Closed jku closed 6 days ago
I've been reviewing the code for this: online-sign should just work as there are no checks that online role versions move sequentially. The "blockers" are:
That said, I think we can handle this by just rebasing the signing event PR when the signing event is ready: I think it just works.
I will test this out in a test repo
Wait, I'm actually wrong: We don't need to do anything since the signing-event does not modify online roles* even in the import signing event! So the merge to main should be clean automatically if we don't modify online roles in main... I will still test this but we should be fine
(*) at some point this was not true, and I kept remembering that
> So the merge to main should be clean automatically if we don't modify online roles in main
Right, playing the update through "on paper" this requirement means:
- `repository/repository/` to tuf-on-ci metadata location `metadata/` using prep-import.py script contained in sources: these copies are functionally equivalent but just formatted by different tools
- `repository/repository/` may be updated
- `metadata/`
- signing-event PR then merges cleanly and repo should be 100% correct even if legacy online signing happened
the process in the last comment worked fine
During a repository import there is a scheduling annoyance where the "legacy" repository may still bump timestamp/snapshot while the initial signing event is being constructed. This seems like it sets a tight limit to the initial signing event...
There is a simple solution to this since timestamp/snapshot versions do not have to be sequential (they only have to be increasing): We can just make a significant bump to snapshot and timestamp versions during the import. This ensures a few "legacy updates" won't make the signing event invalid.
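The version-margin idea from the comment above, as an added illustration that is not tuf-on-ci or root-signing code: it models only the TUF client rollback rule (a new timestamp or snapshot version lower than the trusted one is rejected, equal or higher is accepted, sequential is not required), simulates legacy +1 bumps continuing while the import is prepared, and checks whether a client that followed the legacy repository can still update to the imported metadata. The starting versions, the `IMPORT_VERSION_MARGIN` constant and the function names are assumptions made for the example.

```python
"""Added example, not project code: why an import may bump the online
role versions by a large margin. Version numbers are constructed."""
from dataclasses import dataclass

# Assumption: a margin comfortably larger than the number of legacy
# timestamp/snapshot bumps expected while the import signing event is open.
IMPORT_VERSION_MARGIN = 1000


@dataclass(frozen=True)
class OnlineVersions:
    timestamp: int
    snapshot: int


class RollbackError(Exception):
    """Raised when a client would reject metadata as a rollback."""


def client_update(trusted: OnlineVersions, new: OnlineVersions) -> OnlineVersions:
    """TUF client rollback check for timestamp and snapshot: the new version
    must not be lower than the trusted one. Gaps between versions are fine,
    so versions only have to increase, not move sequentially."""
    if new.timestamp < trusted.timestamp:
        raise RollbackError(f"timestamp rollback: {new.timestamp} < {trusted.timestamp}")
    if new.snapshot < trusted.snapshot:
        raise RollbackError(f"snapshot rollback: {new.snapshot} < {trusted.snapshot}")
    return new


def legacy_online_sign(v: OnlineVersions) -> OnlineVersions:
    """One legacy online-signing run: sequential +1 on both roles."""
    return OnlineVersions(v.timestamp + 1, v.snapshot + 1)


def import_versions(legacy: OnlineVersions, margin: int = IMPORT_VERSION_MARGIN) -> OnlineVersions:
    """Versions written into the import signing event: the legacy versions
    seen at import time plus a margin (hypothetical helper)."""
    return OnlineVersions(legacy.timestamp + margin, legacy.snapshot + margin)


def simulate(legacy_bumps_during_import: int, margin: int = IMPORT_VERSION_MARGIN) -> bool:
    """Return True if a client that kept following the legacy repository
    until the signing event merged can still update to the imported metadata."""
    legacy = OnlineVersions(timestamp=100, snapshot=100)  # constructed starting point
    imported = import_versions(legacy, margin)  # versions fixed when the import was prepared
    client = legacy
    for _ in range(legacy_bumps_during_import):
        legacy = legacy_online_sign(legacy)  # legacy repo keeps bumping meanwhile
        client = client_update(client, legacy)  # clients keep following it
    try:
        client_update(client, imported)
        return True
    except RollbackError:
        return False


if __name__ == "__main__":
    # Sequential import versions break after a single legacy bump; a margin survives many.
    print("margin 1, 5 legacy bumps:   ", simulate(5, margin=1))
    print("margin 1000, 5 legacy bumps:", simulate(5, margin=1000))
```

With a margin of 1 (plain sequential bump) any legacy signing run after the import versions are fixed makes the imported metadata look like a rollback to clients; with a large margin the import stays valid until the legacy repository has bumped more than `margin` times, which is the "tight limit" the comment describes, pushed out far enough not to matter.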