The keyids used by tuf-on-ci work with currently tested clients but
- the keyids are not actually compliant (spec currently requires the keyid to be computed from the key contents)
- as a result sigstore-rs (through awslabs/tough) does not work with root v8
This was fixed a while ago already in tuf-on-ci (theupdateframework/tuf-on-ci#292) so any new keys will be ok out-of-the-box but I dropped the ball on getting the fixes into this repository. Let's fix that.
The goal is:
- Create new versions of all metadata, change the keyids to compliant ones
- make sure we end up with signatures from both keyids in root case: root threshold has to be reached by both old keys and new keys (even if they happen to be the same actual key, just with different keyid)
- signers sign these changes
- root version v8 will remain non-compliant: sigstore-rs needs to bootstrap from v9
I will do a PR
as mentioned, the only complication is that the new root needs to be signed by "old" and "new" keyids -- even though they are the same key. This should just happen without any special action from the signers
the diff looks more complicated than it is because the keys get reordered in json: in reality only the keyids change
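An added example, not code from this issue, the PR, or tuf-on-ci: a sketch of the keyid change discussed above, computing each keyid as the hex SHA-256 of the key's canonical JSON and rewriting a root-shaped `signed` object so that only the keyids change. It assumes the whole key object as stored under `keys` is what gets hashed, uses a minimal canonical JSON encoder written for this example, and the names `compliant_keyid` and `rekey` plus the sample key material are constructed for illustration.

```python
import copy
import hashlib

def canonical_json(obj):
    """Minimal OLPC-style canonical JSON for the types found in TUF key objects."""
    if isinstance(obj, str):
        # Only backslash and double quote are escaped; PEM newlines stay raw.
        return '"' + obj.replace("\\", "\\\\").replace('"', '\\"') + '"'
    if isinstance(obj, bool):
        return "true" if obj else "false"
    if obj is None:
        return "null"
    if isinstance(obj, int):
        return str(obj)
    if isinstance(obj, list):
        return "[" + ",".join(canonical_json(v) for v in obj) + "]"
    if isinstance(obj, dict):
        items = (canonical_json(k) + ":" + canonical_json(obj[k]) for k in sorted(obj))
        return "{" + ",".join(items) + "}"
    raise TypeError(f"unsupported type: {type(obj).__name__}")

def compliant_keyid(key):
    """Hex SHA-256 of the canonical form of the key object (assumption: whole object)."""
    return hashlib.sha256(canonical_json(key).encode("utf-8")).hexdigest()

def rekey(signed):
    """Return (new_signed, {old_keyid: new_keyid}); key contents are left untouched."""
    mapping = {kid: compliant_keyid(key) for kid, key in signed["keys"].items()}
    new = copy.deepcopy(signed)
    new["keys"] = {mapping[kid]: key for kid, key in new["keys"].items()}
    for role in new["roles"].values():
        role["keyids"] = [mapping[kid] for kid in role["keyids"]]
    return new, {old: cur for old, cur in mapping.items() if old != cur}

# Constructed sample: one root key stored under a keyid that is not its hash.
SAMPLE_KEY = {
    "keytype": "ecdsa",
    "scheme": "ecdsa-sha2-nistp256",
    "keyval": {"public": "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n"},
}
SAMPLE_ROOT = {
    "_type": "root",
    "keys": {"legacy-noncompliant-keyid": SAMPLE_KEY},
    "roles": {"root": {"keyids": ["legacy-noncompliant-keyid"], "threshold": 1}},
}

if __name__ == "__main__":
    new_root, changed = rekey(SAMPLE_ROOT)
    for old, cur in changed.items():
        print(f"{old} -> {cur}")
```

The returned mapping lists every keyid that a client deriving keyids from key contents would compute differently; an empty mapping means the metadata is already consistent under this rule.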