Should trusting/distrusting a key with repo.py bump the version number? #847
Changing keys listed for roles changes the metadata, and therefore must change the version number, yes. The CLI (client.py and repo.py) is pretty simplistic.... repository_tool.py and updater.py have full interfaces that should behave correctly in this regard.
@erickt I will probably need go-tuf myself soon, so happy to help out however I can there...
@trishankatdatadog Great! You can find our fork of go-tuf here, with reviews here. I think I have a working version of go-tuf that is mostly cross compatible with 0.9 and 1.0, but I haven't finished pushing up all my patches yet. I'd love any help with reviews as I land them. Since this is orthogonal to python-tuf, would you like to switch over to email? You can reach me at [email protected].
Closing due to uncertain future of TUF cli. Re-visit with #811.
I noticed that the example "An example of replacing a top-level key" results in a new root.json that is signed with the new key, but the version number is unchanged. Furthermore, the example as described does not appear to conform to the root metadata upgrade process, where the new root metadata is signed by both the old and new root keys:
If this example is not correct, how can repo.py be used to sign with the N and N+1 keys and bump the root version number? At the moment, it appears root.py explicitly disables incrementing the root version number when adding and removing keys, and signing metadata.
Thanks for any help! I'm getting pretty close to getting go-tuf compatible with TUF 1.0, so I'd love any help understanding the semantics I need to implement to get it compatible with python-tuf.
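Added example, not part of the issue thread and not python-tuf or go-tuf code: a sketch of the client-side check that makes the version bump and the cross-signing matter during a root key rotation. The function names and metadata are constructed for illustration, HMAC-SHA256 stands in for real asymmetric signatures, and the "exactly N+1" version rule is taken from the TUF specification's root update step rather than from this thread.

```python
import hashlib, hmac, json

# Constructed signing secrets. HMAC-SHA256 is a stdlib stand-in for the
# asymmetric signatures real TUF metadata carries, so verifying needs the secret.
SECRETS = {"old-key": b"constructed-old", "new-key": b"constructed-new"}

def sign(signed, keyid):
    """Sign the canonical JSON of the 'signed' portion with one key."""
    data = json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()
    return {"keyid": keyid,
            "sig": hmac.new(SECRETS[keyid], data, hashlib.sha256).hexdigest()}

def make_root(version, keyids, signers, threshold=1):
    """Build constructed root metadata listing keyids, signed by signers."""
    signed = {"_type": "root", "version": version,
              "roles": {"root": {"keyids": keyids, "threshold": threshold}}}
    return {"signed": signed, "signatures": [sign(signed, k) for k in signers]}

def valid_signers(metadata, root_signed):
    """Key ids that root_signed authorizes for root and that validly signed metadata."""
    allowed = set(root_signed["roles"]["root"]["keyids"])
    good = set()
    for s in metadata["signatures"]:
        if s["keyid"] in allowed and hmac.compare_digest(
                s["sig"], sign(metadata["signed"], s["keyid"])["sig"]):
            good.add(s["keyid"])
    return good

def check_root_update(trusted, candidate):
    """Return 'ok' or the reason a client would reject the candidate root."""
    old, new = trusted["signed"], candidate["signed"]
    if new["version"] != old["version"] + 1:
        return "version is not trusted version + 1"
    if len(valid_signers(candidate, old)) < old["roles"]["root"]["threshold"]:
        return "missing threshold of old root keys"
    if len(valid_signers(candidate, new)) < new["roles"]["root"]["threshold"]:
        return "missing threshold of new root keys"
    return "ok"

ROOT_V1 = make_root(1, ["old-key"], ["old-key"])
# The outcome described in the issue: new key, unchanged version number.
SAME_VERSION = make_root(1, ["new-key"], ["new-key"])
NEW_KEY_ONLY = make_root(2, ["new-key"], ["new-key"])
CROSS_SIGNED = make_root(2, ["new-key"], ["old-key", "new-key"])

if __name__ == "__main__":
    for name in ("SAME_VERSION", "NEW_KEY_ONLY", "CROSS_SIGNED"):
        print(name, "->", check_root_update(ROOT_V1, globals()[name]))
```

Only the cross-signed version 2 root passes; a root signed solely by the new key gives a client that trusts version 1 no basis for accepting the rotation.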