From YouTube: Spotlight Live - Sigstore Root Key Ceremony
A
A
A
All right, you all, I bet you're wondering about the hair, but I'll get to that in a moment, all right. So, first off, I want to thank the CNCF for allowing us to do this. TUF is one of the projects that we're gonna, that's being used as part of the process, processing ceremony today. So it's cool, and it's awesome again.
A
Thank you to the Cloud Native Computing Foundation, and so I want to go through the CNCF disclaimer first, so that this is an official live stream of the CNCF and as such is subject to the CNCF code of conduct. Please do not add anything to the chat or questions that would be in violation of that code of conduct. So basically, please be respectful of all. All right, so the hair. I'm gonna bring in the first guest. It's kind of the master of ceremonies or the leader here.
A
For this event, it's Dan Lorenc. So Dan, spotlight's on you, my friend. Am I using my cliche over and over again? I'm using my, like, tagline, spotlight. All right. I like those, like, you know how you inspired. I grew up my hair this week. I was like, look dude, I need to catch up with you, so what do you think? Is it good? Yeah.
B
A
You see, you see what I do. This is what I wanted to do for this Sigstore root ceremony. I wanted to, like, bring my A game, grow out some hair, all that kind of stuff, right? All right. So listen, like, we, we there, you wrote a blog post about this. I kind of want to talk about just, like, the whole overall process. Can you, can we talk about what's going to go on today? Is that cool?
B
Yeah, sure. I'll give a quick overview of what's going to be happening, who's going to be joining us and all that stuff, yeah.
C
B
We're looking here, you can see kind of an overview of the process and everything we're going through today, but at a high level, what we're doing is establishing a root of trust for the entire Sigstore project.
B
So this is a bunch of different cryptographic keys that we're going to be putting together into one file at a high level, and then each key is going to sign that entire file, so we're going to have five keys and five signatures over that file, and what this is going to do is give us the root for everything else we're going to be signing and distributing and logging for entire Sigstore project.
B
The goal of Sigstore is to improve supply chain security for all of open source, and so what this actually means is that we're going to be opening up this root for other open source projects to use as well, and so we're doing this. This is for open source. So we're doing this just like open source is meant to be, we're doing this as a community effort, which means we had to design this a little bit differently than most key ceremonies.
B
So there are five of us joining today from different projects, different communities, different companies, different industries, and we're all going to be taking our brand new YubiKeys out of the package live here, showing that we're doing all this correctly, doing this process. There are five different steps we're going to be going through to add these keys, sign all these keys into everything on GitHub, and the audience is supposed to participate.
B
Today we need people to verify these steps as we go, especially today, because GitHub Actions has decided to take the afternoon off. HugOps to all the GitHub Actions SREs trying to get this back up, but yeah, we've got some manual commands that we're going to be showing, and people at home can thumbs up, LGTM the PRs, post their outputs and stuff to help verify and make sure we're doing all this correctly.
A
Fantastic. Again, it's with the well-oiled machine we have today, and with that, let's bring in the rest of our key folks. Alright. So I'm going to start with Marina. Hey Marina, before you, I'm going to bring in everybody else as well, I'm going to bring in the folks. So it's going to be Santiago and Bob Callaway and Luke Hinds. Let me get rid of this caption here real quick. All right, y'all, hey, state your name and tell us a little bit about yourself.
D
C
I am Santiago Torres, I am an assistant professor of ECE at Purdue University, and I care about making sure that people produce software securely and the people consume software securely, and I think part of that whole picture is being here and making sure that we have a way to trust how software delivery pipelines work.
A
Fantastic. Okay, Bob, you're up next. Thanks.
E
Hey folks, Bob Callaway, a software engineer at Red Hat, also one of the steering committee members for Sigstore. Super excited about kicking this off today and kind of seeing the Sigstore project flourish.
A
F
Yeah, sure. Yeah, so it's great to be here, really excited about this. Yes, so Luke Hinds, I work at Red Hat in the CTO office, have a security engineering team that we have there, and yeah, I kind of worked around open source and security for a long, long time now. Another project I work on and help get off the ground is Keylime, so it's another CNCF security project, and yeah, it's just great to be with these folks. You know, I consider them friends now, you know, we've.
F
It's been really a lot of fun building this project, and very much a community effort. So it's great to see this get off. Fantastic.
A
B
This is it; this is the initial five. So, as part of this, we've got this whole rotation process, and kind of the root is going to be living and breathing, just like a normal open source project. So this is the first five for the first four months. We're going to be meeting again sometime right around KubeCon Los Angeles to sign the next one, rotate somebody out and add somebody new in. Aw, "our powers combined" in the chat, yeah, perfect.
