root-signing
Init from config
Description
I was making enhancements to the root and realized it would be really nice to configure a config that could be used to initialize next roots based on params:
- expiration for each target type
- thresholds
- delegations
- targets (with custom meta)
- signers (either locations of HSM key data or GCP KMS signers)
What are some alternatives to dropping a custom YAML?
cc @haydentherapper @bobcallaway @dlorenc @joshuagl do any of you have good ideas?
Would (mustache) templating be a good solution?
https://mustache.github.io/mustache.5.html
Do you have a sketch of what this might look like? I'm not sure I understand the idea enough to comment.
I'll spec it out!
https://docs.google.com/document/d/1rhJEPs2LiCs7CZvZeNf8BIM2NLBjXAot8v-GnfulyQg/edit?resourcekey=0-PqzLxKb99V2ZM0iljWsWEA#
Here it is! I have started working out the implementation just to make sure it works, but my main goal is not to keep adding flags and commands to the scripts.
@dlorenc @joshuagl @bobcallaway do you have any feedback on this? I'd like to get this done in the next week so I can test run v3
Adding here with more feedback: we could and should have config validators.
cc @kommendorkapten
The design is currently a bit different:
- there is no config at all: changes always start with the current signed metadata
- tuf-on-ci-delegate has features to change signers/thresholds/delegations
- artifacts are modified by just pushing a new branch with artifact changes: tuf-on-ci then updates the metadata accordingly
Closing as not relevant.