm going to bring in the first person, my buddy, Trishank.
How are you, my man? Having trouble hearing you, bud? Oh, man, you're muted. I'm muted. This is proof we're doing it live. If we recorded this, we would have gotten it perfectly right. Yep, it's 2020 again. Oops. I'm muted. All right, so it's OK, Trishank. We're going to move on to the next person. Here, you're a witness. We just need your eyes, not your voice, OK? So it's good. We'll roll with it. All right, so we have next up Mike Malone. Tell us a little bit about yourself. Hey, everybody. Yeah, I'm Mike Malone. I'm a distributed systems and security nerd. I'm CEO of a company called Smallstep. We're a cloud-native security company, and we maintain a popular open-source tool chain for internal public key infrastructure. So today's events are definitely relevant to my interests. Thanks for having me, I'm really excited to be here. Fantastic. All right, last but certainly not least, this guy, I think he wants to be on every single one of my shows. I don't know what's going on. There he is. Hey, hey, I heard there was going to be food here today. So that's a pop-by. My name is Stephen Augustus. I am the head of open source for Cisco. I'm also one of the Kubernetes release managers and SIG Release co-chair. So hey, again, I heard there was going to be food here and maybe snacks or something. There was no guarantee of snacks, Dan. I don't know what you're saying. We have kind of a little budget. We've got to get a bigger budget. Got more people watching. We'll have a budget, all right? All right, so last but certainly not least, I think you're pretty much the hands-on keyboard. Am I right? Like you're going to be helping out everybody and kind of going and doing what we need to do. Can you tell us a little bit about yourself? Yeah, I'm an engineer on Dan's team at Google and I love all things related to privacy and security. I have a big hobby in math and cryptography.
So I feel like it was right for me to double check that what they're doing is sound. Yeah, I'm really excited to catch any mistakes and figure out what happens. All righty, so let's keep this moving over here. Dan, what are we doing first? Who's sharing their screen first? Let's go, let's make this rain. Yeah, so, Asra, you've got some slides and stuff explaining how the process works. But the first step here is that we're all going to be setting up and adding our public keys to the GitHub repository. So it's at sigstore/root-signing, which we should put in the chat. Thank you. One second. Dan, can you speak real quick just to make sure you're around? For sure. Oh yeah, hi guys, hi, hi. Perfect. Can you hear me? Yes. Great, thanks. Don't know what happened, but yeah, there we go. OK. Awesome. So Asra is showing an overview of the repo and what's happening. This first step is important. This is the one where we get the actual public keys published in GitHub. And so we're going to do this like a normal open source project. There are going to be five PRs that get sent up with all of our public keys. And we're going to do some verifications using the new keys that we're going to be taking out of our packages live. Everybody can watch that they're brand new on the stream. And we will be adding them to the repository that way. Once everything is checked out, we'll merge those PRs correctly, and then we can start the signing process. So everybody, the scripts that we're going to be running, you can follow along by watching or in the scripts directory. We're going to be starting out with step one. So take out your keys, everybody. Brand new YubiKeys here. Awesome. Take them out, plug them in, and run step one. And if all goes well. Hold please, hold please. Hold them up again. Witnesses, please verify that all of them have it up there. We need serial numbers. Come on. Look, look, look, look, look, look, yeah, let's, yeah. What are those serial numbers?
Look, Dan, we're in a big operation over here. We have to make sure that this is all good. We need to take a picture. Someone take a screen cap right now. Yeah. All right. Nice. Did someone mention there'd be prizes for the verifiers? Oh, yeah. Now's your chance to really prove yourself. Yeah, that's a good one. Once you get these up, we can talk about the prizes. So also, while we're doing this, to make sure this isn't pre-recorded and everything, as we're proving these, the verifiers are going to be asking us some tricky questions to test us and make sure that we are doing this live. Wait until we get these up so you don't distract us from running these complicated git commands, and then we should be good to go. Folks at home, are you able to see the screen OK? I just want to make sure. Just give me a thumbs up in the chat. If you need us to make it a little larger, we can also do that. I think they're more upset that we are not serving pineapple pizzas. OK, moving on, moving on, everyone, moving on. I know who it is. Magno, I'm kicking you out of this chat. I'm telling you, I have that power now, all right? I'm out of here, guy. All right, now I'm just kidding. I was hoping for some fryhawk for cookies. No real trust. Right there. Asra, right there. All right, good. So my PR is created with my key inside of it. Yeah, let's go check it out. All right, so. Anyone following at home? Let's just make sure we give the URL so everybody knows where to go. Yeah, you can go to github.com/sigstore/root-signing. So if you go to pull requests, people will start trickling in theirs. And what I'm going to do is I am going to act as verifier here. So, oh, that's great. See, I passed. I'll pass right there. So here's what we're going to be doing right now. If you want a rough overview, feel free to read this on your own time.
