Jussi Kukkonen
Instead of the variables, we could just embed them directly in the online-sign workflow if that's preferred (when I built this variable design I assumed they would be set by configuration-as-code...)...
For reference, there is also an issue for using a GitHub App instead of a plain token: https://github.com/sigstore/root-signing-staging/issues/98 -- I plan to test that in staging but that's not done...
Thanks, this should now be sorted. We will see when the smoke clears after #1323
This should obviously be done in staging first, maybe with https://github.com/sigstore/root-signing-staging/issues/155
Related: #1347 -- we should change the incorrect KMS key ID
> it would increase the frequency of online queries during verification

That's the thing:

* if the clients operate as the TUF spec requires, it's the same number of requests: once...
> decreasing the timestamp validity as well

I'm not sure about this: the main reason I suggest this change (signing more often) is to increase the time we would have...
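The two comments above discuss how often the online timestamp role is signed versus how long each timestamp stays valid. The following is an added illustration, not code from sigstore/root-signing or from the commenter: it computes the worst-case recovery margin left when signing runs fail, and shows the version and expiry checks a spec-compliant TUF client applies to a fetched timestamp. All intervals and the sample timestamp document are constructed for the example and are not root-signing's actual settings; signature verification is left out.

```python
"""Added example (not sigstore code): timestamp signing cadence vs. validity,
and the client-side freshness checks on timestamp metadata.
Intervals and sample metadata below are constructed, not real repository values."""
from datetime import datetime, timedelta, timezone


def recovery_margin(sign_every: timedelta, valid_for: timedelta,
                    extra_missed_runs: int = 0) -> timedelta:
    """Time left before the last successfully published timestamp expires,
    measured from the moment a signing run fails, assuming `extra_missed_runs`
    further scheduled runs also fail. A negative result means clients are
    already being served expired metadata."""
    return valid_for - sign_every * (extra_missed_runs + 1)


def _parse_expiry(expires: str) -> datetime:
    # TUF metadata uses ISO 8601 with a trailing 'Z'; make it tz-aware for comparison.
    return datetime.fromisoformat(expires.replace("Z", "+00:00"))


def client_check_timestamp(meta: dict, trusted_version: int, now: datetime) -> int:
    """Minimal version of the TUF client workflow for a freshly fetched timestamp:
    reject a version rollback, then reject expired metadata. Returns the new
    trusted timestamp version. A real client verifies the signatures against
    the root role's timestamp keys before doing any of this."""
    signed = meta["signed"]
    if signed["_type"] != "timestamp":
        raise ValueError("not timestamp metadata")
    if signed["version"] < trusted_version:
        raise ValueError(f"rollback: version {signed['version']} < trusted {trusted_version}")
    if now >= _parse_expiry(signed["expires"]):
        raise ValueError(f"timestamp expired at {signed['expires']}")
    return signed["version"]


# Constructed sample: a timestamp.json 'signed' section, as a client would see it.
SAMPLE_TIMESTAMP = {
    "signatures": [],  # omitted for the example; a real client checks these first
    "signed": {
        "_type": "timestamp",
        "spec_version": "1.0.31",
        "version": 42,
        "expires": "2030-01-08T00:00:00Z",
        "meta": {"snapshot.json": {"version": 17}},
    },
}


def demo() -> dict:
    """Run the example end to end and return the observed results."""
    margin_daily = recovery_margin(timedelta(days=1), timedelta(days=7))
    margin_hourly = recovery_margin(timedelta(hours=1), timedelta(days=7))
    fresh = client_check_timestamp(
        SAMPLE_TIMESTAMP, trusted_version=41,
        now=datetime(2030, 1, 1, tzinfo=timezone.utc))
    try:
        client_check_timestamp(
            SAMPLE_TIMESTAMP, trusted_version=41,
            now=datetime(2030, 1, 8, tzinfo=timezone.utc))
        expired_rejected = False
    except ValueError:
        expired_rejected = True
    return {
        "margin_daily": margin_daily,
        "margin_hourly": margin_hourly,
        "accepted_version": fresh,
        "expired_rejected": expired_rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With a seven-day validity, signing hourly instead of daily leaves operators almost a full extra day to notice and repair a broken signing run before clients start rejecting the repository, while the client still fetches timestamp.json exactly once per update regardless of the cadence.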
This change is now live in root-signing-staging https://github.com/sigstore/root-signing-staging/pull/171
I don't see anything unreasonable here. I will note that this sentence:

> Have a way for the user to grab the generated TUF repository and continue operating it (add...
The root.json symlink is not the only potential conflict. My initial thought was that it would make sense to have a high-level lock in the public methods:

> locking...