feat: Add configuration verification for targets config

Open asraa opened this issue 3 years ago • 3 comments

Description

Not for docs: Another thing that might be useful to verify with a verification script: that usage and status are set for all targets.

asraa Jun 28 '22 21:06
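
One way to write the verification script the description asks for, as an added example that is not part of the thread or of the root-signing repository's code. It assumes the two fields live under `custom.sigstore` in each entry of the `signed.targets` map of the TUF targets metadata; the target names and field values in the sample are constructed.

```python
import json
import sys

REQUIRED = ("usage", "status")  # the two fields named in the issue


def check_targets(metadata):
    """Return one problem string per target that lacks a required field."""
    signed = metadata.get("signed") if isinstance(metadata, dict) else None
    targets = signed.get("targets") if isinstance(signed, dict) else None
    if not isinstance(targets, dict) or not targets:
        return ["metadata has no signed.targets map"]
    problems = []
    for path, info in sorted(targets.items()):
        custom = info.get("custom") if isinstance(info, dict) else None
        # ASSUMPTION: the fields are nested under custom.sigstore.
        sig = custom.get("sigstore") if isinstance(custom, dict) else None
        if not isinstance(sig, dict):
            problems.append(f"{path}: no custom.sigstore object")
            continue
        for field in REQUIRED:
            value = sig.get(field)
            # A present-but-empty or non-string value counts as unset.
            if not isinstance(value, str) or not value.strip():
                problems.append(f"{path}: '{field}' missing or empty")
    return problems


# Constructed sample metadata (not taken from any real repository).
SAMPLE = json.loads("""
{"signed": {"_type": "targets", "targets": {
  "a.pem":  {"length": 1, "custom": {"sigstore":
             {"usage": "ExampleUsage", "status": "ExampleStatus"}}},
  "b.pub":  {"length": 1, "custom": {"sigstore": {"usage": "ExampleUsage"}}},
  "c.pub":  {"length": 1, "custom": {"sigstore":
             {"usage": "", "status": "ExampleStatus"}}},
  "d.json": {"length": 1}
}}}
""")

if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    found = check_targets(data)
    print("\n".join(found) or "all targets have usage and status set")
    sys.exit(1 if found else 0)
```

The non-zero exit status on any finding lets a CI job fail the run when a target is added without both fields.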

@kommendorkapten I think this is still relevant, could we use trtool to verify the trusted root file?

haydentherapper Sep 04 '24 15:09

Yes, that is correct @haydentherapper

kommendorkapten Sep 05 '24 05:09

I'm not sure what the description means, but if this is about validating changes to artifacts like trusted_root.json:

  • We should add a separate artifact validation workflow that runs on artifact changes to sign/* branches -- this would not be part of tuf-on-ci but a root-signing workflow that runs in every signing event
  • The workflow should run at least one sigstore client with the trusted_root.json (without using TUF)
  • The workflow could also run some external validation tooling like trtool

jku Sep 05 '24 06:09