Change in-toto-sign supported key file formats #654
Merged
+87
−197
Changes in-toto-sign to expect pem/pkcs8 signing keys and pem/subjectPublicKeyInfo verification keys passed with the --key argument. --key-type is now obsolete and removed.
Otherwise the behavior of in-toto-sign remains the same.
This is part of a series of patches to prepare for removal of legacy
securesystemslib interfaces and key file formats.
Change details
Unlike in-toto-verify (#652) and in-toto-run/record (#651, #649), where
new arguments were introduced for the new formats, and deprecation
warnings were added to the old arguments, in-toto-sign is changed
directly.
This is because the main use cases for in-toto-sign have been:
Given that the layout-web-tool is currently offline for revision
(in-toto/layout-web-tool#70) and in-toto
maintainers should be easily able to adapt, a direct change is not
expected to disrupt anyone's operations.
IMO this can even be released as part of a minor version bump.
Test change details
using demo metadata)
--key-type in cli invocations
--key-type-specific tests
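A pre-flight check for the format change described above, as an added example that is not part of this pull request or of in-toto: it classifies a key file by its RFC 7468 PEM label so that keys in other encodings can be found before they are passed to --key. The function names and the 'sign'/'verify' role names are hypothetical, and the check looks only at the PEM label and the outer DER tag, not at the key contents.

```python
import base64
import re

# RFC 7468 PEM labels mapped to the encoding they announce.
LABELS = {
    "PRIVATE KEY": "pkcs8",
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
    "PUBLIC KEY": "subjectPublicKeyInfo",
    "RSA PRIVATE KEY": "pkcs1-private",
    "RSA PUBLIC KEY": "pkcs1-public",
    "EC PRIVATE KEY": "sec1-private",
}
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def make_pem(label, der):
    """Wrap DER bytes in PEM armor (used here only to build constructed samples)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


def classify_key(text):
    """Return the encoding announced by the first PEM block in text."""
    match = PEM_RE.search(text)
    if match is None:
        return "not-pem"
    label, body = match.groups()
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return "corrupt-pem"
    # Every encoding in LABELS is a DER SEQUENCE, so the first byte must be 0x30.
    if not der or der[0] != 0x30:
        return "corrupt-pem"
    return LABELS.get(label, "unknown-label")


def usable_for(text, role):
    """role is 'sign' or 'verify' (hypothetical names for the two uses of --key)."""
    expected = {"sign": "pkcs8", "verify": "subjectPublicKeyInfo"}[role]
    return classify_key(text) == expected


# Constructed samples: an empty DER SEQUENCE as placeholder, not real key material.
SAMPLE_SIGNING = make_pem("PRIVATE KEY", b"\x30\x00")
SAMPLE_LEGACY = make_pem("RSA PRIVATE KEY", b"\x30\x00")
```

A result other than pkcs8 or subjectPublicKeyInfo means the key file should be reviewed and, if needed, converted before it is used with --key.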