But this verification script that I'm going to run is going to check that the certs added in Dan's PR, which I'll show you in just a second, are all chained and valid. And then after that, I'll just be doing some manual checks to make sure that Dan didn't post something on the side that doesn't match up. So all right, so what you need to do, if you want to follow along, by the way, and run these things, all you need to do is clone and fork the repository, go in there, and then follow along with the commands that I'm doing. So what I'm going to do is I'm going to verify PR number two right here. Nice, I see some thumbs up. Thank you for those. What I get is verify 0, 7, 8, 7, 7, 8. Going to the PR, seeing what files he added, it looks to line up with the serial number right there. So what I'm doing is verifying the cert chain that he added, from the key cert to the device cert all the way up to Yubico's root cert. Then what I'm just going to do, just to show you this first one, is we can manually verify with OpenSSL. So if you copy and paste these commands in here, you'll see that it verifies OK. And what I want to show you right now is if I go in and take the key certificate, print that out, I'll get the PEM-encoded key certificate, which should line up with this pub key that I see right here. So this is the kind of verification we're doing. We're extracting out the serial number, making sure it lines up with the directory, and verifying this chain. All this does is verify that Dan did, in fact, generate the public key on the device. So I'm going to go give this an LGTM right here, approve that. Again, if you do this, feel free to leave a comment, LGTM it. We're going to give out prizes to random people who are verifying. So feel free to add in your output. I'm going to go ahead in the background and continue verifying things. Feel free to watch. Yeah, and Magno had exactly what we have these special guests here for: we should all show today's printed newspaper.
I don't know about you, but I don't have newspapers. So that's why we brought Mike and Trishank and Stephen. So you all have some questions for us, right? Yeah, yeah, sure. Mike, do you want to start first? Sure. Let's start with Dan, since you're our host here. Can you visit reddit.com, maybe do it incognito, I want it logged out, and tell me what the number one story is on Reddit right now and how many votes it has? This could be potentially dangerous. That's a really interesting question. All right, I got a question. What's your story? It says on the top of reddit.com, there are 59,700 points or votes. "Your consciousness is sent back to when you were at age 15 and you maintain all of your current knowledge and experience. What do you do?" Is it a deep question? That is what I see. I vouch for this. This is actually true. Wow, that's hilarious. Can you answer the question? Anybody? Yeah. Oh, man. What do I do? Buy Bitcoin. Yeah, buy Tesla. If you can answer, it's not legit. Yeah, I just want to chime in. The reason why there was one closed from 15 minutes ago was a test run because GitHub Actions was out. So feel free to discard that. That was, I think, Dan's previous key. So there was nothing pushed to the repo. Yeah, we cleared the repos before this. There's an archived copy, actually, so we did a whole bunch of test runs. We should mention this. There's an archived repo called sigstore root-signing-practice where we did all of our previous test runs with different keys. And then we archived that one. We did it, renamed it over to here. And then we did a couple of tests around 15 minutes before this started, because CI never works the first time in a repo. That's the law of CI. And of course, GitHub Actions was down at the time, so the law was proved correct. But it came back as we started this ceremony. There's somebody named Kim Sturves who says, answer the question, Dan. Did you answer the question? Stop stalling. I don't know what it was. Let's get back.