A
So folks that are watching this now, we have 72 folks joining. Thank you so much. It's amazing to have folks joining, and again, by the way, follow cloudnative.tv. You obviously have if you're chatting. So it's awesome. We love that. We have a lot of other amazing programming here as well, but with that, for further ado, let's bring in a couple of the witnesses. So explain the witnesses part, so they have to essentially witness you all taking this out of the pocket, pack, packages and all that fun stuff.
B
Close, yeah, it's an important role. So the cryptographic keys we're using, the hardware tokens and stuff, can produce these cryptographic attestations to kind of make sure we're doing this correctly from a hardware and crypto perspective. But this is about the community. So it's about knowing who we are, making sure we're who we say we are and stuff like that. So we've invited some special guests that a lot of people here probably know to, you know, authenticate ourselves, say we are who we say.
A
Yep, it's 2020 again, oops. Yeah, I'm here. All right, so it's okay, we're gonna move on to the next person. You're here, you're a witness! We just need your eyes, not your voice, okay, so it's good, we'll roll with it. All right. So we have next up Mike Malone. Tell us a little bit about yourself.
G
Hey everybody, yeah, I'm Mike Malone, I'm a distributed systems and security nerd, I'm CEO of a company called smallstep. We're a cloud native security company and we maintain a popular open source tool chain for internal public key infrastructure. So today's events are definitely relevant to my interests. Thanks for having me, I'm really excited to be here.
A
H
It a try. Hey, I heard there was going to be good here today, so I had to pop by. My name is Stephen Augustus. I am the head of open source for Cisco, I'm also one of the Kubernetes release managers and SIG Release co-chair, so hey. I, again, I heard there was going to be good here and maybe snacks or something like.
A
There was no guarantee of snack stand. I don't know what you're, what you're saying. We have a, you know, we have a kind of little budget, we gotta get a bigger bunch. You got more people watching, we'll have a budget. All right, all right, so last, but certainly, you know, this is kind of, I think you're pretty much like the hands-on keyboard. Am I right? Like you're gonna be helping out everybody and kind of going and doing what we need to do. Can you tell us a little bit about yourself?
I
Yeah, I'm an engineer on Dan's team at Google and I love things all related to like privacy and security. I have like a big hobby about math and cryptography, so I feel like it was right for me to double check what they're doing is sound. Yeah, I'm really excited to catch them make any mistakes and figure out what happens.
A
B
J
A
C
A
B
Okay, awesome, yeah, so Asra shows an overview of the repo and what's happening. This first step is important. This is the one where we get the actual public keys published in GitHub, and so we're going to do this like a normal open source project. There's going to be five PRs that get sent up with all of our public keys, and we're going to do some verifications and using the YubiKeys that we're going to be taking out of our packages live.
B
Everybody can watch that they're brand new on the stream and we will be adding them to the repository that way. Once everything is checked out, we'll merge those PRs correctly and then we can start the signing process. So everybody, the scripts that we're going to be running, you can follow along by watching or in the scripts directory. We're going to be starting out with step one, so take out your keys. Everybody, brand new YubiKeys here. Awesome, take them out, plug them in and run step one and follow up.
A
H
Yeah, let's, yeah, what are those serial numbers?
C
I
I
B
Yeah, that's a good one. Once we get these up, we can talk about the prizes. So also, while we're doing this, to make sure this isn't recorded and everything as we're proving these, the verifiers are going to be asking us some tricky questions to test us and make sure that we are doing this live. So wait until we get these up, so you don't distract us from any complicated git commands, and then we should be good to go.
A
A
I
I
So what hardware kitchen we're gonna be doing right now, if you want like a rough overview, feel free to read this on your own time, but this verification script that I'm going to run is going to check that the certs added in Dan's PR, which we'll show you in just a second, are all chained valid, and then after that I'll just be, like, you know, doing some manual checks to make sure that Dan didn't post something on the side that doesn't match up.
I
So all right. So what you need to do is, if you want to follow along, by the way, and run these prints, all you need to do is clone and fork the directory, go in there and then follow along with the commands that I'm doing. So what I'm gonna do is I'm gonna verify PR number two right here. Nice, I see some thumbs up. Thank you for those.
I
I run this. What I get is verify zero seven eight seven seven eight. Going to the PR, seeing what files he added, looks to line up with the serial number right there. So what I'm doing is verifying by verifying the cert chain that he added from the key cert to the device cert all the way up to Yubico's root cert. Then what I'm just going to do, just to kind of show you this first one, we can manually verify with openssl.
