
Add update root.json workflow to Sigstore: Bring-your-own sTUF with TUF blog entry #303

Open

@peer-jslater

Description

The following is a comment I tried adding to the Sigstore: Bring-your-own sTUF with TUF blog entry. However, my comment was not posted to the blog and giscus gave me no feedback as to why. So I'm making an issue here on the docs repo.

My comment

I followed this tutorial as it is still referenced in current documentation (example). The problem I ran into is: what to do when the root key expires the next day.

The 1289 issue is now closed, so I expected to be able to update the root and have cosign pick up on the new information, but this didn't work.

Solutions I came up with:

  1. Optional: --consistent-snapshot=true instead of false. This updates the targets, snapshots, and timestamps versions when updating root.json.
  2. At the end of this tutorial the user should: rm -rf offline-root/staged/*. This is because when you commit from inside tuf-repository the files staged are deleted and effectively represented in the repository files. However, the files in offline-root/staged are left there and therefore root's version is not incremented on the next tuf gen-key root nor tuf sign root.json. (See: root version increment called during genkey logic).
  3. When updating, run the following subset of the script described in this blog. This includes my recommendation in point 2.
```bash
# Rotate the root key and re-sign the repository, reusing the two working
# directories from the blog post: offline-root (root keys, kept offline) and
# tuf-repository (online roles: targets, snapshot, timestamp).
set -e

cd offline-root
    # This is the most recent root file. This will increment the version when adding the next key for the root role.
    cp ../tuf-repository/repository/root.json repository/

    tuf gen-key root
cd ..

cd tuf-repository
    # Bring the staged root (version incremented, new root key listed) online.
    cp ../offline-root/staged/root.json staged/

    # Rotate the online role keys; each command updates the staged root.json.
    tuf gen-key targets
    tuf gen-key snapshot
    tuf gen-key timestamp

    # Hand the updated root back to the offline side for signing.
    cp staged/root.json ../offline-root/staged/
cd ..

cd offline-root
    # Sign root.json with the root keys in offline-root, then return it.
    tuf sign root.json
    cp staged/root.json ../tuf-repository/staged/
cd ..

cd tuf-repository
    # Stage the target files, then regenerate the lower roles and publish.
    cp ../targets/* staged/targets/

    tuf add
    tuf snapshot
    tuf timestamp
    tuf commit
cd ..

cd offline-root
    # offline-root is generally dirty, and it could not be committed as the other files (like snapshot and timestamp) are required.
    # Upon next usage, treat the tuf-repo's root as the correct root.
    rm -rf staged/*
cd ..
```
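A pre-publish check for the rotated root, as an added example that is not part of the issue above or of go-tuf: it encodes the rules a TUF client applies when it walks from the root it already trusts to the next one (version increases by exactly one, the new root is not expired, and its signatures reference enough keyids to meet the old root's threshold and the new root's threshold). It compares keyids only and does not verify the signatures themselves, so a clean result means the structure allows the rotation, not that the signatures are valid. The root.json objects, the placeholder keyids and the fixed clock are constructed for the example; the file paths in the usage branch are the ones used in the procedure above.

```python
"""Sanity-check a rotated root.json before publishing it (added example)."""
import copy
import json
from datetime import datetime, timezone


def load_root(path):
    """Load a go-tuf style root.json ({"signatures": [...], "signed": {...}})."""
    with open(path) as f:
        return json.load(f)


def _root_role(root):
    return root["signed"]["roles"]["root"]


def check_root_rotation(old_root, new_root, now=None):
    """Return a list of problems; an empty list means the rotation looks publishable."""
    now = now or datetime.now(timezone.utc)
    old, new = old_root["signed"], new_root["signed"]
    problems = []

    if new.get("_type") != "root":
        problems.append("new file is not root metadata")

    # Clients only accept root N+1 after root N. A stale offline-root/staged
    # directory (point 2 in the issue) leaves the version unchanged.
    if new["version"] != old["version"] + 1:
        problems.append(
            f"version must go {old['version']} -> {old['version'] + 1}, got {new['version']}"
        )

    # go-tuf writes RFC 3339 timestamps without fractional seconds.
    expires = datetime.strptime(new["expires"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if expires <= now:
        problems.append(f"new root is already expired ({new['expires']})")

    old_keys = set(_root_role(old_root)["keyids"])
    new_keys = set(_root_role(new_root)["keyids"])
    undefined = new_keys - set(new["keys"])
    if undefined:
        problems.append(f"root role references keyids not in 'keys': {sorted(undefined)}")

    # Keyid coverage only; cryptographic verification is left to the client.
    signed_by = {s["keyid"] for s in new_root["signatures"]}
    if len(signed_by & old_keys) < _root_role(old_root)["threshold"]:
        problems.append("not enough signatures from the previous root's keys (clients will reject the rotation)")
    if len(signed_by & new_keys) < _root_role(new_root)["threshold"]:
        problems.append("not enough signatures from the new root's own keys")
    return problems


# Constructed fixtures: keyids are placeholders, not real key digests, and only
# the root role is filled in because that is all the check reads.
def _key(keyid):
    return {"keytype": "ed25519", "scheme": "ed25519", "keyval": {"public": f"<pub-{keyid}>"}}


OLD_ROOT = {
    "signatures": [{"keyid": "k-old-0001", "sig": "<sig>"}],
    "signed": {
        "_type": "root", "spec_version": "1.0", "consistent_snapshot": False,
        "version": 1, "expires": "2024-06-02T00:00:00Z",
        "keys": {"k-old-0001": _key("k-old-0001")},
        "roles": {"root": {"keyids": ["k-old-0001"], "threshold": 1}},
    },
}

# What a correct `tuf gen-key root` + `tuf sign root.json` round should yield:
# version 2, both root keys listed, signatures from both.
NEW_ROOT_OK = copy.deepcopy(OLD_ROOT)
NEW_ROOT_OK["signed"].update(version=2, expires="2035-01-01T00:00:00Z")
NEW_ROOT_OK["signed"]["keys"]["k-new-0002"] = _key("k-new-0002")
NEW_ROOT_OK["signed"]["roles"]["root"]["keyids"] = ["k-old-0001", "k-new-0002"]
NEW_ROOT_OK["signatures"] = [{"keyid": "k-old-0001", "sig": "<sig>"},
                             {"keyid": "k-new-0002", "sig": "<sig>"}]

# The symptom from the issue: stale offline-root/staged, so the version never moved.
NEW_ROOT_STALE_STAGED = copy.deepcopy(NEW_ROOT_OK)
NEW_ROOT_STALE_STAGED["signed"]["version"] = 1

# Signed only by the new key: fine for fresh clients, rejected by clients
# that still trust OLD_ROOT.
NEW_ROOT_NO_OLD_SIG = copy.deepcopy(NEW_ROOT_OK)
NEW_ROOT_NO_OLD_SIG["signatures"] = [{"keyid": "k-new-0002", "sig": "<sig>"}]

# Fixed clock so the demo is reproducible (OLD_ROOT expires the next day).
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # e.g. tuf-repository/repository/root.json offline-root/staged/root.json
        problems = check_root_rotation(load_root(sys.argv[1]), load_root(sys.argv[2]))
    else:
        problems = check_root_rotation(OLD_ROOT, NEW_ROOT_STALE_STAGED, now=DEMO_NOW)
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

Run it with the published root and the freshly signed staged root before `tuf commit`; a non-zero exit means a client holding the old root would not follow the rotation, which is exactly the situation the stale staged directory produces.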

Labels: enhancement (New feature or request)