Jussi Kukkonen

Results 455 comments of Jussi Kukkonen

bugs.python.org is not the easiest to search in, but I haven't seen a bug

From client implementation experience: The metadata API should definitely handle:
* verify metadata signature with threshold
* verify metadata file hash/length
* verify target file hash/length

The rest is just...

> copy a snapshot of a public production repository, store contents in python-tuf git with the tests I forgot to mention: testing like this would require mocking the current time...

Current state based on manually running python-tuf ngclient against some repositories:
* [x] datadog works
* [ ] sigstore (go-tuf)
  * [microseconds in expiry](https://github.com/sigstore/root-signing/issues/103)
  * [timezone in expiry](https://github.com/sigstore/root-signing/issues/27) (fixed in...

Looks like pip has changed how it operates in this strange situation (or we made a mistake when last changing this). The issue is that we first install securesystemslib from requirements-test......

> quick-fix 1: sign in GitHub CD action

This is possible with a GPG key of course (where the private key is in an environment secret), but Sigstore cosign has _experimental_...

This space seems to move very rapidly at the moment, so just documenting a few things for myself if not others:
* lukas has a hand-crafted in-toto solution linked...

Maybe time to discuss this one again? sigstore-python now does attestations with slsa-github-generator (this is the generic "provenance only" generator): https://github.com/sigstore/sigstore-python/blob/main/.github/workflows/release.yml#L82 I understand that that does not cover all the...

This does not require much, if any, work in current python-tuf: we don't assume anything about keyids currently (most importantly, there's no expectation that keys are unique globally: same name...