Closed kommendorkapten closed 7 months ago
$ ./verify repository --repository ./repository --staged
STAGED METADATA
Outputting metadata verification at ./repository...
Verifying root.json...
Contains 0/3 valid signatures from the current staged metadata
Contains 0/3 valid signatures from the previous root
root version 9, expires 2024/09/06
Verifying registry.npmjs.org.json...
Success! Signatures valid and threshold achieved
registry.npmjs.org version 3, expires 2024/09/06
Verifying targets.json...
Contains 0/3 valid signatures from the current staged metadata
targets version 9, expires 2024/09/06
$ git status
On branch test-2024-03-06-add-npm-delegation
It's documented in the orchestration doc https://github.com/sigstore/root-signing/blob/main/playbooks/ORCHESTRATION.md#step-4-update-delegations-optional
So in short, it's tud add-delegation ...
and tuf sign -role registry.npmjs.org...
Summary
Updated the npm delegation with new signed metadata. Reviewers: look for
ecdsa
, and this causes a new key id to be computedkeys.json
) should match previous versions (look at the delegation metadata and see that the message digest is the same as before.Release Note
N/A
Documentation
N/A