Jussi Kukkonen
I think the expected behaviour sounds reasonable. There is a related question to consider -- in a scenario where you have "distributed workers", maybe what you really want is a...
The legacy signing uses sigstore/sigstore to sign: that just picks the highest version number available: see [code](https://github.com/sigstore/sigstore/blob/0ca1da64d22eebfb7c6dd344db7a6547766244f8/pkg/signature/kms/gcp/client.go#L192-L196) -- this is IMO incorrect for TUF (since a new keyversion is a...
There is a workaround in tuf-on-ci: we will re-try the signing event merge in #1348. This issue should remain open even after that so we can properly fix the KMS...
The workaround seems to have worked -- although the next issue is still preventing seeing the results (see #1349)
There's a related issue with IdentityToken: it always uses "email" as the identity of the token -- but some OIDC issuers, like GitHub Actions, use "sub" as the identity and...
CC @woodruffw based on #467
> move from Model().from_json to Model.from_dict(...), since the latter invokes the validators correctly.

Oh wow, that'll teach me to never trust api docs: I did go through it, there's nothing...

> However, the entire setup there feels brittle, perhaps unacceptably so 🙃 -- an option here would be to revert on #467 and go back to non-Pydantic-based models.

maybe yes:...
I'll close this: the issue is real but `Model.from_dict(...)` seems like a completely valid workaround
Test in staging ongoing in https://github.com/sigstore/root-signing-staging/issues/157