theupdateframework / specification

The Update Framework specification
https://theupdateframework.github.io/specification/

Does each of the root metadata roles require at least one keyid, and a threshold >= 1? #251

Open erickt opened 1 year ago

erickt commented 1 year ago

In the root.json part of the spec, it states that it is required to have a role defined for root, targets, snapshot, timestamp, and optionally mirror. However, in the section for keyid, it does not explicitly state that each role needs to have at least one keyid. Should it? Presumably we should, otherwise we would allow for unsigned metadata.

Likewise, should we also require that threshold must be greater than or equal to one?

trishankatdatadog commented 1 year ago

Agreed!
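
Added example, not part of the thread and not code from the TUF project: a client-side check for the two constraints proposed in this issue, run over the `roles` object of root metadata before it is trusted. The sample metadata and keyids are constructed, and the two extra checks (threshold not above the number of distinct keyids, every keyid defined in `keys`) are assumptions that go beyond what the issue asks.

```python
# Added example (not TUF project code): validate "roles" in root metadata.
REQUIRED_ROLES = ("root", "targets", "snapshot", "timestamp")  # mirror is optional

# Constructed sample: snapshot lists no keyids, timestamp has threshold 0.
SAMPLE_ROOT = {"signed": {
    "_type": "root",
    "keys": {"k1": {}, "k2": {}},  # placeholder keyids, key bodies omitted
    "roles": {
        "root": {"keyids": ["k1", "k2"], "threshold": 2},
        "targets": {"keyids": ["k1"], "threshold": 1},
        "snapshot": {"keyids": [], "threshold": 1},
        "timestamp": {"keyids": ["k2"], "threshold": 0},
    },
}}


def check_root_roles(root):
    """Return a list of problems found in root["signed"]["roles"]."""
    signed = root.get("signed", {})
    keys = signed.get("keys", {})
    roles = signed.get("roles", {})
    problems = [f"{name}: role missing" for name in REQUIRED_ROLES if name not in roles]
    for name, role in roles.items():
        keyids = role.get("keyids", [])
        threshold = role.get("threshold")
        if not keyids:
            problems.append(f"{name}: no keyids listed")
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(threshold, bool) or not isinstance(threshold, int):
            problems.append(f"{name}: threshold is not an integer")
        elif threshold < 1:
            problems.append(f"{name}: threshold {threshold} is below 1")
        elif keyids and threshold > len(set(keyids)):
            # Assumption beyond the issue: such a threshold can never be met.
            problems.append(f"{name}: threshold {threshold} exceeds distinct keyids")
        for kid in keyids:
            if kid not in keys:  # assumption: every keyid must be defined in "keys"
                problems.append(f"{name}: keyid {kid} is not defined in keys")
    return problems


if __name__ == "__main__":
    for problem in check_root_roles(SAMPLE_ROOT):
        print(problem)
```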