Trishank actually sent me a private message. He's very upset. He's just not sure. "My consciousness is sent back to when you were at age 50." So I'm not sure I understand the question. I'm loving all these verifications, everyone. Love it. And then the prizes for verifiers, we have these YubiKey experience packs. So if you want these, it's fancy inside. You get a whole bunch of different keys. These are some of the same ones we're using today. So verifiers, keep going. So Dan, I think what the question on Reddit is really trying to say is, if you could go back to 15, would you HODL and buy Bitcoin? What would you do with your life savings? I don't know how much you had in a piggy bank back then. Yeah, it probably would have been enough if I put it into Bitcoin or something like that to be useful today, as long as I got out at the right time. Just kind of shocking everybody who says, I want to brush my teeth more or something like that. That's a tough answer on Reddit. Wait, what? Everything you want to come up with? Where sunscreen is one of those answers? Oh, yeah, there was a famous song to that effect. I forgot by whom, Baz Luhrmann or something. All right, are we good for a step? Baz Luhrmann. All right. I have another question if we're ready for one. Maybe I'll give this a look. What is the current temperature in Tokyo? Oh, OK. But he needs to go to Tokyo. Googling it doesn't count. So keep in mind, 21 centigrade. And it's raining. It's 3 AM in Tokyo. Just what I see here. I just switched the camera. Much information. If you want to chime in, CTL Fish, I think, how do we publish that verify? Six needed. Go ahead and give a comment. Show what you did. Any extra commands you did? Yeah. If you have a GitHub account, feel free to comment right here. I'm going to go ahead and start merging the ones with multiple approvals. And then we'll move on whenever ready. What's with all the pineapple pizza hate? This is going down in history.
Like, this is irrevocable right now. It's a wonderful day to be alive. So let's move on and do what we need to do. No more pineapple. All right, so once these all get merged, one person will run step 1.5, which just kind of joins these up into one file. And then we'll start signing after that. Asra did a bunch of awesome work here to figure out how to do all this in a way that would be free of git merge conflicts so that we could do this in parallel instead of all having to go one at a time. Asra, the true hero of today. You all are great. Asra, props, you know, right here. I'm so glad that all this verification is working for other people besides me, because I was seriously concerned. It's like five people rooted in one person. So who's going to do step 1.5? We should get the chat to vote. Yeah, yeah, anybody want to elect someone? It's a great idea. Any volunteers? Who's up? Who wants to volunteer? Everybody was all about the pineapple. You can't get it. Immerse yourself in this process, you all. For God's sake. OK, but I'm the one that stuff breaks on. Hold on, Luke. The people have spoken. Mike, Mike. Oh, yeah, OK. Now he's really a key holder. Mike, are you set up for the GitHub repository or do you want to pass that on to someone else? You know, I haven't pulled. If that's all I need, I've been verifying and running the verify scripts. So tell me what to look at here. I was in the middle of verifying, but I can try. All you need to do is run script step 1.5. I'm not going to run it. But this is a step that anyone can run, because all it does is collect all the data that the five key holders have added. And after I run it, you'll just see a pull request window open up. And that'll, yeah, just click the link. I'm running it right now. You might have to set your GitHub username and stuff so we can send the pull request correctly, but. I got an error: ./tuf: no such file or directory. Do I need to? Yeah, run step zero. Step zero to set up.
We'll let it happen. Sometimes it's going to go to cache. This Dan here is the only good thing to come from the pandemic. Wow. He's talking about my hair, Dan. Clearly, clearly. So that could take a bit of time to pull in all the. Yeah, you're going to have to stop. All right, should we go for somebody else now? You want to go to somebody else or what's our story? What are we doing? Your screen is shared. Or you could just do it so people can watch. Yeah, I'll go for it. I think I should have step zero in here already done from before. Yep, all right. And let's go for step 1.5. Watch it happen live. Cross your fingers. All righty, just pushing. And I'm going to open up this new branch. Sorry about this. You know what? I'm just going to go here. Click on that link. There we go. Set up the root. Let's compare it. Dan, I think I'm sorry, Dan. I think you've got to do it. What happened? There's a question from Jacques Chester. And the question is, it's a valid question or thought, can we show the script source in the screen share for posterity? Yeah, yeah, go for it. I'll do that. Dan, you mind running it and I'll show the script? Sure. Yeah, what happened when you ran it? Just curious. My branch from the deletion. Yeah. So yeah, so basically what's going on is if I go into scripts right here and I'll show you step 1.5 that Dan is running in the background over here, we're setting up our git state. And then over here, we're running this tuf init for the repository with the four targets that we're adding to the metadata. The targets are right here. This is also a good point for verifiers to go and check. But what we have here is the Rekor public key, which you can find on rekor.sigstore.dev/api/v1/log/publicKey. So you can actually download the public key. I know that was a garbage mess, but this is the public key. And you can also go ahead and find the Fulcio certificate. That's shown right here on our Fulcio repository.
