Add (yubi)key authenticity validation #1364
Description
As part of the tuf-on-ci migration we're removing the "authenticity verification scripts" that prove that a cryptographic key is on an actual Yubikey (instead of being a non-hw key or a non-yubikey hardware key).
The feature might still make sense (even if I'm not fully convinced we should only ever require Yubikeys) so let's evaluate options:
- we could write new code like the "verify key" command in the legacy root-signing -- note that this had the flaw that it did not actually verify that the keys in metadata were authentic, user had to compare private keys manually for that
- more useful would be some level of integration into signing event:
- If we want to enforce Yubikeys, then a workflow in the signing event should fail if a "authenticity proof" is missing for a key
- accepting an invitation to become a signer should somehow include the authenticity proof -- even if it's just a request to add a file into the PR manually
- There are two levels of possible integration I see:
- the authenticity proof could be included in metadata: support PIV attestation secure-systems-lab/securesystemslib#623 (comment) -- this way the repository could always verify the authenticity easily and we would not have to maintain extra files that will inevitably go stale. The signers would not have to do anything, new keys would just automatically include the proof
- or we could dump the authenticity proofs elsewhere -- separate directory in git like they used to be, or even just as a comment in the signing event. This means we make the verification just part of "new signer" process documentation, not part of automated tooling
- yubico provides a web page https://www.yubico.com/genuine/ and tools (
ykman piv keys attest 9c -) to do parts of this