Jussi Kukkonen
Update:
* sigstore/root-signing-staging is working OK with four signers
* sigstore-probers has a PR to make it compatible with future changes
* root-signing-staging tests are now IMO more comprehensive than...
Update:
* there is a test repo https://github.com/jku/root-signing-test that is based on production root-signing (contains same roles, delegations and artifacts) and seems to work: it is compatible with cosign and...
#1320 tracks the actual signing event
✔ current public repository is published with tuf-on-ci
We have changed just about everything that does logging in the past week -- would be very interested in specific improvement suggestions.
In tuf-on-ci:
* the signing-event workflow does analysis on individual metadata -- are they valid, correctly signed, etc
* online-signing verifies that the online roles are valid
* signing tool...
I'm not sure what the description means but if this is about validating changes to artifacts like `trusted_root.json`:
* We should add a separate artifact validation workflow that runs on...
Would make sense to make the change in staging first?
Is this still relevant? Can we move to sigstore/sigstore if yes?
This should be decently handled by `tuf-on-ci-delegate` (to create the delegation) and `theupdateframework/tuf-on-ci/actions/online-sign-targets` action for signing in delegated metadata in a workflow.