root-signing
Delegation POP signatures are moved into repository during publish.
Description
See this PR: https://github.com/sigstore/root-signing/pull/773/files#diff-411f5cc22c155801c5fd2fe49b6e5152a541cce0f8ae8b1b8b0ddc83c0d50314R1
Some ideas from the top of my head:
- Figure out another method to represent the POP signature.
- Store the POP signatures outside the staged repository in a designated folder
- Store the POP signatures in a designated folder in the staged root that is removed as part of the publish step
- Make sure that the pop files are ignored during publish
cc: @asraa @haydentherapper
Version
Latest main as of signing ceremony that started at 2023-04-04
> Store the POP signatures outside the staged repository in a designated folder
This is probably a good idea! Similar to the way we have keys subfolder.
I wonder if we could use git notes to store these in the git repository for potential long-term reference without storing them in the file tree?
> I wonder if we could use git notes to store these in the git repository for potential long-term reference without storing them in the file tree?
+1000!!!!
> Figure out another method to represent the POP signature.
The repository can effectively require POP by requiring that a signing event that adds new keys always has to have metadata signed by those keys.
- For new delegations this is simple: require v1 metadata to be included in the signing event, and signed by new keys
- For existing delegations this might still work: just require that the signing event either
  - include a new version of the metadata signed by the new keys, or
  - include the current version signed by the new keys
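An added illustration of the rule sketched in this comment, not code from root-signing or tuf-on-ci: the metadata in a signing event doubles as proof of possession if every key added to a delegation has signed it. The data model (a delegation as a set of key ids, an event as a map from metadata version to the key ids that signed it) is an assumption made for this example.

```python
# Assumed model for this example: delegations are sets of key ids, and a
# signing event is {metadata_version: set_of_signing_key_ids}. This is not
# the root-signing or tuf-on-ci representation.

def added_keys(current_keys, proposed_keys):
    """Key ids present in the proposed delegation but not the current one."""
    return set(proposed_keys) - set(current_keys)


def pop_satisfied(current_keys, proposed_keys, current_version, event_signatures):
    """Return (ok, missing_key_ids) for the policy described above.

    current_keys:     key ids currently in the delegation (empty if new)
    proposed_keys:    key ids the event wants in the delegation
    current_version:  published metadata version, or None for a new delegation
    event_signatures: {version: set of key ids} for metadata in the event
    """
    new = added_keys(current_keys, proposed_keys)
    if not new:
        return True, set()  # no keys added, nothing to prove

    if current_version is None:
        # New delegation: v1 must be in the event and signed by every new key.
        signers = event_signatures.get(1, set())
        missing = new - signers
        return not missing, missing

    # Existing delegation: the event must contain the current version or a
    # newer one carrying signatures from all new keys. Report the new keys
    # that are absent from the best candidate version.
    best = set()
    for version, signers in event_signatures.items():
        covered = signers & new
        if version >= current_version and len(covered) > len(best):
            best = covered
    missing = new - best
    return not missing, missing


if __name__ == "__main__":
    # Constructed sample: adding key "k2" to a delegation at version 3, with
    # the event supplying a freshly signed version 4.
    print(pop_satisfied({"k1"}, {"k1", "k2"}, 3, {4: {"k1", "k2"}}))
```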
I believe the process described in the previous comment is how this works now, after the tuf-on-ci migration.