Jussi Kukkonen
Test in staging ongoing in https://github.com/sigstore/root-signing-staging/issues/157
Just so we're making an informed decision: Has any client implemented SigningConfig support? Or in other words are we sure that the SigningConfig design is good? I notice it does...
> Has any client implemented SigningConfig support? Ah yes, I forgot sigstore-python has that (via supporting ClientTrustConfig that combines SigningConfig and TrustedRoot). > If this is still up for debate...
> Figure out another method to represent the POP signature. The repository can effectively require POP by requiring that a signing event that adds new keys always has to have...
I believe the process described in the previous comment is how this works now, after the tuf-on-ci migration
Option 1 is similar to tuf_client_tests.yml, except * depends on prod and preprod to be reachable * publishes metadata versions somewhere * optional sanity checks on expected metadata versions
The implementation in tuf-on-ci is not perfect but it's an improvement IMO: * it moves the publish branch when main is in a state ready for publish -- so a commit...
This should no longer be relevant with current tools
The way to "reset" snapshot contents is to do it while changing snapshot keys (because now the old snapshot is no longer signed by valid keys so clients should not...
I think staging does not prove anything (it never had root listed in snapshot as far as I know). * I think this (removal of old items from snapshot) likely...
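The two comments above (a snapshot "reset" is only safe when it coincides with a snapshot key rotation, and removing old items from snapshot is otherwise a problem) describe two steps of the TUF client update workflow: the client discards its trusted timestamp and snapshot when the root's snapshot keys change (spec step 5.3.11), and otherwise refuses a new snapshot that drops a targets file listed in the trusted snapshot or lowers its version (spec step 5.5.5). The following is an added example and not code from sigstore/root-signing, tuf-on-ci or python-tuf: a simplified, single-key-threshold model of just those checks, with constructed key ids and metadata versions.

```python
"""Simplified model of the TUF client checks that make a snapshot reset
safe only together with a snapshot key rotation. Added example; the key
ids, versions and file names are constructed, not from any real repository."""
from dataclasses import dataclass
from typing import Optional


class RollbackError(Exception):
    """Raised when a new snapshot would roll back the trusted snapshot."""


@dataclass
class Root:
    version: int
    snapshot_keyids: frozenset  # keys allowed to sign snapshot (threshold 1 here)


@dataclass
class Snapshot:
    version: int
    signed_by: frozenset  # key ids whose signatures verify on this snapshot
    meta: dict  # {"targets.json": version, "delegated.json": version, ...}


@dataclass
class Client:
    root: Root
    snapshot: Optional[Snapshot] = None  # trusted snapshot, if any

    def update_root(self, new_root: Root) -> None:
        # Spec 5.3.11: if the snapshot (or timestamp) keys were rotated, the
        # trusted snapshot is no longer signed by valid keys; drop it so the
        # rollback checks below start from a clean slate.
        if new_root.snapshot_keyids != self.root.snapshot_keyids:
            self.snapshot = None
        self.root = new_root

    def update_snapshot(self, new: Snapshot) -> None:
        # Spec 5.5.2: new snapshot must be signed by current snapshot keys.
        if not (new.signed_by & self.root.snapshot_keyids):
            raise ValueError("snapshot not signed by a current snapshot key")
        if self.snapshot is not None:
            # Spec 5.5.4: snapshot version must not go backwards.
            if new.version < self.snapshot.version:
                raise RollbackError("snapshot version decreased")
            # Spec 5.5.5: every file listed in the trusted snapshot must
            # still be listed, with a version that is not lower.
            for name, version in self.snapshot.meta.items():
                if name not in new.meta:
                    raise RollbackError(f"{name} removed from snapshot")
                if new.meta[name] < version:
                    raise RollbackError(f"{name} version decreased")
        self.snapshot = new


def snapshot_reset(rotate_snapshot_key: bool) -> bool:
    """Publish a snapshot that drops stale entries; return True if a client
    with an older trusted snapshot accepts it. Constructed scenario."""
    client = Client(
        root=Root(version=1, snapshot_keyids=frozenset({"k1"})),
        snapshot=Snapshot(
            version=5,
            signed_by=frozenset({"k1"}),
            meta={"targets.json": 3, "old-delegation.json": 2, "root.json": 4},
        ),
    )
    new_keys = frozenset({"k2"}) if rotate_snapshot_key else frozenset({"k1"})
    client.update_root(Root(version=2, snapshot_keyids=new_keys))
    # The "reset" snapshot: only targets.json remains listed.
    reset = Snapshot(version=6, signed_by=new_keys, meta={"targets.json": 3})
    try:
        client.update_snapshot(reset)
    except RollbackError:
        return False
    return True


if __name__ == "__main__":
    print("reset without key rotation accepted:", snapshot_reset(False))
    print("reset with key rotation accepted:   ", snapshot_reset(True))
```

Without the rotation, the client still holds its trusted snapshot, so dropping `old-delegation.json` trips the 5.5.5 check and the update is rejected; with the rotation, the trusted snapshot is discarded first, and the pruned snapshot is accepted.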