I
So if you copy and paste these commands in here, you'll see that it verifies okay, and what I want to show you right now is, if I go in and take the key certificate, print that out, I'll get the PEM-encoded key certificate, which should line up with this pub key that I see right here. So this is the kind of verification we're doing: we're extracting out the serial number, making sure it lines up with the directory, and verifying this chain.
I
All this does is verify that Dan did in fact generate the public key on the device, so I'm gonna go give this an LGTM right here, approve that. Again, if you do this, feel free to leave a comment, LGTM it. We're gonna give out prizes to random people who are verifying, so feel free to add in your output. I'm gonna go ahead in the background and continue verifying things, feel free to watch.
B
Yeah, and magno had exactly what we have these special guests here for, so we should all show today's printed newspaper. I don't know about you, but I don't have newspapers. So that's why we brought Mike and Trishank and Stephen. So you all have some questions for us, right?
J
Yeah, yeah, sure. Mike, do you, do you want to start first?
G
Sure, let's start with Dan, since you're our, your host here. Can you visit reddit.com, maybe?
C
G
B
It says on the top of reddit.com, there are 59.7 thousand points or votes: "Your consciousness is sent back to when you were at age 15, and you maintain all of your current knowledge and experience. What do you do?"
B
Oh man, what do I do? Buy.
K
I
Yeah, I just want to chime in: the reason why there was one closed from 15 minutes ago was a test run because GitHub Actions was out, so feel free to discard that. That was, I think, Dan's previously. So there was nothing pushed to the repo.
B
Yeah, we cleared the repos before this. There's an archived copy, actually, so we did a whole bunch of test runs. We should mention this. There's an archived repo called sigstore root signing practice where we did all of our previous test runs with different keys, and then we archived that one, we did it, renamed it over to here, and then we did a couple test runs 15 minutes before this started, because CI never works the first time in any repo.
D
B
J
B
Yeah, it probably would have been enough if I put it into bitcoin or something like that to be useful today, as long as I got out at the right time.
C
Just kind of shocking, everybody says. I wanted to brush my teeth or something like that.
B
G
Lemon. All right, I have another question, if we're ready for one. Maybe I'll give this one to Luke. What is the current temperature in Tokyo?
F
So keep in mind, 21 centigrade and it's raining. It's.
I
If you want to chime in, ctl fish, I think, how do we publish that verify succeeded? Go ahead and give a comment. Show you what you did, any extra commands you did, yeah.
I
I'm gonna go ahead and start merging the ones with multiple approvals and then we'll move on whenever ready.
B
K
C
A
I
Mike, are you set up for the GitHub repository, or you want to pass that on to someone else?
G
You know, I haven't pulled. If that's all I need, I've been verifying and writing the verify scripts. So tell me what look at here, I was in the middle of verifying.
I
G
Okay, and after I run it.
G
I
C
I
Yeah, I'll go for it. I think I should have step zero in here already done from before. Yep, all right, and let's go for step 1.5. Watch it live happen, cross your fingers.
I
Here we go, set up the root; let's compare it. Dan, I think either, I'm sorry Dan, I think you got to do it.
I
What's going on is, if I go into scripts right here and I'll show you step 1.5 that Dan is running in the background over here, we're setting up our git state, and then over here we're running this TUF init repository with the four targets that we're adding to the metadata. The targets are right here.
I
That's shown right here on our Fulcio repository. So these are the targets that we're verifying. How are you and so? Can you show the script source? Yeah. So let me show you the actual, like, TUF binary source and I'll just display that until I merge that PR.
I
Not very satisfying, we're gonna do a little bit of a source dive. This is the actual command and then the init script right here, so.
I
It's a mess, but it's setting up a bunch of JSON right here: we're adding lots of expirations. Let's go ahead and check the source, I'll keep that displayed.
I
Let's see, go back to root signing. All right, setting up the root, so let's go ahead and check what's going on here. Verifiers, please go ahead and verify that we have five placeholder signatures, our expirations in about six months, we've got our five keys here with the SHAs matching up with the public keys, and we've got five root keys with the threshold of three for each top-level role here. So.
I
Expirations look good. Yeah, good question. It depends on the threshold. Yep, yep, threshold is three out of five for safety reasons. We're just signing all five today, just because we can, it's good always to have all of us here, and then these are the targets that we're just adding, which I just showed you before. So yeah, verifiers, if you go ahead and verify a couple of those things, that'd be great.
B
B
A
B
Yes, so we all have backups, and to, you know, rotate one of these out, to insert a backup, we would have to get the other four, or at least three out of the other four people, to signify that that is the new correct one. So if two of us lose them at the same time, we're still good. If three do, then it's bad, so we've gotta meet pretty quickly and re-refresh a backup if somebody does lose one.
