theupdateframework / tuf-on-ci

A TUF repository and signing tool

Bump version and resign delegation on signer change #411

Closed kommendorkapten closed 1 month ago

kommendorkapten commented 2 months ago

Observed behaviour:

When a delegation's key is changed, but not the delegated target, the delegation's role metadata file is not resigned. (Only the delegator requires resigning).

Expected behaviour:

Both the delegator and the delegation's metadata are resigned. As the delegation's role metadata is signed with the previous key, it won't be verified properly as that key is not a valid signer in the updated delegator's version.
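
The failure mode reported above, as an added example that is not part of the original issue and is not tuf-on-ci code: a delegated role's signature stops counting toward the threshold once the delegator no longer lists the signing key, until the role's version is bumped and it is re-signed. Assumptions: the role name `role-a`, the key ids, every function name and the simplified metadata layout are hypothetical, and HMAC-SHA256 stands in for a real signature scheme so the block runs on the standard library alone.

```python
import hashlib, hmac, json

# Constructed toy keys. HMAC-SHA256 is a stand-in for a real signature
# scheme (assumption for this example, not how TUF signs metadata).
KEYS = {"old-key": b"constructed-secret-1", "new-key": b"constructed-secret-2"}

def _mac(keyid, signed):
    # Sign/verify over a deterministic encoding of the "signed" part.
    data = json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEYS[keyid], data, hashlib.sha256).hexdigest()

def sign(signed, keyids):
    return {"signed": signed,
            "signatures": [{"keyid": k, "sig": _mac(k, signed)} for k in keyids]}

def valid_signers(delegator, role, md):
    """Key ids whose signature verifies AND that the delegator lists for the role."""
    allowed = set(delegator["delegations"][role]["keyids"])
    return {s["keyid"] for s in md["signatures"]
            if s["keyid"] in allowed                      # key still authorized?
            and hmac.compare_digest(s["sig"], _mac(s["keyid"], md["signed"]))}

def needs_resign(delegator, role, md):
    threshold = delegator["delegations"][role]["threshold"]
    return len(valid_signers(delegator, role, md)) < threshold

def bump_and_resign(delegator, role, md):
    # New version of the role, signed by the delegator's current keys.
    signed = dict(md["signed"], version=md["signed"]["version"] + 1)
    return sign(signed, delegator["delegations"][role]["keyids"])

def demo():
    role_v1 = sign({"_type": "targets", "version": 1}, ["old-key"])
    delegator_v1 = {"delegations": {"role-a": {"keyids": ["old-key"], "threshold": 1}}}
    # Signer change: the delegator now lists only new-key; role-a content is untouched.
    delegator_v2 = {"delegations": {"role-a": {"keyids": ["new-key"], "threshold": 1}}}
    before = needs_resign(delegator_v1, "role-a", role_v1)
    after_change = needs_resign(delegator_v2, "role-a", role_v1)
    role_v2 = bump_and_resign(delegator_v2, "role-a", role_v1)
    after_resign = needs_resign(delegator_v2, "role-a", role_v2)
    return before, after_change, after_resign, role_v2["signed"]["version"]

if __name__ == "__main__":
    print(demo())
```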

jku commented 2 months ago

Let's see what happens in the actual signing events -- I think this might actually mostly work in the actual signing-event pr.

kommendorkapten commented 1 month ago

Duplicate of #95