So these are the targets that we're verifying. And so can you show the script source? Yeah, so let me show you the actual tuf binary source. And I'll just display that until I merge that PR. Jacques, I also want you to go ahead and give a thumbs up after she's done that, so we've satisfied that question for you. Not very satisfying. We're going to do a little bit of a source dive. This is the actual command. And then the init script right here, so it's a mess. But it's setting up a bunch of JSON right here. We're adding lots of expirations. Let's go ahead and check the source. I'll keep that displayed. Let's go back to root-signing. All right, setting up the root. So let's go ahead and check what's going on here. Verifiers, please go ahead and verify that we have five placeholder signatures. Our expirations are in about six months. We've got our five keys here with the SHAs matching up with the public keys. And we've got five root keys with a threshold of three for each top-level role here. So expirations look good. Yeah, good question. It depends on the threshold. Yep. Yep, threshold is three out of five. For safety reasons, we're just signing all five today just because we can. It's good always to have all of us here. And then these are the targets that we're just adding, which I just showed you before. So yeah, verifiers, if you go ahead and verify a couple of those things, that'd be great. Yeah, so three out of the five is our threshold for us to make any changes to this. We have to have three signatures from these keys. And it is good for six months. So sometime in the next six months, we have to do this again. And that's when we'll all start, you know, rotating people in and out. So yeah, we can't all get on a plane together in the next four months. But we'll be kind of rotating these things forever. There's a question. How are you going to protect your YubiKeys? Do you have backups in case your keys are lost, or destroyed, or stolen?
That's from Andrea Deidre. I've got a big dog. There's your answer. That's a good question. Yeah, so we all have backups, and to, you know, rotate one of these out to a certain backup, we would have to get the other four, or at least three out of the other four people, to signify that that is the new correct one. So if two of us lose them at the same time, we're still good. If three do, then it's bad. So we've got to meet pretty quickly and refresh a backup if somebody does lose one. Yeah, thanks for running the verification script. As you can see, this combined all of the five public keys that were previously verified. So I'm going to go ahead and merge this so we can move on to some more signing steps. Sound good, everyone? Looks good to me. Looks good to me. I know. Always be closing, Augustus. Always be closing. Always be closing. All right, time for step two. So we're in round two right here. We're going to start signing things. We're not playing today, everybody. We're in round two. All right, you at home, following along at home. By the way, loving the interactivity, you all. Awesome, keep it up. We're enjoying this a lot. So round two is the actual goods now. Maybe Asra, if you could help explain what's going on here, that would be great. Yeah, let me pull up some of that draft metadata that we have committed. So in these three signing phases that we're doing right now, we're doing a first to sign the root and targets. So the root is going to attest to the five root keys that we have. And the targets are going to attest to the four targets that we've added: the Rekor public key, the CTFE key, the Fulcio root CA, and our artifact signing key that we've been signing our releases with. So if you ever doubt us in the future for any of those four things, you can always come back to this metadata and verify that you indeed saw the ceremony. So what we're going to be doing is signing these sequentially, because the later snapshot and timestamps depend on the previous results.
