Closed sigstore-bot closed 3 months ago
I cross-referenced all keys in root.json by looking at each new key id, which PEM-encoded key it referred to, then looking at the previous key id for that key and making sure it was correct; see the README for the details.
```
./verify repository \
    --repository `pwd`/repository \
    --root `pwd`/repository/repository/root.json \
    --targets registry.npmjs.org/keys.json,trusted_root.json
VERIFYING TUF CLIENT UPDATE
Client successfully initialized, updating and downloading targets...
Client updated to...
    root.json version 9, expires 2024/09/12
    timestamp.json version 166, expires 2024/03/20
    snapshot.json version 130, expires 2024/04/03
    targets.json version 9, expires 2024/09/12
Retrieved target registry.npmjs.org/keys.json...
{
  "keys": [
    ...
```
Verify cosign initialization:
```
$ ./cosign initialize --mirror http://localhost:8081 --root /Users/kommendorkapten/git/root-signing/repository/repository/5.root.json
Root status:
{
  "local": "/Users/kommendorkapten/.sigstore/root",
  "remote": "http://localhost:8081",
  "metadata": {
    "root.json": {
      "version": 9,
      "len": 6766,
      "expiration": "12 Sep 24 06:53 UTC",
      "error": ""
    },
    "snapshot.json": {
      "version": 130,
      "len": 2304,
      "expiration": "03 Apr 24 06:41 UTC",
      "error": ""
    },
    "targets.json": {
      "version": 9,
      "len": 5478,
      "expiration": "12 Sep 24 06:13 UTC",
      "error": ""
    },
    "timestamp.json": {
      "version": 166,
      "len": 721,
      "expiration": "20 Mar 24 06:41 UTC",
      "error": ""
    }
  },
  ...
```
And the repository side:
```
kommendorkapten@m1m14:~/git/root-signing/repository/repository % python3 -m http.server 8081
Serving HTTP on :: port 8081 (http://[::]:8081/) ...
::1 - - [13/Mar/2024 08:05:11] "GET /6.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 08:05:11] "GET /7.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 08:05:11] "GET /8.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 08:05:11] "GET /9.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 08:05:11] code 404, message File not found
::1 - - [13/Mar/2024 08:05:11] "GET /10.root.json HTTP/1.1" 404 -
::1 - - [13/Mar/2024 08:05:11] "GET /timestamp.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 08:05:11] "GET /130.snapshot.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 08:05:11] "GET /9.targets.json HTTP/1.1" 200 -
```
I will look into the failing client tests now.
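An added example (not part of this PR or the root-signing repository) of the keyid cross-check the comment describes: it recomputes each declared keyid as the SHA-256 of the key object's canonical JSON, as the TUF specification defines it, and maps every key in the new root back to the keyid the same PEM public key carried in the previous root. The PEM strings and the legacy keyids are constructed placeholders, not sigstore keys.

```python
import hashlib


def canonical_json(obj) -> str:
    """OLPC canonical JSON as used by TUF: sorted keys, no whitespace, only \\ and " escaped."""
    if isinstance(obj, dict):
        return "{" + ",".join(f"{canonical_json(k)}:{canonical_json(v)}" for k, v in sorted(obj.items())) + "}"
    if isinstance(obj, list):
        return "[" + ",".join(canonical_json(x) for x in obj) + "]"
    if isinstance(obj, str):
        return '"' + obj.replace("\\", "\\\\").replace('"', '\\"') + '"'
    if isinstance(obj, bool):  # must precede int: bool is a subclass of int
        return "true" if obj else "false"
    if obj is None:
        return "null"
    if isinstance(obj, int):
        return str(obj)
    raise TypeError(f"unsupported type {type(obj).__name__}")


def keyid_of(key: dict) -> str:
    """TUF keyid: hex SHA-256 digest of the canonical form of the key object."""
    return hashlib.sha256(canonical_json(key).encode()).hexdigest()


def check_declared_keyids(root: dict) -> list:
    """Return declared keyids in root['signed']['keys'] that do not match their key body."""
    return [kid for kid, key in root["signed"]["keys"].items() if keyid_of(key) != kid]


def cross_reference(old_root: dict, new_root: dict) -> dict:
    """Map each new keyid to the keyid the same PEM key had in the previous root (None if the key is new)."""
    old_by_pem = {key["keyval"]["public"]: kid for kid, key in old_root["signed"]["keys"].items()}
    return {kid: old_by_pem.get(key["keyval"]["public"]) for kid, key in new_root["signed"]["keys"].items()}


def ecdsa_key(pem: str) -> dict:
    return {"keytype": "ecdsa-sha2-nistp256", "scheme": "ecdsa-sha2-nistp256", "keyval": {"public": pem}}


# Constructed placeholder keys and roots (not real sigstore material).
PEM_A = "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-KEY-A\n-----END PUBLIC KEY-----\n"
PEM_B = "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-KEY-B\n-----END PUBLIC KEY-----\n"
PEM_C = "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-KEY-C\n-----END PUBLIC KEY-----\n"
KEY_A, KEY_B, KEY_C = ecdsa_key(PEM_A), ecdsa_key(PEM_B), ecdsa_key(PEM_C)
# Previous root: same PEM keys under keyids from an older scheme (constructed ids).
OLD_ROOT = {"signed": {"keys": {"legacy-id-a": KEY_A, "legacy-id-b": KEY_B}}}
# New root: spec-conformant keyids; KEY_C is newly added and has no previous id.
NEW_ROOT = {"signed": {"keys": {keyid_of(k): k for k in (KEY_A, KEY_B, KEY_C)}}}

if __name__ == "__main__":
    print("mismatched keyids in new root:", check_declared_keyids(NEW_ROOT))
    for new_id, old_id in cross_reference(OLD_ROOT, NEW_ROOT).items():
        print(f"{new_id[:12]}... was {old_id or 'not present'} in the previous root")
```

To run it against real metadata, load two consecutive `N.root.json` files with `json.load` and pass the parsed dicts to `check_declared_keyids` and `cross_reference`.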
Sign snapshot and timestamp files