Jussi Kukkonen
documenting current status:
* online signing (so snapshot re-generation) is now done by tuf-on-ci
* root and several other old roles are still included in snapshot
* resetting snapshot requires...

> ... create a reusable GH workflow that files an issue in the client github repo if the embedded root is not up-to-date

Thinking this through: We probably don't want...

Thanks for ping :) @mlieberman85 the sigstore approach is generalizable (and I believe this is absolutely the right direction to go), and there are some interesting improvements possible as well...

> I recognize that the API isn't as stable as python-tuf, but similar to how cosign is a CLI frontend that supports the common use cases for Sigstore, I think...

Updating this:
* The generic TUF repository implementation for sigstore-like use cases now lives in https://github.com/theupdateframework/tuf-on-ci
* I'm currently working on some import functionality so existing repos can be managed...

I think I'm going to close this as "works for me": tuf-on-ci is demonstrably usable by others and this repository has just become a decent example of a reasonably complex...

I forgot to update this issue:
* I've proposed **6pm EEST (11am EDT) on Wed Sept 6** as meeting time about this
* feel free to suggest another time, especially...

I'll need to find the right place to file an issue for this but:
* I'd like to get a new project under the sigstore org: `root-signing-staging` is the best...

for reference: https://github.com/sigstore/root-signing-staging/issues/1 is ongoing but the TUF repository is not functional yet (KMS is not working). Next steps for sigstore/root-signing-staging are:
* get online signing working in the new...

sigstore/root-signing-staging is now technically operational (provisional, not published to the official GCS bucket yet). Next steps:
* [x] client smoke tests are ongoing
* [x] some small improvements to tuf-on-ci...