Resign TUF metadata without changes (e.g. close to expiry)
@ethan-lowman-dd @mnm678 this came up when using delegations from https://github.com/theupdateframework/go-tuf/pull/175, but also applies to root and targets: how do you deal with re-signing delegations? Let's suppose no change is made to a delegation, but expiration is coming up and we need to re-sign and increment the expiration/version. Right now adding the delegation again will return an error that it already exists, and re-signing with Sign does not increment a version, it just updates the signatures.
We basically need a "snapshot/timestamp" but for other meta.
We currently don't really have an API for this, my proposal is adding something like SignWithIncrement.
Related: https://github.com/theupdateframework/python-tuf/issues/1727
bump_expiry was removed, and expiration is manually bumped.
FWIW for delegations and targets adding an existing target will do a version bump with a no-op
What's the relationship between this issue and https://github.com/theupdateframework/go-tuf/issues/329 ?
This is to re-sign any metadata, like targets, root, delegations: we want to refresh the signature and bump the version.
Simply using the repo.Sign won't increment version. https://github.com/theupdateframework/go-tuf/blob/f75cbcc8550dfb9311c6723999fe7b1d3d2bc116/repo.go#L806
E.g. targets.json is expiring, but we aren't removing or adding targets, no change: so we need to bump the version and expiration.
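The difference between a signature-only refresh and the proposed bump-then-sign, as an added example that is not part of the thread and not go-tuf code. The `Signed`/`Envelope` types, the body of `signWithIncrement` (only the name comes from the proposal), the use of `json.Marshal` in place of TUF canonical JSON, and the demo key are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Signed and Envelope are simplified stand-ins for TUF role metadata (not go-tuf types).
type Signed struct {
	Version int64     `json:"version"`
	Expires time.Time `json:"expires"`
}
type Envelope struct {
	Signed     Signed            `json:"signed"`
	Signatures map[string][]byte `json:"signatures"` // key ID -> signature
}

// signOnly replaces the signatures but leaves version and expiry untouched.
func signOnly(e Envelope, keyID string, k ed25519.PrivateKey) (Envelope, error) {
	payload, err := json.Marshal(e.Signed) // stand-in for TUF canonical JSON
	if err != nil {
		return e, err
	}
	e.Signatures = map[string][]byte{keyID: ed25519.Sign(k, payload)}
	return e, nil
}

// signWithIncrement (hypothetical body) bumps version and expiry before signing,
// so the new signature covers the updated fields.
func signWithIncrement(e Envelope, keyID string, k ed25519.PrivateKey, now time.Time, validFor time.Duration) (Envelope, error) {
	if validFor <= 0 {
		return e, fmt.Errorf("validity period must be positive, got %s", validFor)
	}
	e.Signed.Version++
	e.Signed.Expires = now.Add(validFor).UTC().Truncate(time.Second)
	return signOnly(e, keyID, k)
}

func verify(e Envelope, keyID string, pub ed25519.PublicKey) bool {
	payload, err := json.Marshal(e.Signed)
	return err == nil && ed25519.Verify(pub, payload, e.Signatures[keyID])
}

var demoPriv = ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed all-zero seed, demo only
var demoPub = demoPriv.Public().(ed25519.PublicKey)
func main() {
	e, err := signWithIncrement(Envelope{Signed: Signed{Version: 3}}, "demo", demoPriv, time.Now(), 24*time.Hour)
	fmt.Println(e.Signed.Version, e.Signed.Expires, verify(e, "demo", demoPub), err)
}
```

Because the signature covers the version and expiry fields, a signature made before the bump does not verify over the bumped metadata.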
Closing since the code base changed and is no longer relevant.
Thanks for raising this 👍