TUF: Target naming for usage #134
Comments
tagging @flavio who worked on the TUF patches.
@asraa sorry for the late reply, this got buried in my notifications and then I forgot about it 🙏 Has this change taken place? I've downloaded the TUF repository using tuftool (which is based on the same set of Rust libraries we use to interact with TUF) and I didn't find any directory inside of it. I found exactly what is being described here under the

To address your questions:

- In theory it should handle also the delegated target, however I see only the contents of the README I linked above. Reminder: I'm not a TUF expert, I might be missing something obvious.
- I think we won't need to do that.
Closing, as far as I can see the change of Sigstore's TUF repository layout never happened.
Description
In the next root-signing, we'll be migrating targets for `fulcio` under a `fulcio` subdirectory, and `rekor` under a `rekor` subdirectory (and keeping old targets for compatibility before we remove them). This change was due to the fact that we had created delegations that were allowed to sign off on any path, but we actually only intend on certain delegations to add/update targets for a certain usage type (e.g. a delegation managing rekor rotations should only sign on the `rekor/**` space). When we do this, fulcio targets will now be found on `fulcio/*` and rekor targets will be found on `rekor/*`. This may simplify some of the expressions for target matching, `SIGSTORE_FULCIO_CERT_TARGET_REGEX` and `SIGSTORE_REKOR_PUB_KEY_TARGET`, since now their regexes are simply `fulcio/*` or `rekor/*`. Old clients may continue to use this for a few months, given that we will continue supporting the top-level targets at their given paths, but we'd like clients to start moving towards retrieving fulcio certs by retrieving all targets under `fulcio/*`.

A few questions:

- Does the `targets()` func retrieve delegated targets? Or just top-level targets? One way to find out is if you find a `revocation.list` returned in the current root. That is a delegated target not listed in the top-level targets.
- When we deprecate the top-level targets (`rekor.pub` and `fulcio*.crt.pem`) in favor of nesting them under subdirectories, will you need to continue to support old clients?