So we're going to be signing these. Let me show you real quick. So we have some staged metadata just added from that previous step. Here's the root.json, and people, as they trickle in their PRs, are going to be filling in the signature field that corresponds to their key ID. What you can do is you can choose a person along the way, choose your favorite key holder, and take a look at the signature or key ID that they have and follow along with theirs, you know, and check Marina's. Let's see, we've got some PRs trickling in. Oh my God, you guys are fast. All right, so. And Jacques wants to see the source for number two as well. You can also just sort of get the git hash or the git commit hash, too, for each one of these steps. There's another ask from Jacques, who's now my favorite in the chat. I saw the source for 1.5 in the TUF CLI. Can we show two, please? Yeah, I'll go for it. So let me just show you real quick. You know what, that's great. I'm glad that I'll just pull up Dider's verification here and I'll show you the source. So the source for step two. What this is doing is signing the repository for roles root and targets, like I just mentioned before. And as you can see on the right-hand side, Santiago just added one out of three of the threshold signatures for root and targets. So this is what we expect. Yeah, and then people can go ahead, keep verifying those. I'm going to verify, or I'm going to wait to merge all of them until we get like one or two LGTMs. And let me go ahead and show you some of the source code here. So this is in cmd, tuf, app, and sign. All right, so this is what it is. Actually, this one's really simple. So we're going to get the payload out that we're signing, canonicalize it, and then sign it. Then we're going to add your signature to your particular key ID and then set the metadata. So this one's very simple. Let's go ahead and see if people can verify. So yeah, I just verified Santiago's. I'll give that an LGTM. So yeah, please trickle in those LGTMs.
Any other questions for us to make sure it's still today and we didn't splice the video? I'd expect as much from Luke Hinds though. He's so shifty, y'all, so shifty. All right, I have one. Mike, go for it, go for it. Who's looking for something to do? How about, let's see, where did Dan and Luke, Santiago? Okay, how can I help you? We're going to look at the current price of corn on the Chicago Mercantile Exchange. So if you could go to- I'm sorry, this is because I'm close to Chicago. Should I go on the street and ask? If you could go to cmegroup.com. Group.com. So in the end, we're going to need to get a Bloomberg terminal now. I should. And there's going to be a search, you know, magnifying glass up towards the upper right. They got it. I think it's corn. And it's going to suggest corn futures quotes. Corn futures. Click that. Are people speculating with, of course they're speculating with the price of corn, right? It's like Trading Places. Remember that movie? Trading Places? No, I did not. Okay, I don't even know what I'm looking at. Should I tell you my number? I'll tell you what I need to hear. So you should land on a page. You've got sort of a blue header and there are going to be some letters and numbers, like, you know, a couple inches down. Read out. There's a thing that's called the Globex code. That's basically a ticker. I think it's ZCZ1. And then last, five, six. Apostrophe six. Yep. And then what's the volume? All of this, 173,159. Right. And that's what I see. And on that page, just for posterity, they label that as of June 18th, 2021 at 1:19 p.m. CT. So there should be a good log of that, for anybody that's taking this in the future. All right, should we merge these? Yeah, I'm super thrilled. I'm seeing some repeated verifiers here. Alrighty. Someone needs to go and verify. Let me check Santiago. Santiago seems a little dubious to me. All right, we've got one verifier in there. I call on the chat, come and verify number four.
Dan, you're always getting like 10 plus verifications. Like either people really trust you or they're really skeptical. They trust us here. The opposite. They trust us here. Augustus, you said that too? Yeah, yeah. That's his root of trust, right? Roots of trust. If they trusted me, they wouldn't be verifying. So I think I'm the least trustworthy. So somebody in the chat asked about the price of tortillas. I think it's 11 pesos, am I right? Mexico City? Is that something you can just look up? Yeah. I think it would have a price of corn. It's a cross-currency corn, right? Current vaccination rates for Italy. Doses given 2.5 billion, fully vaccinated, 748 million, which is 9.6% of the population fully vaccinated. I said population. I was going to ask that, but somebody ruined the question for me. Are people viewing how strange my GitHub is acting? Like, this is on the record now. Watch this trick. Let's see if it happens. Didn't work this time. Passion validation. Yep. It must have been the Netflix intern. Oh my God. Integration test number two starts today. Okay, so what email? So here's a question to verify. Did any one of you get a funny email from a streaming company yesterday, and which one was it? I mean, I got it, but... Nice one, Marina, you have... You can name names live. No name names. Yeah, yeah, exactly. Yeah, it was from HBO Max. That was hilarious. So they actually, it looks like a poor intern or somebody managed to email everyone about the integration test. Very nice, very glad it worked. Kind of get more integrated in that, right? Are we all merged? Time for step three. Yep. I just pulled up the code preemptively expecting that. So yeah, right now we're going to move on after root and targets. We're moving on to snapshot right here. So this is the script that they're running. Step number three, signing the snapshot. So same code as before, just with a different file. We're back on round three. Ding, ding. Fight.
