Open jku opened 1 month ago
Do you know if https://github.com/theupdateframework/rust-tuf would be compatible or is maintained more actively?
IIRC they don't have a CLI, so testing would be a bit more work (this specific part of the spec seems to be supported, but that doesn't mean much).
This is something that came up during staging testing: sigstore-rs is not compatible with root-signing-staging, and will not be compatible with root-signing if we proceed with #929 without changes.
I'm filing this so we can decide whether this is a blocker for #929 or not. I would suggest it's not a blocker:
That said, tuf-on-ci could start embedding hashes and lengths if that is really needed.
Related sigstore-rs issue: https://github.com/sigstore/sigstore-rs/issues/369