Failure in TUF-on-CI publish #161
Analysis
The signing event #156 failed to publish because sigstore-java does not like the metadata.
Next steps
The current published timestamp expires 2024-08-28; the usual signing schedule would imply signing on 2024-08-24. These are the options for solving the root-signing-staging failure that I can see at the moment:
Options for the ongoing root-signing signing event:
|
Great analysis. I would like to know more about a timeline for fixing the Java client. It seems the fix would be small, but would we be able to distribute it in time? For prod TUF root, we have at least a week. If we don't think the time is enough, my vote is to not update the targets (i.e. omit sigstore/root-signing#1268). One question though, we do need to update |
Without breaking users, I don't think so. sigstore-java would have to release a new version and all users would have to upgrade to it before the repository change happens. |
No, only actual changes in the artifacts will trigger rebuilding the hashes |
Perfect, then I think we should wait for next signing to modify targets to avoid breaking Java, and make sure the Java client is updated ASAP so we can perform any changes next time. |
For staging, I'm tempted to keep as is? Assuming we can get a fix for the Java client pretty soon so at least the tip is working. |
Yeah that does seem reasonable. Summing up:
This means
|
Workflow run succeeded for TUF-on-CI publish.
Successful run: https://github.com/sigstore/root-signing-staging/actions/runs/10508655581
Closing issue based on this success. |
sigstore-java test was disabled temporarily:
Avoiding artifact changes in production root-signing still seems like a good call for the migration signing event that's going on |
Workflow run failed for TUF-on-CI publish.
Failed run: https://github.com/sigstore/root-signing-staging/actions/runs/10503325582
CC @sigstore/tuf-root-signing-staging-codeowners, please have a look.