And all right, who's gonna go first? Wow, already 12 seconds to remember you two. You guys are fast, that's crazy. So again, these last two rounds are all pretty much the same. I just wanna show this one cool thing. Now that we merged all the root and targets, we currently have success for all of the signatures validated on root and targets. So now with Marina's PR number 13, she's added a signature on snapshot. The really cool thing is, I would love to see a verifier in the chat, verify that this SHA-512 lines up with the root.json that's in the GitHub repo. Props to you, if you can add a comment saying, like, you know, showing the output of what you did to get that matching SHA, like, I will like your, I don't have authority to give prizes, but like if I did, I would. I, could you take a look at Bob Callaway's, it's a little suspect, his PR, thanks. Yeah, yeah, I'll go check. Thank you very much. He's been a little quiet. Yeah, nobody's gonna notice me. I'll turn my camera off. You're number 16, all right. So I've got one. Yay! All right, I want Bob to go to github.com, Kubernetes, Kubernetes and read the last commit SHA for us. The only thing that changes faster than the price of corn by Chicago Mercantile Exchange. Ha ha ha ha! All right, last one merged in was four alpha, Frank Bob, seven two alpha. All right, you're the same thing. That commit is a part of history. Yeah, like I said, when I go back and check for approvals and merges, would love to see someone verify that the SHA for root.json in the repo matches the ones that are in the pull requests. Santiago's a little sus right now. Ha ha ha ha! Always is. It's just a long meeting, just got me thinking. So Dan, what's the plan for key rotation? What's the plan for it? Oh, that's a, got somebody in mind. I don't know if we wanna spoil the special announcement just yet. Is it special, is it like a surprise? It could be, yeah.
The four month window though does line up pretty well with KubeCon if people are gonna be there. There'll be a reveal, and there'll also be a haircut. There could be, it doesn't happen. How are we doing on views right now? We are at 75, this is actually a record for the first two weeks of the launch of CloudNative TV. So thank you all for joining, appreciate it. See, I have no problem with the haircut there. My real problem is that now I have to wait three more months to get my haircut at all. I'm gonna go ahead and merge the ones with the most comments. I'm actively checking how people are verifying. I see lots of script verifications, just great. Oop, there's a request. Pineapple pizzas from the CSF, that one? No, no, Magma's getting kicked out, she's out, she's out. Oh, oh, what's that? I'm gonna take the keys 90 degrees. Nice! That is Tiziano. Can you all rotate your keys 90 degrees clockwise? What the? I'm gonna rotate my whole computer. I see Jay Chester, I just wanna give you a shout out. Thank you so much for checking that shot. Yeah, all of them, nice. All right, I see some getting merged. Yep, prepare yourself, we've got one more signing round to go. Okay, I have a question to verify that we're actually doing this today. What's the price of Bitcoin right now? Or should we go for Dogecoin? Whatever you like. Who's next? Yeah, there's coin, there's coin. I think Bob's gonna go. Bob? Yeah, Bob, what's the price of Dogecoin? Is it Moon and Lambos yet? Let's see here. I'm trying to see when I can retire. According to CoinDesk, it is 0.285892. Is that good, does anyone know? Looks like it's gone down today. Oh no, like 6.57%, yeah, yeah, you're right. Tiz is here. That is insane. Well, good thing I wouldn't put my 401k in there. I'd in here. What it is, Elon Musk knows about this ceremony, so he's going out to tweet to get the price to drop. Elon, yes, let's call Elon. We validate that.
