feat: Implement TAP-12 support #310
quick comment: could you remove the contributing.md commit?
D'oh, thought I rebased. Thanks, done!
Thanks!
Signed-off-by: Zachary Newman <[email protected]>
@mnm678 ping
Main changes:
- allow IDs that aren't the SHA2 of the public key
- but disallow multiple distinct keys with the same ID
- test for TAP-12 compliance
- Adding keys should disallow different keys with the same ID, but allow everything else
- Verification should ensure that we have unique keys for each signature

Fixes theupdateframework#232.

Signed-off-by: Zachary Newman <[email protected]>
Hoist by my own petard (#308)! No changes other than DCO and rebasing, but I need fresh approvals.
@znewman01 @rdimitrov I'm having trouble updating go-tuf in my library, because of a transitive dependency from rekor to v0.3.0 here. This removed
Fixes #232
Release Notes: Add support for repositories that implement TAP-12 (allowing arbitrary key IDs). go-tuf itself will continue to emit pre-TAP-12-compliant key IDs.
Description of the changes being introduced by the pull request:
Allows arbitrary key IDs in repos that we read, per TAP-12. (We will still only produce key IDs that are the SHA2 of the public key.)
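The two rules from the commit message above (accept arbitrary key IDs but never bind one ID to two distinct keys, and count distinct keys rather than distinct IDs when verifying), as an added sketch that is not code from this pull request or from go-tuf. `Signature`, `KeyDB`, `AddKey`, `ValidKeys` and `demo` are hypothetical names, Ed25519 is an assumed key type, and the keys and message are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

type Signature struct {
	KeyID string // ID claimed by the signer; any string under TAP-12
	Sig   []byte
}

// KeyDB maps arbitrary key IDs to public keys (hypothetical type, not go-tuf's).
type KeyDB map[string]ed25519.PublicKey

// AddKey accepts any ID string but never binds one ID to two distinct keys.
func (db KeyDB) AddKey(id string, pub ed25519.PublicKey) error {
	if old, ok := db[id]; ok && !bytes.Equal(old, pub) {
		return fmt.Errorf("key ID %q is already bound to a different key", id)
	}
	db[id] = pub
	return nil
}

// ValidKeys counts distinct public keys, not distinct IDs, that signed msg.
func (db KeyDB) ValidKeys(msg []byte, sigs []Signature) int {
	seen := map[string]bool{}
	for _, s := range sigs {
		if pub, ok := db[s.KeyID]; ok && ed25519.Verify(pub, msg, s.Sig) {
			seen[string(pub)] = true // one key under two IDs counts once
		}
	}
	return len(seen)
}

// demo uses constructed keys: a colliding ID is rejected, an aliased key counts once.
func demo() (rejected bool, distinct int) {
	pubA, privA, _ := ed25519.GenerateKey(nil)
	pubB, _, _ := ed25519.GenerateKey(nil)
	db, msg := KeyDB{}, []byte("constructed metadata")
	db.AddKey("root-1", pubA)
	db.AddKey("alias", pubA) // same key, second ID: allowed
	sig := ed25519.Sign(privA, msg)
	rejected = db.AddKey("root-1", pubB) != nil // different key, same ID
	return rejected, db.ValidKeys(msg, []Signature{{"root-1", sig}, {"alias", sig}})
}

func main() { fmt.Println(demo()) }
```

A verifier that counted key IDs instead of keys would report two valid signers here and could let a single key holder satisfy a threshold of two.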