Marina Moore
I started a spreadsheet to map the SSCP to SLSA and other tooling to lay out which pieces of the supply chain are addressed by different pieces of tooling: https://docs.google.com/spreadsheets/d/1CzvnInT7QOmTOz20W5TiX8tJiG9XZvdqYA3TivLx-PI/edit#gid=0...
> @mnm678 anything else we can help with Marina? Shared this in the working session today with group, fyi. Thanks!

I opened #984 to extend the scope of this project...
I'm working on a related effort to map the supply chain security white paper to tooling: https://docs.google.com/spreadsheets/d/1LfAgoYesySfg7bkiUgihNWGDpyKsMNt6xTBi303IAcg/edit#gid=0, related to #960
There is a skeleton of this here: https://github.com/theupdateframework/go-tuf/blob/master/cmd/tuf/regenerate.go
> Some comments. WDYT? Thanks for working on this @asraa!
>
> * I know the spec says the cert should be PEM encoded, but the JSON marshalling in go...
> We could use a tag? like `go build -tags=sigstore ./cmd/tuf` that would only compile and add sigstore keys if the tag is used

I like this idea, it should...
I agree, the client shouldn't need to download all of them, just the ones needed for any verification they perform.
cc @asraa This might relate to the [cosign key generation](https://github.com/sigstore/cosign/pull/366)
Hi! There's a description of this feature in the [specification](https://theupdateframework.github.io/specification/latest/#path_hash_prefixes), as well as in the [python version](https://github.com/theupdateframework/tuf/tree/develop/tuf/client).
> > TAP-12 seemingly got implemented in python-tuf v1.0.0
>
> Maybe more accurate to say Metadata API does not enforce or test that the id actually is the hex...