I
Yeah, thanks for running the verification script. As you can see, this combined all the five public keys that were previously verified. So I'm going to go ahead and merge this, so we can move on to some more signing steps. Sound good, everyone?
A
I
J
I
Yeah, let me pull up some of that draft metadata that now we have committed. So in these three signing phases that we're doing right now, we're doing a first to sign the root and target. So the root is going to attest to the five root keys that we have, and the targets are gonna attest to the four targets that we've added: the Rekor public key, the CTFE key, the Fulcio root CA and our artifact signing key that we've been signing our releases with.
I
So, if you ever doubt us in the future for any of those four things, you can always come back to this metadata and verify that you indeed saw this ceremony. So what we're going to be doing is signing these sequentially, because the later snapshot and timestamps depend on the previous results. So we're going to be signing these. Let me show you real quick, so we have some staged metadata just added from that previous step.
I
Here's the root.json, and people, as they trickle in, their PRs are going to be filling in the signature field that corresponds to their key ID. What you can do is you can choose a person along the way, choose your favorite key holder and take a look at the signature or key ID that they have and follow along theirs. You know, and Marina's. Let's see, we got some PRs trickling in. Oh my god, you guys are fast. All right. So.
A
There's another ask from Jacques, who's now my favorite in the chat: "I saw source for 1.5 and the TUF CLI. Can we show two, please?"
I
Yeah, I'll go for it, so let me just show you real quick. You know what, that's great, I'm glad that. I'll just pull up diedraz verification here and I'll show you the source, so the source for step two.
I
I
So this is what we expect, yeah, and then people can go ahead, keep verifying those. I'm going to verify or, I'm going to wait to merge all of them until we get like one or two LGTMs, and let me go ahead and show you some of the source code here. So this is in.
I
cmd tuf app and sign, all right, so this is what it is. Actually, this one's really simple, so we're gonna get the payload out that we're signing, canonicalize it and then sign it. Then we're going to add your signature to your particular key ID and then set the metadata. So this one's very simple. Let's go ahead and see if people can verify, so yeah. I just verified Santiago's, I'll give that an LGTM.
A
F
J
G
G
Who's looking for someone, something to do? How about, let's see, we already did Dan and Luke. Santiago.
G
We're gonna look at the current price of corn on the Chicago Mercantile Exchange. So if you can go to.
G
And you're gonna, there's gonna be a search, you know, magnifying glass up towards the upper right.
C
C
Okay, I don't even know what I'm looking at. Should I go.
G
G
G
I
Yeah, I'm super thrilled, I'm seeing some repeated verifiers here. All righty, someone needs to go and verify. Let me check. Santiago. Santiago seems a little dubious to me. All right, we got one verifier in there. I call in the chat, come and verify number 20, number four. Dan, you're always getting like 10 plus verifications, like either people really trust you or they're really skeptical.
C
A
C
F
J
I
Yep, I just pulled up the code preemptively expecting that, so yeah, right now we're gonna move on. After roles and target we're moving on to snapshot right here. So this is the script that they're running, step number three, signing the snapshot, so same code as before, just with a different file. We're back on round three.
A
I
And all right, who's gonna go first? Wow, already, 12 seconds.
I
I
So now, with Marina's PR number 13, she's added a signature on snapshot. The really cool thing is, I would love to see a verifier in the chat verify that this SHA-512 lines up with the root.json that's in the GitHub repo. Props to you if you can add a comment saying, like, you know, showing the output of what you did to get that matching SHA. Like, I will like your. I don't have authority to give prizes, but like if I did, I.
A
Would I, could you take a look at Bob Callaway's, that's a little suspect in terms of his thanks.
B
B
K
Right, last one we merged in was four alpha frank bob seven two alpha.
I
Yeah, like I said, when I go back and check for approvals and merges, would love to see someone verify that the SHA for root.json in the repo matches the ones that are in the pull requests.
H
C
B
B
A
We are at 75. This is actually a record for the first two weeks of the launch of Cloud Native TV. So thank you all for joining, appreciate it.
B
C
I
C
A
B
H
B
B
J
Okay, I have a question to verify that we are actually doing this today. What's the price of bitcoin right now, or should we go for Dogecoin, whatever you like. Who's.
F
K
According to CoinDesk, it is 0.285892.
F
J
A
There's a question here: where is the root key itself stored?
I
Let me show you. All right, so these were the keys that were just added by the first round where they were provisioning keys, and when you go to the staged repo and you take a look at root.json.
