Update Root and Targets #407
Conversation
Signed-off-by: GitHub <noreply@github.com>
Note: Requires #408. TO VERIFY, see https://github.com/sigstore/root-signing/blob/main/VERIFIER.md
Please check any of the following that you can:
One concern about the expiration, otherwise lgtm
I actually see December 27 in targets (3 months)
Same, all verified but I see that targets set to expire in Dec 27 (3 months)
same
"targets": {}
},
"signatures": null
}
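Review bot: `"signatures": null` together with an empty `targets` map leaves this delegated metadata unsigned, so a client that still resolves the delegation has nothing to verify it against; either drop the file together with its reference from the parent metadata, or keep its last signed version so the rollback check on delegation versions still holds.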
Is this correct, to have no signatures to mark a delegation as no longer used? Or should we just not include the delegated metadata?
Given this isn't referenced in the metadata, I assume deleted?
It is deleted! I think go-tuf never gets rid of the file in the store: you still are required to forever persist delegation versions (to prevent rollbacks), and I think that's the reasoning @mnm678 @trishankatdatadog
Not necessarily. You can use the root to rotate the timestamp and/or snapshot keys, which will require clients to reset any previous snapshot metadata (see 5.3.11), and so you can use this opportunity to completely delete this delegation.
}
}
},
"fulcio.crt.pem": {
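Review bot: `fulcio.crt.pem` now appears both as a top-level target and under a nested path; the PR description should state that the duplicate is deliberate so that sigstore-rs (sigstore/sigstore-rs#134) keeps working until its path regexes are updated, and the two entries must carry identical lengths and hashes or clients will disagree on which bytes are the certificate.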
To confirm, this is correct, that we want the targets duplicated under top level and nested under a folder?
I don't want to immediately break sigstore-rs: sigstore/sigstore-rs#134, but with the updated paths we can allow them to migrate and deprecate the old regexes.
I have a feeling I know why the expiration changed: likely due to the reset delegations not passing our custom expiration
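The three checks the reviewers raise in this thread (a retired delegation left with `"signatures": null`, the targets expiry landing on Dec 27 instead of the intended custom window, and target entries duplicated at the top level and under a nested path) as one added Python checker. This is example code, not the root-signing repository's verifier; the sample metadata, its placeholder hashes, the 90-day window and the timestamp format are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample targets metadata (hashes are placeholders, not real
# sigstore values): a retired delegation shape with "signatures": null,
# a Dec 27 expiry, and target entries present both at the top level and
# under a nested directory, one pair of which disagrees.
SAMPLE_TARGETS = json.dumps({
    "signed": {
        "_type": "targets",
        "expires": "2021-12-27T00:00:00Z",
        "targets": {
            "fulcio.crt.pem": {"length": 744, "hashes": {"sha256": "aa" * 32}},
            "fulcio/fulcio.crt.pem": {"length": 744, "hashes": {"sha256": "aa" * 32}},
            "rekor.pub": {"length": 178, "hashes": {"sha256": "bb" * 32}},
            "rekor/rekor.pub": {"length": 178, "hashes": {"sha256": "cc" * 32}},
        },
    },
    "signatures": None,
})

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp format


def _parse_ts(ts):
    return datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)


def check_targets(raw, now_ts, max_days):
    """Return findings (empty list = all checks passed); now_ts uses the
    "expires" format and max_days is the policy's longest expiry window."""
    meta = json.loads(raw)
    findings = []
    # 1. A null or empty signature list means nothing vouches for "signed".
    sigs = meta.get("signatures")
    if not isinstance(sigs, list) or not sigs:
        findings.append("signatures is null or empty: metadata is unsigned")
    # 2. Expiry must be in the future but not beyond the policy window.
    now, expires = _parse_ts(now_ts), _parse_ts(meta["signed"]["expires"])
    if expires <= now:
        findings.append("metadata already expired")
    elif expires - now > timedelta(days=max_days):
        findings.append(f"expiry {expires.date()} exceeds {max_days}-day window")
    # 3. A nested path and its top-level twin must describe the same bytes.
    targets = meta["signed"]["targets"]
    for name, entry in targets.items():
        base = name.rsplit("/", 1)[-1]
        if "/" in name and base in targets and targets[base] != entry:
            findings.append(f"{name} and {base} differ in length or hashes")
    return findings
```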
Initializes a new root and targets