
[delegations] Add delegation script to append a new delegation to a staged target file #601

Closed
asraa opened this issue Jan 25, 2023 · 2 comments · Fixed by #611
Labels: enhancement (New feature or request)

Comments

@asraa (Contributor)

asraa commented Jan 25, 2023

Description

Add a script to initialize a new delegation to a staged target file on a branch. This will add a stub:

 "delegations": {
   "keys": {
    "c8022fa1e9b9cb239a6b362bbdffa9649e61ad2cb699d2e4bc4fdf7930a0e64a": {
     "keyid_hash_algorithms": [
      "sha256",
      "sha512"
     ],
     "keytype": "ed25519",
     "keyval": {
      "public": "fcf224e55fa226056adf113ef1eb3d55e308b75b321c8c8316999d8c4fd9e0d9"
     },
     "scheme": "ed25519"
    }
   },
   "roles": [
    {
     "keyids": [
      "c8022fa1e9b9cb239a6b362bbdffa9649e61ad2cb699d2e4bc4fdf7930a0e64a"
     ],
     "name": "registry.npmjs.org",
     "paths": [
      "registry.npmjs.org/*"
     ],
     "terminating": true,
     "threshold": 1
    }
   ]
  },

like the following, ensuring terminating: true and programmatically creating the paths based on the name.

The script will also require access to the signing key in order to create a proof of possession.

Tool inputs/args:

  • Key(s) (either ref, online or on disk for testing) or SK (SK only supports threshold 1 for now)
  • Name of role
  • Threshold
  • Path to the staged TUF repo
  • Nonce

Tool performs:

  • Update to the targets (top level) of the staged TUF repo with the added delegation stub
  • Creates a proof of possession of the key ID: Sig(key_id + nonce)

Tool outputs:

  • Proof of possession of the key ID: a signature over key_id + PR (for uniqueness)

This tool is wrapped in a script OR reusable workflow that:

  1. Checks out the GitHub branch where the staged TUF repo is
  2. [optional] Create a draft PR
  3. Generates a nonce (we can use the draft PR number)
  4. Runs the tool with the inputs
  5. Creates a pull request with body containing the proof of possession and the changed files of the updated targets file.

cc @kommendorkapten
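The tool described above (append a terminating delegation stub to a staged targets file, derive the paths from the role name, and produce Sig(key_id + nonce) as a proof of possession), as an added example in Go. This is not code from the root-signing project or from this issue's author. It assumes ed25519 keys, derives each path as name + "/*" to match the stub, and approximates TUF's keyid as the sha256 of the key object's canonical JSON (not checked against the keyids in the real repository); the nonce "611" and the generated key pair are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Targets is the subset of a TUF targets.json "signed" block the tool edits.
type Targets struct {
	Delegations Delegations `json:"delegations"`
}

// Delegations mirrors the "delegations" stub shown in the issue.
type Delegations struct {
	Keys  map[string]Key `json:"keys"`
	Roles []Role         `json:"roles"`
}

// Key is a TUF public-key object. Fields are declared alphabetically so that
// json.Marshal (no whitespace, declaration order) yields canonical-JSON order.
type Key struct {
	KeyIDHashAlgorithms []string          `json:"keyid_hash_algorithms"`
	KeyType             string            `json:"keytype"`
	KeyVal              map[string]string `json:"keyval"`
	Scheme              string            `json:"scheme"`
}

// Role is one entry of delegations.roles.
type Role struct {
	KeyIDs      []string `json:"keyids"`
	Name        string   `json:"name"`
	Paths       []string `json:"paths"`
	Terminating bool     `json:"terminating"`
	Threshold   int      `json:"threshold"`
}

// KeyID approximates a TUF keyid: hex(sha256(canonical JSON of the key)).
// Assumption for this example; verify against the repository's own keyids.
func KeyID(k Key) (string, error) {
	b, err := json.Marshal(k)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

// AddDelegation appends a terminating delegation named name to t, registers the
// keys under their keyids and derives the paths from the name. A duplicate
// role name or a threshold the supplied keys cannot meet is rejected before t
// is modified, so a failed run leaves the staged metadata untouched.
func AddDelegation(t *Targets, name string, threshold int, pubs []ed25519.PublicKey) error {
	if name == "" {
		return errors.New("delegation name must not be empty")
	}
	if threshold < 1 || threshold > len(pubs) {
		return fmt.Errorf("threshold %d not satisfiable with %d key(s)", threshold, len(pubs))
	}
	for _, r := range t.Delegations.Roles {
		if r.Name == name {
			return fmt.Errorf("delegation %q already exists", name)
		}
	}
	if t.Delegations.Keys == nil {
		t.Delegations.Keys = map[string]Key{}
	}
	ids := make([]string, 0, len(pubs))
	for _, pub := range pubs {
		k := Key{[]string{"sha256", "sha512"}, "ed25519",
			map[string]string{"public": hex.EncodeToString(pub)}, "ed25519"}
		id, err := KeyID(k)
		if err != nil {
			return err
		}
		t.Delegations.Keys[id] = k
		ids = append(ids, id)
	}
	t.Delegations.Roles = append(t.Delegations.Roles, Role{
		KeyIDs: ids, Name: name, Paths: []string{name + "/*"}, Terminating: true, Threshold: threshold,
	})
	return nil
}

// ProofOfPossession is Sig(key_id + nonce): the delegate signs the hex keyid
// concatenated with the nonce. The keyid is always 64 hex characters, so the
// verifier can split the message unambiguously.
func ProofOfPossession(priv ed25519.PrivateKey, keyID, nonce string) []byte {
	return ed25519.Sign(priv, []byte(keyID+nonce))
}

// VerifyProof is the reviewer-side check: the proof posted in the PR must verify
// under the public key registered in the stub, for the nonce the workflow chose.
func VerifyProof(pub ed25519.PublicKey, keyID, nonce string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(keyID+nonce), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed test key pair
	var t Targets
	if err := AddDelegation(&t, "registry.npmjs.org", 1, []ed25519.PublicKey{pub}); err != nil {
		panic(err)
	}
	keyID := t.Delegations.Roles[0].KeyIDs[0]
	sig := ProofOfPossession(priv, keyID, "611") // constructed nonce: draft PR number
	fmt.Println("proof verifies:", VerifyProof(pub, keyID, "611", sig))
	out, _ := json.MarshalIndent(t, "", " ")
	fmt.Println(string(out))
}
```

Running it prints the delegations block in the same shape as the stub above and a verified proof. The checks in AddDelegation are the ones a reviewer of the resulting PR would otherwise have to do by hand: the role name is unique, terminating is forced to true, the paths cannot be chosen independently of the name, and the threshold cannot exceed the number of keys being registered.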

@asraa asraa added the enhancement New feature or request label Jan 25, 2023
@asraa asraa added this to the npm milestone Jan 25, 2023
@kommendorkapten (Member)

Do you want to take on this work or should I?

@asraa (Contributor, Author)

asraa commented Jan 25, 2023

If you can, that would be great!

The only minor nit here is that later this week I will work on changing the flow of our ceremonies to work against a staged repo from a branch. This shouldn't impact the tool, since the tool inputs should be the location of a TUF repository (and shouldn't be doing any git checking out / branch switching). The script, however, will be checking out a branch first.

So maybe starting with the tool creation, and adding e2e tests that we can add the delegation and sign over it?

Also, maybe after committing the repo with the new delegation, can we update the signing key using the same invocation? But feel free to file that as a follow-up issue.

@kommendorkapten kommendorkapten self-assigned this Jan 31, 2023
@kommendorkapten kommendorkapten mentioned this issue Feb 1, 2023
@asraa asraa closed this as completed in #611 Feb 8, 2023