I would like online-sign and build-repository to do more data validation:

* online-sign should check that targets metadata is valid and artifacts are found
  (note that delegated targets may be allowed to be expired)
* build-repository should check that all metadata and artifacts are valid
  * this should include checking that root versions in `root_history/` are valid -- although care needs to be taken since potentially some imported root metadata is not valid according to tuf-on-ci (see e.g. sigstore root-signing)
  * as an additional check could test that the keyids are compliant (since python-tuf does not do that, see #338)

There is a `CIRepository._validate_role()` but that is very focused on the signing event use case: in particular it expects there to be a "previous repository version" (`self.open_prev()` opens that version of a specific metadata) which only makes sense in a signing event.

Possibly we can make a more generic `validate_role()` and a more specific `validate_signing_event_role()` that uses the generic method but does the comparison to previous version as well.
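The following is an added example, not code from tuf-on-ci or python-tuf: a sketch of what a signing-event-agnostic `validate_role()` could check, restricted to the points raised above that python-tuf itself does not cover. It assumes metadata is already parsed into TUF wire-format dicts, leaves cryptographic signature verification to python-tuf (only the structural keyid/threshold check is done here), computes keyids the way the TUF specification defines them (hex SHA-256 of the canonical JSON of the public key), and lets the caller exempt delegated targets from the expiry check. `validate_role`, `compliant_keyid`, `canonical_json` and the `demo` repository are all hypothetical names and constructed data.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def canonical_json(obj) -> bytes:
    """OLPC canonical JSON as TUF uses it for keyids and signing:
    sorted keys, no whitespace, only '"' and '\\' escaped in strings."""
    if obj is None:
        return b"null"
    if obj is True or obj is False:
        return b"true" if obj else b"false"
    if isinstance(obj, int):
        return str(obj).encode()
    if isinstance(obj, str):
        return b'"' + obj.replace("\\", "\\\\").replace('"', '\\"').encode() + b'"'
    if isinstance(obj, (list, tuple)):
        return b"[" + b",".join(canonical_json(x) for x in obj) + b"]"
    if isinstance(obj, dict):
        items = (canonical_json(k) + b":" + canonical_json(v) for k, v in sorted(obj.items()))
        return b"{" + b",".join(items) + b"}"
    raise TypeError(f"not canonicalizable: {type(obj).__name__}")


def compliant_keyid(key: dict) -> str:
    """Keyid per the TUF spec: hex SHA-256 of the canonical JSON of the public key."""
    public = {"keytype": key["keytype"], "scheme": key["scheme"],
              "keyval": {"public": key["keyval"]["public"]}}
    return hashlib.sha256(canonical_json(public)).hexdigest()


def validate_role(md: dict, keys: dict, keyids: list, threshold: int,
                  artifact_dir=None, allow_expired=False, now=None) -> list:
    """Checks that do not need a 'previous repository version'.
    Returns a list of problem strings; an empty list means the role passed."""
    problems, signed = [], md["signed"]

    # keyid compliance: python-tuf accepts whatever keyid the metadata claims
    for keyid in keyids:
        key = keys.get(keyid)
        if key is None:
            problems.append(f"keyid {keyid[:8]} not among the delegator's keys")
        elif keyid != compliant_keyid(key):
            problems.append(f"keyid {keyid[:8]} is not sha256(canonical key)")

    # structural threshold check; cryptographic verification is left to python-tuf
    signers = {s["keyid"] for s in md["signatures"] if s["keyid"] in keyids}
    if len(signers) < threshold:
        problems.append(f"{len(signers)} authorized signature(s), threshold is {threshold}")

    # expiry: the caller may exempt delegated targets
    now = now or datetime.now(timezone.utc)
    expires = datetime.strptime(signed["expires"], "%Y-%m-%dT%H:%M:%SZ")
    if expires.replace(tzinfo=timezone.utc) <= now and not allow_expired:
        problems.append(f"expired at {signed['expires']}")

    # artifacts: every target must exist under artifact_dir with matching length and hashes
    if artifact_dir is not None and signed.get("_type") == "targets":
        root = os.path.abspath(artifact_dir)
        for path, info in signed["targets"].items():
            full = os.path.abspath(os.path.join(root, path))
            if os.path.commonpath([root, full]) != root:  # refuse '../' style targetpaths
                problems.append(f"artifact {path}: path escapes artifact directory")
                continue
            if not os.path.isfile(full):
                problems.append(f"artifact {path}: missing")
                continue
            with open(full, "rb") as f:
                data = f.read()
            if len(data) != info["length"]:
                problems.append(f"artifact {path}: length {len(data)} != {info['length']}")
            for alg, digest in info["hashes"].items():
                if hashlib.new(alg, data).hexdigest() != digest:
                    problems.append(f"artifact {path}: {alg} mismatch")
    return problems


def demo() -> dict:
    """Constructed sample repository (not real keys or artifacts): a valid targets
    role, an expired delegated role, a non-compliant keyid, a missing artifact."""
    pubkey = {"keytype": "ed25519", "scheme": "ed25519", "keyval": {"public": "aa" * 32}}
    good_id, bad_id = compliant_keyid(pubkey), "deadbeef" * 8
    keys = {good_id: pubkey, bad_id: pubkey}
    blob = b"release tarball contents (constructed)\n"

    def targets_md(expires, keyid, extra=None):
        targets = {"release.tar.gz": {"length": len(blob),
                                      "hashes": {"sha256": hashlib.sha256(blob).hexdigest()}}}
        targets.update(extra or {})
        return {"signed": {"_type": "targets", "spec_version": "1.0.31", "version": 1,
                           "expires": expires, "targets": targets},
                "signatures": [{"keyid": keyid, "sig": "00" * 64}]}  # sig not checked here

    with tempfile.TemporaryDirectory() as artifact_dir:
        with open(os.path.join(artifact_dir, "release.tar.gz"), "wb") as f:
            f.write(blob)
        future, past = "2099-01-01T00:00:00Z", "2020-01-01T00:00:00Z"
        absent = {"missing.bin": {"length": 1, "hashes": {"sha256": "00" * 32}}}
        return {
            "targets": validate_role(targets_md(future, good_id), keys, [good_id], 1, artifact_dir),
            "delegated-expired": validate_role(targets_md(past, good_id), keys, [good_id], 1,
                                               artifact_dir, allow_expired=True),
            "bad-keyid": validate_role(targets_md(future, bad_id), keys, [bad_id], 1, artifact_dir),
            "missing-artifact": validate_role(targets_md(future, good_id, absent), keys,
                                              [good_id], 1, artifact_dir),
        }


if __name__ == "__main__":
    for role, problems in demo().items():
        print(role, "OK" if not problems else problems)
```

A signing-event-specific `validate_signing_event_role()` would call this and then add the comparison against the previous version (version number increments, threshold and key changes); the artifact path check above is the one caveat worth keeping even in that generic form, since a targetpath is attacker-influenced input when metadata is imported from elsewhere.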