bump: update go-tuf to pull in compatibility fix #672

Merged
merged 1 commit into from Sep 8, 2022

@asraa asraa commented Sep 7, 2022

Signed-off-by: Asra Ali asraa@google.com

Summary

  • This updated go-tuf to allow support for PEM-encoded ECDSA keys, but includes a deprecated pkg to continue to support hex-encoded ECDSA keys as used in our root for a migration period.

Release Note

  • feat: Add support for verifying ECDSA PEM-encoded keys. Continues deprecated hex-encoded keys for backwards compat.

Documentation

Signed-off-by: Asra Ali <asraa@google.com>

asraa commented Sep 7, 2022

@dlorenc @bobcallaway @trevrosen @SantiagoTorres @lukehinds

TSC members & @cpanato: this bump will allow us to migrate to PEM-encoded TUF-compliant ECDSA keys while allowing backwards compat for hex-encoded keys. Ideally a release for this would be great, so I can bump cosign, and we can include it in any next major and patch releases. It is critical clients pick this up with bumping cosign deps in the next 3 weeks so we can get TUF root compliance and compatibility.

I can create backport patches for cosign clients as well.
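
The two key encodings discussed in this pull request, as an added example that is not code from the PR or from go-tuf: a standard-library parser that accepts a PEM-encoded ECDSA P-256 public key and falls back to the hex form. `parseECDSAPublic` and `sampleEncodings` are hypothetical names, and the hex layout (the uncompressed point `04||X||Y`) is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
)

// parseECDSAPublic (hypothetical helper, not go-tuf's API) accepts a key
// string in either encoding and reports which encoding it was.
func parseECDSAPublic(public string) (*ecdsa.PublicKey, string, error) {
	if block, _ := pem.Decode([]byte(public)); block != nil { // PEM-wrapped PKIX
		k, err := x509.ParsePKIXPublicKey(block.Bytes)
		pub, ok := k.(*ecdsa.PublicKey)
		if err != nil || !ok || pub.Params().Name != "P-256" {
			return nil, "", fmt.Errorf("not a PKIX ECDSA P-256 key (parse error: %v)", err)
		}
		return pub, "pem", nil
	}
	// Deprecated form (assumed layout): hex of the uncompressed point 04||X||Y.
	raw, err := hex.DecodeString(public)
	if err != nil {
		return nil, "", fmt.Errorf("neither PEM nor hex: %w", err)
	}
	x, y := elliptic.Unmarshal(elliptic.P256(), raw) // nil X: malformed or off-curve
	if x == nil {
		return nil, "", fmt.Errorf("invalid P-256 point")
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, "hex", nil
}

// sampleEncodings renders one freshly generated (constructed) key both ways.
func sampleEncodings() (string, string) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})),
		hex.EncodeToString(elliptic.Marshal(elliptic.P256(), priv.X, priv.Y))
}

func main() {
	p, h := sampleEncodings()
	a, fa, _ := parseECDSAPublic(p)
	b, fb, _ := parseECDSAPublic(h)
	fmt.Println(fa, fb, a.Equal(b))
}
```

Both encodings decode to the same key, so a client that accepts either can verify during the migration period; a hex value that is not a valid curve point is rejected rather than accepted as a key.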

@cpanato cpanato requested a review from dlorenc September 7, 2022 22:14
@bobcallaway bobcallaway merged commit 15fc6d2 into sigstore:main Sep 8, 2022
mtrmac pushed a commit to mtrmac/sigstore that referenced this pull request Mar 10, 2023
Following up on sigstore/cosign#671 which identified a bunch of places we were incorrectly constructing the target tag name, this creates a helper that cuts this boilerplate down, since the majority of these call sites were following the exact same pattern and only computing the repo and hash for the tag construction.

Signed-off-by: Matt Moore <mattomata@gmail.com>