asraa

Results 448 comments of asraa

> Store the POP signatures outside the staged repository in a designated folder

This is probably a good idea! Similar to the way we have a `keys` subfolder.

> I wonder if we could use [git notes](https://git-scm.com/docs/git-notes) to store these in the git repository for potential long-term reference without storing them in the file tree?

+1000!!!!

> It is difficult to see what is currently available in prod and preprod, compared to git content -- and difficult to see if their current state is a result...

Related: https://github.com/sigstore/public-good-instance/issues/714

@priyawadhwa is the sigstore dashboard a thing or an idea? We can probably just start with a root-signing status page too.

This would be in case of rotating the delegation's signing key. I don't see how current tooling can handle modifying properties of the delegation -- `add-delegation` calls this func which...

> Yes, changing the key is something I don't think can be done today, but we have ~1y to figure that out :smile:

Yes exactly! I just wanted to make...

> Should we remove this from this milestone and add it to root signing v8?

Yes! Will do - thanks.

Yeah - for context I think we stopped signing over the root at root version 2 with a go-tuf update. Then it remained because TUF requires persisting metadata files in...

> The way to "reset" snapshot contents is to do it while changing snapshot keys (because now the old snapshot is no longer signed by valid keys so clients should...