I am trying to create a local sigstore stack and followed the instructions in the article (https://blog.sigstore.dev/sigstore-bring-your-own-stuf-with-tuf-40febfd2badd/), and while doing so I wanted to clarify the following 2 things.

1. Will there be any tlog entries made to the local transparency log (rekor) to audit and monitor the signing of the various role metadata (e.g. targets.json, etc.) by the role-specific keys?

2. In the targets.json and the root.json below, we can see that the targets were signed by the key with a) key id - 1c2f6fcbea657294badc41ce77a492f7adb4f6186b75f5a6453adcd05a3fa162 and b) key val for this in the root.json is - "public": "95c39cb7e7ae8af4a60d5e64ed73527169d15cdba9f2973abc048fbfe5c1577a". Given the c) signature - b6cd8298ca0b33c87e8a36062f3665d4cf0831e3f413902a9d041273cd207e09af48586933fa48ce39f0b9978da53e2a6eedca8c93c4677ef98fd3c5d61a430a in 'targets.json', how can I verify the metadata, e.g. the targets.json, using the key val (b) of the signing key (a) and the signature (c)? Using an openssl command?
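An added example, not from the post above or from sigstore's own tooling, for the second question: a TUF signature covers the canonical JSON of the "signed" object (not the bytes of targets.json on disk), and the hex "public" value in root.json is a raw 32-byte Ed25519 key, so verifying with openssl means rebuilding both inputs. The script below does that and drives `openssl pkeyutl -verify`; it assumes `openssl` 1.1.1 or newer on PATH, and the key and metadata in `demo_roundtrip` are constructed for the demo.

```python
import base64, subprocess, tempfile
from pathlib import Path

# DER SubjectPublicKeyInfo header for Ed25519 (RFC 8410); the raw 32-byte key follows it
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

def canonical_json(obj):
    # OLPC canonical JSON as TUF signs it: sorted keys, no whitespace, only " and \ escaped
    if obj is None or isinstance(obj, bool):
        return "null" if obj is None else str(obj).lower()
    if isinstance(obj, int):
        return str(obj)
    if isinstance(obj, str):
        return '"' + obj.replace("\\", "\\\\").replace('"', '\\"') + '"'
    if isinstance(obj, list):
        return "[" + ",".join(map(canonical_json, obj)) + "]"
    return "{" + ",".join(canonical_json(k) + ":" + canonical_json(v)
                          for k, v in sorted(obj.items())) + "}"

def raw_ed25519_to_pem(pub_hex):
    # Wrap the hex "public" value from root.json so openssl can read it with -pubin
    der = ED25519_SPKI_PREFIX + bytes.fromhex(pub_hex)
    return "-----BEGIN PUBLIC KEY-----\n%s-----END PUBLIC KEY-----\n" % base64.encodebytes(der).decode()

def openssl(*args, **kw):
    return subprocess.run(["openssl", *args], capture_output=True, **kw)

def verify_signed_with_openssl(metadata, keyid, pub_hex):
    # Same as: openssl pkeyutl -verify -pubin -inkey pub.pem -rawin -in signed.cjson -sigfile sig.bin
    sig = next(s["sig"] for s in metadata["signatures"] if s["keyid"] == keyid)
    with tempfile.TemporaryDirectory() as tmp:
        t = Path(tmp)
        (t / "pub.pem").write_text(raw_ed25519_to_pem(pub_hex))
        (t / "signed.cjson").write_bytes(canonical_json(metadata["signed"]).encode())
        (t / "sig.bin").write_bytes(bytes.fromhex(sig))
        return openssl("pkeyutl", "-verify", "-pubin", "-inkey", t / "pub.pem", "-rawin",
                       "-in", t / "signed.cjson", "-sigfile", t / "sig.bin").returncode == 0

def demo_roundtrip():
    # Constructed key and metadata (not the asker's): sign with a fresh openssl Ed25519 key,
    # then verify via the hex-key path above; returns (valid, tampered_valid)
    signed = {"_type": "targets", "spec_version": "1.0", "version": 1,
              "expires": "2030-01-01T00:00:00Z", "targets": {}}
    with tempfile.TemporaryDirectory() as tmp:
        key, body = Path(tmp) / "key.pem", Path(tmp) / "signed.cjson"
        openssl("genpkey", "-algorithm", "ed25519", "-out", key, check=True)
        der = openssl("pkey", "-in", key, "-pubout", "-outform", "DER", check=True).stdout
        body.write_bytes(canonical_json(signed).encode())
        sig = openssl("pkeyutl", "-sign", "-inkey", key, "-rawin", "-in", body, check=True).stdout
    pub_hex = der[-32:].hex()                       # TUF's raw "public" value is the SPKI tail
    metadata = {"signatures": [{"keyid": "constructed-keyid", "sig": sig.hex()}], "signed": signed}
    tampered = {**metadata, "signed": {**signed, "version": 2}}
    return (verify_signed_with_openssl(metadata, "constructed-keyid", pub_hex),
            verify_signed_with_openssl(tampered, "constructed-keyid", pub_hex))
```

To check real metadata, pass the parsed targets.json, the keyid from its "signatures" entry and the matching "public" hex from root.json to `verify_signed_with_openssl`; a failure usually means the file bytes were used instead of the canonical JSON of "signed".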