repository-service-tuf / repository-service-tuf

Umbrella Repository Service for TUF

Feature: support online and offline key(s) for targets metadata role

MVrachev opened this issue · comments

What is the feature about?

We have decided that all metadata roles except root will use the same online key (see the references below).
That is what is done in PEP 458 design and the use case of Warehouse and we want to support it.
On the other hand, we had discussions with in-toto where they mentioned that they want to use RSTUF, but they want their targets key to be offline.

For now, we have decided that we will focus on the Warehouse case and we can figure out if we still want to propose offline targets key as an option in the future.

However, in a meeting today with @kairoaraujo we came up with a proposal on how to support both scenarios when targets role uses the same online key as the other roles and when it uses multiple offline keys.
We can do that by introducing a new flag that we can call (we can change the name): targets_online_key.
This flag will be True by default and will be used to define whether we should use the same online key for the targets role.
If its value is False we will expect that the user will provide a whole targets metadata file content as described in the TUF spec.

In order to implement this feature the tasks we envision are:

  1. support targets_online_key flag in RSTUF API and RSTUF worker
  2. make sure that RSTUF worker validates the given targets metadata information by:
     • load Metadata[Targets] class instance (this will verify the metadata information)
     • verify that the keys used to sign the targets metadata role are part of the keys defined for the targets role by root
  3. add targets_online_key as an option in the RSTUF CLI

We think that steps 1 and 2 are the important ones and that step 3 could be a little tricky as it will require adding new questions for targets if the user wants to use an offline key.

Services it relates to

repository-service-for-tuf-cli, repository-service-for-tuf-api, repository-service-for-tuf-worker

Related tasks

Code of Conduct

  • I agree to follow this project's Code of Conduct
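The worker-side behaviour proposed above (the targets_online_key flag and the step-2 checks), as an added example that is not RSTUF's own code. It works on TUF's JSON metadata layout with constructed, placeholder keyids and only does the structural part of the check (signing keyids are among root's targets keyids and the threshold is met); cryptographic signature verification is left to python-tuf's Metadata[Targets] and root.verify_delegate in the real worker.

```python
from typing import Optional

# Constructed sample metadata in TUF's JSON layout (keyids and signature values
# are placeholders, not real keys). Only the fields the checks need are present.
SAMPLE_ROOT = {
    "signed": {
        "_type": "root",
        "roles": {
            "targets": {"keyids": ["key-a", "key-b", "key-c"], "threshold": 2},
        },
    }
}
SAMPLE_TARGETS = {
    "signatures": [
        {"keyid": "key-a", "sig": "<placeholder>"},
        {"keyid": "key-b", "sig": "<placeholder>"},
    ],
    "signed": {"_type": "targets", "version": 1, "targets": {}},
}


def validate_offline_targets(root: dict, targets_md: dict) -> tuple[bool, str]:
    """Structural checks from step 2 of the issue: the file must be targets
    metadata, every signing keyid must be one that root assigns to the targets
    role, and the number of distinct authorised signers must reach root's
    threshold. Signature bytes are not verified here (that is Metadata[Targets]
    plus root.verify_delegate in python-tuf)."""
    signed = targets_md.get("signed", {})
    if signed.get("_type") != "targets":
        return False, "not a targets metadata file"
    role = root["signed"]["roles"]["targets"]
    allowed = set(role["keyids"])
    signers = {s["keyid"] for s in targets_md.get("signatures", [])}
    foreign = signers - allowed
    if foreign:
        return False, f"signed by keys root does not assign to targets: {sorted(foreign)}"
    if len(signers) < role["threshold"]:
        return False, f"{len(signers)} signature(s), root requires {role['threshold']}"
    return True, "ok"


def accept_targets(targets_online_key: bool, root: dict,
                   targets_md: Optional[dict] = None) -> tuple[bool, str]:
    """Proposed flag semantics: True (default) means the worker signs targets
    with the shared online key and expects no user-supplied file; False means a
    complete targets metadata file is required and must pass validation."""
    if targets_online_key:
        return True, "targets signed with the shared online key"
    if targets_md is None:
        return False, "targets_online_key=False requires a targets metadata file"
    return validate_offline_targets(root, targets_md)
```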

> That is what is done in PEP 458 design and the use case of Warehouse and we want to support it.
> On the other hand, we had discussions with in-toto where they mentioned that they want to use RSTUF, but they want their targets key to be offline.

It is also required for implementing PEP 480 (Warehouse/PyPI) support in RSTUF.

Awesome description @MVrachev

Related feature:

  • #23
    This feature lets users change the metadata settings, keys, and signatures.
  • #327
    This feature enables asynchronous and distributed signing for the Targets Metadata

The above features could even let the user switch Targets to online or offline keys.