Trishank did that on purpose so he can short it, and he can make some money off of it. All right, there's a question actually. There's a question here, is where is the root key itself stored? Let me show you. All right, so these were the keys that were just added by the first round where they were provisioning keys. And when you go to the staged repo and you take a look at root.json, if you scroll down over here, the root.json is the thing that's actually signing off on the root itself. So in all of these, we'll see keys right here that we're signing. These are the key IDs, and this is the public key value that corresponds to this public key right here. So you can go ahead and also verify that the SHAs line up there. But yeah, these are the actual keys involved and they line up with the keys that are published in this keys directory. Yeah, and we're using hardware tokens here. So the private keys are actually on the tokens. They're generated there. They can't be removed from the tokens. The stuff we did in step one used device attestations from the tokens to prove that. So you can check these keys against the certificates in step one to chain it all the way back to the manufacturer. So there's no single one root key. All the root keys are on the devices. Yeah, and I started seeing some timestamp ones. So I just outputted the script that they just ran step four and that was signing the timestamp role. And as you can see, Cepenado left some verification on Marina's and now we have a signed root, a signed snapshot and a signed targets. And this PR adds one valid signature to the timestamp and we go ahead and check. And voila, there it is. And we have a hash of the snapshot file, which again, totally welcome to verify. So let's go ahead and verify that. Verify PR number 18. And so this is the last step. Once all of these are merged, we just copy it over to a published directory. I think it's called and that marks it as done.
Yeah, the nice thing about this is that you have a total log now of and video proof of anyone who did something to this repo. So if you need to come find us and blame us for something. You know who we are. And then the final step when we're all done with this is to, the final step when we're all done with this and it's all public is for everybody to click fork and update your forks. So that way you're making independent copies that are all verified with SHAs back. So if we ever try to rewrite history or anything, we'll have all these different records across. Yeah, I just wanted to comment that this is a really cool thing that you guys are doing. There's very few public key ceremonies, never mind private ones. No one really talks about it. So I'm really glad you guys are doing this in the open so that other people can look and learn from you guys and even do their own in the public. I think it's a great idea. Yeah, I'm getting ideas. I'm getting ideas over here for Kubernetes. You know where there's a great place for you all to do these things on? CloudNative.tv. Ah! It's good to see everyone. Paula? So we did ours with Git and GitHub. For the Kubernetes one, can we use kubectl and CRDs? I don't want to talk about that. You heard it here first, everyone. You heard it here first. Augustus is committing to a search ceremony live at KubeCon. You heard it here first. Yeah. Can we tweak this later? We're live, right? We are live. Is this live? Hey, Luke. Oh, we're doing a step four, aren't we? Luke, one, two, three. OK. Marina, you've been styling this whole time. I kind of want to get a pulse from you. How are you feeling about the whole thing? Are you good? Any thoughts? I'm good. Yeah, just running some scripts over here. OK. Marina, I shut up. Have we done proof that you're live here yet? I don't think we have. It's a good point. It's a good question. I've got a good question. OK. We're going to figure out where a particular flight is right now. So cool. Wow.
FlightAware.com. OK. I looked up a flight before this. It's a flight from Dubai to Minsk. So up top, there's a search bar. Type in FDB1715. OK, fly you by. Yeah. Find it. OK. On the right, there's a section that says flight details and a link right under it that says view track log. OK, so we'll hear the track log. Scroll all the way to the bottom and it'll give the most recent lat long for that flight. Can you read the time, the latitude and longitude? OK, so the most recent time I see is Friday at 2:47:23 PM Eastern time. And then the latitude is 42.9029. And the longitude is 33.6894. And it's heading 292 degrees left. I don't know what that means. But yeah. Mike, this is amazing. Amazing level of verifying. Yeah, exactly. You're not worried about your personal fortune, like Trishank is. You're worried about the flight paths and all that. I thought you were going to ask for Oceanic 815, Mike. Where is that flight? I've just had a great idea for the flight. That'd be great. You had a really good idea for a verification. I know this is sort of coming off the cuff, so to say. Somebody open a Twitter page, put an OTP code in, and then post it as a tweet. There we go. Exactly. Deep timestamp, then. Now the audience is being really cheeky. The only one is to do a reverse Turing test. I always fell that long. And Dan, I think needs to explain, is Oceanic a flight? Yeah, that was the flight from Lost, the TV show. The flight that just disappeared, I thought. Are you watching the lost in Malaysia one? And also the flight? Somebody did. Yeah, I was afraid someone was going to ask about MH37. Very sad. Yeah. All right, I'm happy to report the team and I have successfully verified round four. What do we do? Do we all fork now? No. Hey, can we, Asra, can we go through just a recap? There we go. Yep. Yep. So we got up to round four.
