Feature: support online and offline key(s) for targets metadata role
MVrachev opened this issue
What is the feature about?
We have decided that all metadata roles except root will use the same online key (see the references below).
That is what is done in the PEP 458 design and the use case of Warehouse, and we want to support it.
On the other hand, we had discussions with in-toto where they mentioned that they want to use RSTUF, but they want their targets key to be offline.
For now, we have decided that we will focus on the Warehouse case, and we can figure out in the future whether we still want to propose an offline targets key as an option.
However, in a meeting today with @kairoaraujo we came up with a proposal on how to support both scenarios: when the targets role uses the same online key as the other roles, and when it uses multiple offline keys.
We can do that by introducing a new flag that we can call (the name can change) targets_online_key.
This flag will be True by default and will be used to define whether we should use the same online key for the targets role.
If its value is False, we will expect the user to provide the whole targets metadata file content, as described in the TUF spec.
In order to implement this feature, the tasks we envision are:
1. support the targets_online_key flag in the RSTUF API and the RSTUF worker
2. make sure that the RSTUF worker validates the given targets metadata information by:
   - loading a Metadata[Targets] class instance (this will verify the metadata information)
   - verifying that the keys used to sign the targets metadata role are part of the keys defined for the targets role by root
3. add targets_online_key as an option in the RSTUF CLI
We think that steps 1 and 2 are the important ones, and that step 3 could be a little tricky, as it will require adding new questions for targets if the user wants to use an offline key.
Services it relates to
repository-service-for-tuf-cli, repository-service-for-tuf-api, repository-service-for-tuf-worker
Related tasks
Code of Conduct
- I agree to follow this project's Code of Conduct
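The worker-side checks from tasks 1 and 2 of the issue, as an added example that is not RSTUF's own code: the flag gate (using the name targets_online_key exactly as proposed above), a structural check standing in for what loading Metadata[Targets] would enforce, and the signer check against the keys root lists for the targets role, with a threshold. Root and targets are plain TUF-shaped dicts, and signature verification is a callback; the constructed sample keys use an HMAC-SHA256 stand-in scheme (an assumption made so the file runs with the standard library only), where a real deployment would verify ed25519 or RSA signatures through python-tuf.

```python
"""Worker-side acceptance of targets metadata under the proposed flag. Added
example, not RSTUF code; plain-dict TUF JSON and a pluggable signature check."""
import hashlib, hmac, json
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Optional

Verifier = Callable[[Dict[str, Any], bytes, str], bool]  # (key, payload, sig)

class TargetsValidationError(Exception):
    """Raised when user-supplied targets metadata must be rejected."""

def canonical(signed: Dict[str, Any]) -> bytes:
    # Stand-in for the OLPC canonical JSON python-tuf signs over (assumption).
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def validate_targets_structure(md: Dict[str, Any], now: datetime) -> None:
    """Step 1 of the issue: a subset of what Metadata[Targets] checks on load."""
    signed = md.get("signed")
    if not isinstance(signed, dict) or signed.get("_type") != "targets":
        raise TargetsValidationError("not a targets metadata document")
    if not isinstance(md.get("signatures"), list) or not md["signatures"]:
        raise TargetsValidationError("targets metadata carries no signatures")
    if any(f not in signed for f in ("spec_version", "version", "expires", "targets")):
        raise TargetsValidationError("targets metadata lacks a required field")
    expires = datetime.strptime(signed["expires"], "%Y-%m-%dT%H:%M:%SZ")
    if expires.replace(tzinfo=timezone.utc) <= now:
        raise TargetsValidationError("targets metadata is already expired")
    for path, info in signed["targets"].items():
        if not isinstance(info.get("length"), int) or not info.get("hashes"):
            raise TargetsValidationError(f"target {path} lacks length/hashes")

def verify_targets_signers(root_signed: Dict[str, Any], targets_md: Dict[str, Any],
                           verify: Verifier) -> int:
    """Step 2 of the issue: signers must be root's targets keys, threshold met."""
    role = root_signed["roles"]["targets"]
    payload = canonical(targets_md["signed"])
    verified = set()  # a set, so two signatures by one key count once
    for sig in targets_md["signatures"]:
        keyid = sig["keyid"]
        if keyid not in role["keyids"]:
            # The online key (or any foreign key) on an offline-signed targets
            # file is a policy violation, so reject it rather than ignore it.
            raise TargetsValidationError(f"key {keyid} is not a targets key in root")
        if verify(root_signed["keys"][keyid], payload, sig["sig"]):
            verified.add(keyid)
    if len(verified) < role["threshold"]:
        raise TargetsValidationError(
            f"{len(verified)} valid signature(s) < threshold {role['threshold']}")
    return len(verified)

def accept_targets(settings: Dict[str, Any], root_signed: Dict[str, Any],
                   targets_md: Optional[Dict[str, Any]], verify: Verifier, now: datetime) -> str:
    """Gate on the proposed flag; returns the task outcome as a message."""
    if settings.get("targets_online_key", True):
        return "sign targets with online key"  # the worker builds targets itself
    try:
        if targets_md is None:
            raise TargetsValidationError("targets_online_key=False needs targets metadata")
        validate_targets_structure(targets_md, now)
        n = verify_targets_signers(root_signed, targets_md, verify)
    except TargetsValidationError as exc:
        return f"rejected: {exc}"
    return f"accepted offline-signed targets ({n} signatures)"

def hmac_sign(key: Dict[str, Any], payload: bytes) -> str:
    # Constructed stand-in scheme: HMAC-SHA256 keyed by keyval.public replaces
    # ed25519/RSA so the sample runs offline (assumption, not real TUF keys).
    return hmac.new(key["keyval"]["public"].encode(), payload, hashlib.sha256).hexdigest()

def hmac_verify(key: Dict[str, Any], payload: bytes, sig: str) -> bool:
    return hmac.compare_digest(hmac_sign(key, payload), sig)

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample
SAMPLE_KEYS = {k: {"keytype": "hmac-demo", "scheme": "hmac-sha256", "keyval": {"public": "secret-" + k}}
               for k in ("root-1", "offline-a", "offline-b", "online-1")}
SAMPLE_ROOT_SIGNED = {
    "_type": "root", "spec_version": "1.0.31", "version": 1,
    "expires": "2030-01-01T00:00:00Z", "keys": SAMPLE_KEYS,
    "roles": {"root": {"keyids": ["root-1"], "threshold": 1},
              "targets": {"keyids": ["offline-a", "offline-b"], "threshold": 2},
              "snapshot": {"keyids": ["online-1"], "threshold": 1},
              "timestamp": {"keyids": ["online-1"], "threshold": 1}}}

def make_targets(signers: List[str], expires: str = "2030-01-01T00:00:00Z",
                 tamper: bool = False) -> Dict[str, Any]:
    """Constructed targets.json signed by sample keys; tamper edits it after signing."""
    signed = {"_type": "targets", "spec_version": "1.0.31", "version": 1, "expires": expires,
              "targets": {"pkg-1.0.tar.gz": {"length": 1024, "hashes": {"sha256": "00" * 32}}}}
    sigs = [{"keyid": k, "sig": hmac_sign(SAMPLE_KEYS[k], canonical(signed))} for k in signers]
    if tamper:
        signed["version"] = 2
    return {"signed": signed, "signatures": sigs}

if __name__ == "__main__":
    for ids in (["offline-a", "offline-b"], ["offline-a"], ["online-1"]):
        print(ids, "->", accept_targets({"targets_online_key": False}, SAMPLE_ROOT_SIGNED,
                                        make_targets(ids), hmac_verify, NOW))
```

Two design points worth noting. First, the signer set is deduplicated by keyid, so a file carrying the same offline signature twice still counts as one toward the threshold. Second, python-tuf's verify_delegate() only counts signatures from the keyids listed for the role and silently ignores any others; the explicit membership check here is the stricter reading of step 2, which turns a targets file signed with the online key (or an unknown key) into a hard rejection rather than a surplus signature.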
> That is what is done in PEP 458 design and the use case of Warehouse and we want to support it.
> On the other hand, we had discussions with in-toto where they mentioned that they want to use RSTUF, but they want their targets key to be offline.

It is also required for implementing PEP 480 (Warehouse/PyPI) support in RSTUF.
Awesome description @MVrachev