The CLI currently has a gen-key method and a revoke-key method, but not an add-key method. This makes it hard for users with external keys, for example KMS or otherwise managed key services, to add their keys to the root.json. Whilst it can be done with json manipulation, it would be much nicer if the tuf cli supported it natively to avoid mistakes or misconfiguration.
I propose the following
    tuf add-key <role>
      --keytype        # e.g. "rsa"
      --public-value   # The value of the public key
      --scheme         # e.g. "rsassa-pss-sha256"
    # Returns the key-id
This will then add the key to the root.json in both the keys and the roles fields with the correct hashed key id, and will return a key id which can then be used in subsequent signing requests.
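The key ID and root.json update described in the proposal, as an added example that is not go-tuf's own code. It assumes the key ID is the hex SHA-256 digest of the key object's canonical JSON with no `keyid_hash_algorithms` member; `canonicalKey`, `addKey` and the sample root.json and PEM body are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// canonicalKey renders the key object as canonical JSON: sorted members, no
// whitespace, only `\` and `"` escaped. encoding/json would write a PEM key's
// newlines as `\n`, which changes the hash and therefore the key ID.
func canonicalKey(keytype, scheme, public string) string {
	q := strings.NewReplacer(`\`, `\\`, `"`, `\"`).Replace
	return `{"keytype":"` + q(keytype) + `","keyval":{"public":"` + q(public) +
		`"},"scheme":"` + q(scheme) + `"}`
}

// addKey registers the key under signed.keys and lists its ID for the role.
func addKey(root []byte, role, keytype, scheme, public string) ([]byte, string, error) {
	var doc map[string]any
	if err := json.Unmarshal(root, &doc); err != nil {
		return nil, "", err
	}
	signed, _ := doc["signed"].(map[string]any)
	keys, _ := signed["keys"].(map[string]any)
	roles, _ := signed["roles"].(map[string]any)
	r, ok := roles[role].(map[string]any)
	if keys == nil || !ok { // refuse to invent a keys map or an unknown role
		return nil, "", fmt.Errorf("root.json has no keys map or no role %q", role)
	}
	id := fmt.Sprintf("%x", sha256.Sum256([]byte(canonicalKey(keytype, scheme, public))))
	keys[id] = map[string]any{"keytype": keytype, "scheme": scheme, "keyval": map[string]any{"public": public}}
	ids, _ := r["keyids"].([]any)
	found := false
	for _, v := range ids {
		found = found || v == id // adding the same key twice must not duplicate it
	}
	if !found {
		r["keyids"] = append(ids, id)
	}
	out, err := json.Marshal(doc)
	return out, id, err
}

func main() { // constructed input: empty root role, placeholder PEM body
	root := `{"signatures":[],"signed":{"keys":{},"roles":{"root":{"keyids":[],"threshold":1}}}}`
	out, id, err := addKey([]byte(root), "root", "rsa", "rsassa-pss-sha256", "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n-----END PUBLIC KEY-----\n")
	fmt.Println(id, string(out), err)
}
```

Changing `signed` invalidates the signatures already on root.json, so the file has to be re-signed before it is published.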
This was partly in response to #525 (comment) where adding a KMS key required the use of tuftool rather than being able to be done entirely with go-tuf
* 528 Add-Key to a role
Introduces the add-key command
Signed-off-by: Edward Brough <[email protected]>
* Make sure error message ends with a newline
Signed-off-by: Fredrik Skogman <[email protected]>
---------
Signed-off-by: Edward Brough <[email protected]>
Signed-off-by: Fredrik Skogman <[email protected]>
Co-authored-by: Fredrik Skogman <[email protected]>