sigstore / docs

Sigstore documentation
https://sigstore.dev
MIT License

Add update root.json workflow to Sigstore: Bring-your-own sTUF with TUF blog entry #303

Open peer-jslater opened 3 months ago

peer-jslater commented 3 months ago

Description

The following is a comment I tried adding to the Sigstore: Bring-your-own sTUF with TUF blog entry. However, my comment was not posted to the blog and giscus gave me no feedback as to why. So I'm making an issue here on the docs repo.

My comment

I followed this tutorial as it is still referenced in current documentation (example). The problem I ran into is: what to do when the root key expires the next day.

The 1289 issue is now closed so I expected to be able to update the root and have cosign pick up on the new information but this didn't work.

Solutions I came up with:

  1. Optional: --consistent-snapshot=true instead of false. This updates the targets, snapshots, and timestamps versions when updating root.json.
  2. At the end of this tutorial the user should: rm -rf offline-root/staged/*. This is because when you commit from inside tuf-repository the files staged are deleted and effectively represented in the repository files. However, the files in offline-root/staged are left there and therefore root's version is not incremented on the next tuf gen-key root nor tuf sign root.json. (See: root version increment called during genkey logic).
  3. When updating, run the following subset of the script described in this blog. This includes my recommendation in point 2.

```bash
cd offline-root
# This is the most recent root file. This will increment the version when adding the next key for the root role.
cp ../tuf-repository/repository/root.json repository/

tuf gen-key root
cd ..

cd tuf-repository
cp ../offline-root/staged/root.json staged/

tuf gen-key targets
tuf gen-key snapshot
tuf gen-key timestamp

cp staged/root.json ../offline-root/staged/

cd ..

cd offline-root
tuf sign root.json
cp staged/root.json ../tuf-repository/staged
cd ..

cd tuf-repository
cp ../targets/* staged/targets

tuf add
tuf snapshot
tuf timestamp
tuf commit

cd ..

cd offline-root

# offline-root is generally dirty. And it could not be committed as the other files (like snapshot and timestamp) are required.

# upon next usage treat the tuf-repo's root as the correct root.
rm -rf staged/*

cd ..
```

