Closed lukpueh closed 5 months ago
All modified and coverable lines are covered by tests :white_check_mark:
Comparison is base (331e7e7) 100.00% compared to head (d5d915c) 100.00%.
implements option 2 from repository-service-tuf/repository-service-tuf#580
supersedes #427 (does not include a custom "relative file path signer", can be added in a follow-up PR)
--
Change SignerStore.get to load non-cached signers from private key uri configured on the passed public key in a "x-rstuf-online-key-uri" field. If the public key does not include a uri, RSTUF_KEYVAULT_BACKEND is used as fallback.
securesystemslib.signer.CryptoSigner is "registered" to load signers from private key files. No key specific secrets handling is added. This means the keys must be stored unencrypted, preferably using the secrets handling of the deployment platform (e.g. docker secrets).
Default schemes in securesystemslib.signer.SIGNER_FOR_URI_SCHEME can be used but are untested.

Tests
Add test to load actual signer from private key file.
Uses new unencrypted ed25519 private key copied from: secure-systems-lab/securesystemslib@7952c3f
Public key stubs in other tests are updated, because signer store now reads the unrecognized_fields attribute, which is mandatory in Key objects.
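The lookup the PR describes (uri taken from the public key's unrecognized_fields, fallback to RSTUF_KEYVAULT_BACKEND, signers cached per keyid), as an added stdlib-only example that is not the PR's or RSTUF's own code. Only the field name "x-rstuf-online-key-uri" and the RSTUF_KEYVAULT_BACKEND variable come from the description above; the Key dataclass, FileSigner, the "file:" uri layout, the "localdir:<directory>" backend spec and the HMAC-SHA256 "signing" are constructed stand-ins for securesystemslib's Key, CryptoSigner and ed25519. It adds one check a practitioner would want when an unencrypted key file is referenced by name from metadata: the loaded private key is matched against the public key before it is cached, so a mis-pointed uri fails loudly instead of signing with the wrong key.

```python
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Field name from the PR description; everything else below is constructed.
ONLINE_KEY_URI_FIELD = "x-rstuf-online-key-uri"


@dataclass
class Key:
    """Mirror of the public-key fields the store needs. unrecognized_fields is
    where the optional private key uri lives (constructed stand-in for
    securesystemslib's Key)."""
    keyid: str
    keyval: dict
    unrecognized_fields: dict = field(default_factory=dict)


class FileSigner:
    """Stand-in for CryptoSigner loaded from an unencrypted 'file:' uri.
    HMAC-SHA256 replaces ed25519 so the example runs without extra packages;
    the 'public' keyval is the sha256 of the private bytes (constructed)."""

    def __init__(self, private_bytes: bytes):
        self._private = private_bytes

    @classmethod
    def from_priv_key_uri(cls, uri: str, public_key: Key) -> "FileSigner":
        path = urlparse(uri).path
        with open(path, "rb") as f:
            signer = cls(f.read())
        # Refuse to cache a private key that does not belong to the public key.
        if signer.public_fingerprint() != public_key.keyval["public"]:
            raise ValueError(f"key at {uri!r} does not match keyid {public_key.keyid}")
        return signer

    def public_fingerprint(self) -> str:
        return hashlib.sha256(self._private).hexdigest()

    def sign(self, payload: bytes) -> str:
        return hmac.new(self._private, payload, hashlib.sha256).hexdigest()


# Local registry in the spirit of securesystemslib.signer.SIGNER_FOR_URI_SCHEME.
SIGNER_FOR_URI_SCHEME = {"file": FileSigner}


class SignerStore:
    """Caches one signer per keyid; loads from the key's uri, else the vault."""

    def __init__(self):
        self._signers = {}

    def get(self, key: Key):
        if key.keyid in self._signers:
            return self._signers[key.keyid]
        uri = key.unrecognized_fields.get(ONLINE_KEY_URI_FIELD)
        if uri is None:
            signer = self._from_keyvault(key)
        else:
            scheme = urlparse(uri).scheme
            if scheme not in SIGNER_FOR_URI_SCHEME:
                raise ValueError(f"unsupported private key uri scheme {scheme!r}")
            signer = SIGNER_FOR_URI_SCHEME[scheme].from_priv_key_uri(uri, key)
        self._signers[key.keyid] = signer
        return signer

    def _from_keyvault(self, key: Key):
        # Constructed backend spec "localdir:<directory>": key file named by keyid.
        backend = os.environ.get("RSTUF_KEYVAULT_BACKEND")
        if backend is None:
            raise RuntimeError("no key uri on key and RSTUF_KEYVAULT_BACKEND unset")
        kind, _, directory = backend.partition(":")
        if kind != "localdir":
            raise ValueError(f"unknown keyvault backend {kind!r}")
        return FileSigner.from_priv_key_uri(f"file:{os.path.join(directory, key.keyid)}", key)


def demo() -> dict:
    """Constructed run: key_a carries a uri, key_b relies on the vault fallback,
    key_c points its uri at the wrong file and must be rejected."""
    tmp = tempfile.mkdtemp()
    priv_a, priv_b = b"constructed-private-key-a", b"constructed-private-key-b"
    path_a = os.path.join(tmp, "key_a")
    with open(path_a, "wb") as f:
        f.write(priv_a)
    with open(os.path.join(tmp, "keyid-b"), "wb") as f:
        f.write(priv_b)
    fp = lambda p: hashlib.sha256(p).hexdigest()
    key_a = Key("keyid-a", {"public": fp(priv_a)}, {ONLINE_KEY_URI_FIELD: f"file:{path_a}"})
    key_b = Key("keyid-b", {"public": fp(priv_b)})
    key_c = Key("keyid-c", {"public": fp(priv_b)}, {ONLINE_KEY_URI_FIELD: f"file:{path_a}"})
    os.environ["RSTUF_KEYVAULT_BACKEND"] = f"localdir:{tmp}"
    store = SignerStore()
    try:
        store.get(key_c)
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True
    return {
        "sig_a_ok": store.get(key_a).sign(b"p") == hmac.new(priv_a, b"p", hashlib.sha256).hexdigest(),
        "cached": store.get(key_a) is store.get(key_a),
        "sig_b_ok": store.get(key_b).sign(b"p") == hmac.new(priv_b, b"p", hashlib.sha256).hexdigest(),
        "mismatch_rejected": mismatch_rejected,
    }
```

Running demo() exercises all three paths; the unknown-scheme branch raises ValueError before any file is touched, which is the behaviour to keep if more SIGNER_FOR_URI_SCHEME entries are registered later.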