I
If you scroll down over here, the root.json is the thing that's actually signing off on the root itself, so in all of these we'll see keys right here that we're signing. These are the key IDs, and this is the public key value that corresponds to this public key right here. So you can go ahead and also verify that the SHAs line up there, but yeah, these are the actual keys involved and they line up with the keys that are published in this keys directory.
B
Yeah, and we're using hardware tokens here, so the private keys are actually on the tokens, they're generated there. They can't be removed from the tokens. The stuff we did in step one used device attestations from the tokens to prove that, so you can check these keys against the certificates in step one to chain it all the way back to the manufacturer.
I
Yeah, and I started seeing some timestamp ones, so I just outputted the script that they just ran, step four, and that was signing the timestamp role, and as you can see, c panado left some verification on Marina's. And now we have a signed root, a signed snapshot and a signed targets, and this PR adds one valid signature to the timestamp, and we go ahead and check and voila, there it is, and we have the hash of the snapshot file, which again, totally welcome to verify.
B
B
I
B
All done with this is to the final step. When we're all done with this, and it's all public, is for everybody to click fork and update your forks, so that way you're making independent copies that are all verified with SHAs back. So if we ever try to rewrite history or anything, we'll have all these different records across.
J
Yeah, I just wanted to comment that this is a really cool thing that you guys are doing. There's very few public key ceremonies, never mind private ones. No one really talks about it. So I'm really glad you guys are doing this in the open so that other people can look and learn from you guys and even do their own in the public. I think it's a great idea.
J
F
C
A
G
Okay, have we done like proof that you're live here yet?
G
J
G
I'm gonna, we're gonna figure out where a particular flight is right now. Sounds.
E
G
Okay, I looked up a plane before this. It's a flight from Dubai to Minsk, so up top there's a search bar, type in FDB one seven one five.
G
G
D
The most recent time I see is Friday at 2:47:23 PM Eastern time, and then the latitude is 42.9029 and the longitude is 33.6894 and.
G
C
D
292 degrees left, I don't know, I don't know what that means, but yeah.
B
F
J
B
Was the flight from Lost, the TV show?
E
I
All right, I'm happy to report the team and I have successfully verified round four.
I
Yep, so we got up to round four. So after provisioning the keys that you saw on the keys directory, we created that TUF repository, did three rounds of signing sequentially on the four roles that we have, and now we're on this final, final, final publishing step. So we need one person from the key holders to run step five, which I will show you again what they are going to run. So let me go over here.
I
Show you step 5, and all that does is publish the repository, and I will show you again the script, so yeah, who's gonna do that?
I
All righty, so yeah, this is all it does. It goes through the code, go-tuf repo.Commit, which will verify all the signatures and push it to like a repository. So it's no longer going to be staged, and this is our final step. If you run verify on this now, what we're going to be doing is taking the go-tuf client and seeing if you can successfully verify and download the targets with that, so you'll see some special output.
I
I
I
I
So here you see the four targets successfully retrieved and verified against that metadata that we just created together. All right, yeah. That was the final step. I'm gonna get a couple more verifications on this and then, yeah, we're really good to go. Fork, tweet, publish, give me a shout out.
A
There's a question, excuse me, their thought here: "This video is not legit until somebody's pet interrupts the livestream." Anybody's pet, please go ahead and interrupt the live stream. Okay, I'll go get one.
J
A
B
Yeah, so we're all done as soon as this gets merged. We have the root. Everybody click fork, copy it off of GitHub, clone it, put it on GitLab, put it on your flash drives, put it anywhere you can. We now have the root and everything we do will be chained back to this one. I want to thank Asra for being the coordinator for all this. Thank Dan and Cloud Native TV, of course. Follow this for other awesome shows. How many viewers did we hit? 80? 80.
A
And everyone, look, I mean this, I was not mincing words when I say, like, all jokes aside, we had a lot of fun today, but this was a monumental thing. I don't think this ever been done elsewhere. This has been like in public. I am so excited to be part of this, but this group has been fantastic. Also you folks at home that were part of this. It's just, you know, great, really good interactivity and all that. So it's a really cool process, everyone.
A
Thank you all. I'm gonna have some parting words here real quick, just for next week. Y'all, just so, I will thank you, so everyone again, I'm closing with today. This weekend the holiday is called, it's called Juneteenth, it's a day of recognition, education and celebration.
A
I want us to ensure that, like, we're thinking in terms of, you know, taking care of one another and being the community that we are. We are one large community, one large community. I want you to. I want to thank everybody that was part of the Sigstore key ceremony, and I want you to remember, community: the spotlight is on.