theupdateframework / tuf-on-ci

A TUF repository and signing tool

repo: Add workaround for sigstore KMS keyid #423

Closed jku closed 2 weeks ago

jku commented 2 weeks ago

The sigstore root-signing online key keyid was entered incorrectly: add a workaround here so there is more time to fix the actual keyid.

Fixes #422

DRAFT while I am not sure of the actual key version

jku commented 2 weeks ago

I don't have the GCP permissions to test this but Bob confirmed the current version is 1.

jku commented 2 weeks ago

There were actually two issues with the key; both appeared because I just copied the similar-looking but not identical format from legacy root-signing:

This is the incorrect legacy format:

    gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp

This is the fixed format:

    gcpkms:projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp/cryptoKeyVersions/1

Here is another key that works on tuf-on-ci for comparison:

    gcpkms:projects/python-tuf-kms/locations/global/keyRings/tuf-demo/cryptoKeys/snapshot/cryptoKeyVersions/1
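As an added example (not code from this PR or from tuf-on-ci), a small checker that tells the two spellings quoted above apart before a keyid lands in signed metadata. It assumes, as the comment implies, that the accepted form is `gcpkms:projects/.../cryptoKeyVersions/<n>` with a mandatory numeric version, and that anything beginning `gcpkms://` is the legacy root-signing form.

```python
import re
from dataclasses import dataclass

# Accepted form, as quoted in the comment above as the "fixed format":
#   gcpkms:projects/<project>/locations/<loc>/keyRings/<ring>/cryptoKeys/<key>/cryptoKeyVersions/<n>
# Assumption: the cryptoKeyVersions segment is mandatory and a positive integer.
GCPKMS_PATTERN = re.compile(
    r"^gcpkms:projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<keyring>[^/]+)/cryptoKeys/(?P<key>[^/]+)"
    r"/cryptoKeyVersions/(?P<version>[1-9][0-9]*)$"
)

@dataclass(frozen=True)
class GcpKmsKeyId:
    project: str
    location: str
    keyring: str
    key: str
    version: int

def parse_gcpkms_keyid(keyid: str) -> GcpKmsKeyId:
    """Parse a gcpkms keyid, rejecting the legacy root-signing spelling."""
    if keyid.startswith("gcpkms://"):
        # Legacy root-signing form: scheme followed by "//" and no key version.
        raise ValueError("legacy 'gcpkms://' prefix; expected 'gcpkms:projects/...'")
    match = GCPKMS_PATTERN.match(keyid)
    if match is None:
        if keyid.startswith("gcpkms:") and "/cryptoKeyVersions/" not in keyid:
            raise ValueError("missing '/cryptoKeyVersions/<n>' suffix")
        raise ValueError(f"not a recognised gcpkms keyid: {keyid!r}")
    return GcpKmsKeyId(
        project=match["project"],
        location=match["location"],
        keyring=match["keyring"],
        key=match["key"],
        version=int(match["version"]),
    )

def keyid_error(keyid: str) -> "str | None":
    """Return why a keyid would be rejected, or None if it parses cleanly."""
    try:
        parse_gcpkms_keyid(keyid)
    except ValueError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    # Constructed input: the legacy URI quoted in the comment above.
    print(keyid_error("gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp"))
```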