
Add update root.json workflow to Sigstore: Bring-your-own sTUF with TUF blog entry #303

Open
peer-jslater opened this issue Apr 2, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@peer-jslater

Description

The following is a comment I tried adding to the Sigstore: Bring-your-own sTUF with TUF blog entry. However, my comment was not posted to the blog and giscus gave me no feedback as to why. So I'm making an issue here on the docs repo.

My comment

I followed this tutorial as it is still referenced in current documentation (example). The problem I ran into is: what to do when the root key expires the next day.

The 1289 issue is now closed so I expected to be able to update the root and have cosign pick up on the new information but this didn't work.

Solutions I came up with:

  1. Optional: --consistent-snapshot=true instead of false. This updates the targets, snapshots, and timestamps versions when updating root.json.
  2. At the end of this tutorial the user should: rm -rf offline-root/staged/*. This is because when you commit from inside tuf-repository the files staged are deleted and effectively represented in the repository files. However, the files in offline-root/staged are left there and therefore root's version is not incremented on the next tuf gen-key root nor tuf sign root.json. (See: root version increment called during genkey logic).
  3. When updating, run the following subset of the script described in this blog. This includes my recommendation in point 2.
```sh
cd offline-root
    # This is the most recent root file. This will increment the version when adding the next key for the root role.
    cp ../tuf-repository/repository/root.json repository/

    tuf gen-key root
cd ..

cd tuf-repository
    cp ../offline-root/staged/root.json staged/

    tuf gen-key targets
    tuf gen-key snapshot
    tuf gen-key timestamp

    cp staged/root.json ../offline-root/staged/
cd ..

cd offline-root
    tuf sign root.json
    cp staged/root.json ../tuf-repository/staged
cd ..

cd tuf-repository
    cp ../targets/* staged/targets

    tuf add
    tuf snapshot
    tuf timestamp
    tuf commit
cd ..

cd offline-root
    # offline-root is generally dirty. And it could not be committed as the other files (like snapshot and timestamp) are required.
    # upon next usage treat the tuf-repo's root as the correct root.
    rm -rf staged/*
cd ..
```
@peer-jslater peer-jslater added the enhancement New feature or request label Apr 2, 2024
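As an added example (not from the issue author and not go-tuf's or cosign's own code), a keyid-level check of the conditions a TUF client applies before accepting a new root.json as the successor of the one it trusts: version advanced by exactly one, signed by enough of the previous root's keys and of its own keys, and not yet expired. The sample metadata is constructed in go-tuf's root.json shape; signature bytes are not verified here.

```python
import json
from datetime import datetime, timezone

def check_root_rotation(old_root: dict, new_root: dict, now: datetime) -> list:
    """Return the reasons new_root is NOT an acceptable successor of old_root
    under TUF's root-update rules; an empty list means it passes.
    Keyid-level only: signature bytes are not verified here."""
    problems = []
    old, new = old_root["signed"], new_root["signed"]
    if new.get("_type") != "root":
        problems.append("new metadata is not of type root")
    # A stale staged/root.json (the problem in this issue) shows up here:
    # the client requires version N+1, not a re-signed copy of version N.
    if new["version"] != old["version"] + 1:
        problems.append(f"version {new['version']} is not {old['version']} + 1")
    signers = {s["keyid"] for s in new_root["signatures"]}
    # Continuity: enough of the OLD root keys must sign the new root, and
    # the new root must also satisfy its OWN root role threshold.
    for label, meta in (("previous", old), ("new", new)):
        role = meta["roles"]["root"]
        have = len(signers & set(role["keyids"]))
        if have < role["threshold"]:
            problems.append(f"{label} root threshold not met: {have}/{role['threshold']}")
    expires = datetime.fromisoformat(new["expires"].replace("Z", "+00:00"))
    if expires <= now:
        problems.append(f"new root expired at {new['expires']}")
    return problems

# Constructed sample metadata in go-tuf's root.json shape (not real keys).
OLD_ROOT = {
    "signatures": [{"keyid": "key-a", "sig": "constructed"}],
    "signed": {"_type": "root", "version": 1, "expires": "2024-04-03T00:00:00Z",
               "roles": {"root": {"keyids": ["key-a"], "threshold": 1}}},
}
NEW_ROOT = {
    "signatures": [{"keyid": "key-a", "sig": "constructed"},
                   {"keyid": "key-b", "sig": "constructed"}],
    "signed": {"_type": "root", "version": 2, "expires": "2025-04-02T00:00:00Z",
               "roles": {"root": {"keyids": ["key-a", "key-b"], "threshold": 1}}},
}
# The failure mode from the issue: version not incremented, so clients refuse it.
STALE_ROOT = json.loads(json.dumps(NEW_ROOT))
STALE_ROOT["signed"]["version"] = 1
NOW = datetime(2024, 4, 4, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("rotated root:", check_root_rotation(OLD_ROOT, NEW_ROOT, NOW) or "ok")
    print("stale root:  ", check_root_rotation(OLD_ROOT, STALE_ROOT, NOW))
```

Running the check against the staged and committed root.json files before `tuf commit` catches the non-incremented version before cosign does.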