patflynn
commented
2 years ago Here is a list of follow on items that I need to do:
- [x] Handle upcoming addition of PEM headers to role public keys. (ex)[https://github.com/sigstore/sigstore/compare/main...asraa:sigstore:test-migrate-root?expand=1]
- [x] Implement local store interface to replace direct filesystem read/write
- [x] Implement snapshot update
- [x] Implement timestamp update
- [x] Implement target updates
- [x] move to consistent snapshots
- [ ] add support for creating/managing map.json. I suspect we want to isolate our map.json repos from other clients.
- [ ] API for fetching TUF targets (rekor and fulcio public keys) with meta support for service url -> root mapping. See client design (here)[https://docs.google.com/document/d/1QWBvpwYxOy9njAmd8vpizNQpPti9rd5ugVhji0r3T4c/edit]
- [ ] client should have configurable timeouts
Obviously as we add more resource types we need to refactor. The good news is most of the weirdness in the parsing and verification has been tackled so the rest of the resources should be pretty quick. (famous last words).
vlsi
loosebazooka
Currently we have statically included the Rekor and Fulcio public keys into the library. These keys should be updatable via TUF.