cosign
tuf demo code
This is some WIP TUF code.
The major thing I want to do is to not rely on my hand-grown store. I'd like to remove a lot of it in favor of actually using methods exposed by Repo, which I think is possible. Here are some fixes to undraftify it:
- Get go-tuf implementation to be OK with adding public keys (like python impls' "add_verification_key")
- Generalize adding targets in go-tuf where we can add non-file-based targets
- Remove my hand-grown signing. cosign keys. Dependent on https://github.com/sigstore/sigstore/pull/69#issuecomment-854693360
- But mostly add tests, and ensure that updates actually work
https://github.com/sigstore/cosign/issues/86
How do you see this working with https://docs.google.com/document/d/12BBOXMhA99J3KzNaotT1J4OTSDlNnK110_9FZkPv-A0/
I have started to put a WIP here: https://github.com/sigstore/cosign/pull/407
I am wondering if I should wait for this work to complete first in case one is going to invalidate the other.
This one came from this discussion and doc: https://github.com/sigstore/cosign/issues/86 https://docs.google.com/document/d/1oyMQ-a0Uwyl9Pew7ISYUdKFfnqEp-qfk1psVFdd-o8Y/edit
Gotcha, it makes sense we work together on this then.
From the doc:
cosign tuf init-repo gcr.io/dlorenc-vmtest2 --threshold 2 --roots [email protected], [email protected], [email protected] --signer [email protected] --timestamper serviceaccount
The above is what the other PR does (minus the timestamper), although it also fixes it to a registry
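The 2-of-3 root threshold in the command above, as an added Go example that is not cosign's or go-tuf's code: it assumes a simplified TUF-style envelope (raw body bytes signed with ed25519 rather than canonical JSON) and constructed keys, and shows that the check must count distinct trusted keys, not signature entries.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)
// Signature is one detached signature over the "signed" body, by key id.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}
// Signed is a TUF-shaped envelope: metadata body plus its signatures.
type Signed struct {
	Signed     json.RawMessage `json:"signed"`
	Signatures []Signature     `json:"signatures"`
}
// VerifyThreshold reports whether at least `threshold` distinct trusted root keys signed
// the body; unknown keys, bad signatures and repeats of one key do not count.
func VerifyThreshold(env Signed, roots map[string]ed25519.PublicKey, threshold int) bool {
	valid := map[string]bool{}
	for _, s := range env.Signatures {
		pub, ok := roots[s.KeyID]
		sig, err := hex.DecodeString(s.Sig)
		if !ok || err != nil || valid[s.KeyID] {
			continue
		}
		if ed25519.Verify(pub, env.Signed, sig) {
			valid[s.KeyID] = true
		}
	}
	return len(valid) >= threshold
}
// Demo: three constructed root keys (not sigstore's); `signers` of them sign a root body.
func Demo(signers int) bool {
	body := json.RawMessage(`{"_type":"root","version":1}`)
	roots := map[string]ed25519.PublicKey{}
	env := Signed{Signed: body}
	for i := 0; i < 3; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		id := fmt.Sprintf("root-%d", i)
		roots[id] = pub
		if i < signers {
			env.Signatures = append(env.Signatures, Signature{KeyID: id, Sig: hex.EncodeToString(ed25519.Sign(priv, body))})
		}
	}
	return VerifyThreshold(env, roots, 2) // threshold 2 of the 3 roots
}
func main() { fmt.Println(Demo(2), Demo(1)) } // prints: true false
```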
Hey @asraa, is this still a WIP or was it moved to the sigstore-root repo?
This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.
This PR was closed because it has been stalled for 10 days with no activity.