asraa

Results 448 comments of asraa

Would be happy to do this! I had a bad impl in my cosign demo https://github.com/sigstore/cosign/pull/366 but would love to clean it up (it flattened all the meta into a...

I think the big problem was that newlines inside JSON couldn't be handled well with Go. I pulled a PEM encoded public key string from python repository testdata and you'll...

So far I think the max request size set by the proxy (120mb) is probably way too large for most types. Whether rekor should have a smaller artifact size seems...

> As far as I know, Option 1 is the plan! (each shard uses the same signer).

Ah, interesting! So currently the scope is that sharding is helping log size/resource,...

We currently don't really have an API for this, my proposal is adding something like `SignWithIncrement`.

Related: https://github.com/theupdateframework/python-tuf/issues/1727 `bump_expiry` was removed, and expiration is manually bumped.

FWIW, for delegations and targets, adding an existing target will do a version bump with a no-op.

> What's the relationship between this issue and https://github.com/theupdateframework/go-tuf/issues/329 ?

This is to re-sign any metadata, like targets, root, delegations: we want to refresh the signature and bump the version....

e.g. targets.json is expiring, but we aren't removing or adding targets, no change: so we need to bump the version and expiration

cc @kommendorkapten @joshuagl Still working on this, expect some testing to be done by tomorrow for some initial client code. There's a running list of TODOs in the client code...