So after provisioning the keys that you saw in the keys directory, we created that TUF repository, did three rounds of signing sequentially on the four roles that we have. And now we're on this final publishing step. So we need one person from the key holders to run step five, which I will show you again what they are going to run. So let me go over here. Show you step five. And all that does is publish the repository. And I will show you again the script. So yeah, who's going to do that? I did it. All right. So yeah, this is all it does. It goes through the code go-tuf repo.commit, which will verify all the signatures and push it to like a repository. So it's no longer going to be staged. And this is our final step. If you run verify on this, now what we're going to be doing is taking the go-tuf client and seeing if you can successfully verify and download the targets with that. So you'll see some special output. First verifier, I'll give a shout out too. All right. Let's take a look at this. So yeah, basically what it did, it moved it all to a repository rather than stage. root.json. And we got a move here, file renamed with no changes. Good job, Jen. I trust you. Didn't sneak any weird binary files in here. And let's take a look at Verify. Nice. All right. So we've strongjz posted what happened when you did. Let's do script.jz. Shout out to James Strong. Yeah. And Carlos, of course. Carlos, the man beast. So here you see the four targets successfully retrieved and verified against that metadata that we just created together. All right. Yeah, that was the final step. I'm going to get a couple more verifications on this. And then, yeah, we're really good to go. Fork, tweet, publish. Give me a shout out. There's a question. Excuse me, there a thought here. This video is not legit until somebody's pet interrupts the live stream. Anybody's pet, please go ahead and interrupt the live stream. OK? I'm going to get one. Somebody. Oh, yeah, he has a large dog.
He's guarding his YubiKey. This is awesome. There we go. Pets, everyone. And again, right there. She's like, you woke me up from a nap just to do this. Can we all do a stand and go for Asra, please? Can we all just seriously? Great job. Can we swallow our YubiKey? I got a second. OK, looks at home. Can somebody wrap up everything we did in a TLDR? Are we good? Let's just put a bow on it. Who else will go next? Yeah, we are. You want to go ahead? You're good. Yeah, so we're all done. As soon as this gets merged, we have the root. Everybody, click Fork. Copy it off of GitHub, clone it, put it on GitLab, put it on your flash drives, put it anywhere you can. We now have the root, and everything we do will be chained back to this one. I want to thank Asra for being the coordinator for all of this. Thank Dan and CloudNative TV, of course. Follow this for other awesome shows. How many viewers did we hit? What was our record? 80. 80, is that a new record? It's a record. Awesome, wow. Yeah, and thanks everybody here for verifying. This was awesome. And everyone, look, I was not mincing words when I said, like all jokes aside, we had a lot of fun today, but this was a monumental thing. I don't think this has ever been done elsewhere. This has been in public. I am so excited to be part of this, but this group has been fantastic. Also, you folks at home that were part of this, it's just great, really good interactivity and all of that. So it was a really cool process, everyone. Thank you all. I'm going to have some parting words here. Real quick, just for next week, you all, just so I will thank you. So everyone, again, I'm closing with today. This weekend, the holiday is called Juneteenth. It's a day of recognition, education, and celebration. I want us to ensure that we're thinking in terms of taking care of one another and being the community that we are. We are one large community, one large community.
I want to thank everybody that was part of the Sigstore key ceremony, and I want you to remember community. The spotlight is on you.