updateframework signature format
I thought the following was cool. Still trying to understand exactly what the rules are for accepting new metadata and how much local state is consulted to do so. I certainly also have deployments that are updated far less often (annually?) than TUF's recommended key expiry. Unfortunately the TUF pypi mirror is down, but the RSA signatures for some example root metadata look like:

    "signatures": [
      {
        "keyid": "b0aae9ed378b7a955966eaf8374200d65367f65dc5dc4a88254a6a6cf5024850",
        "method": "sha256-pkcs1",
        "sig": "H4jck9aILZA1kef7U+LtSj84Iak36gW3M4DqkHlbNNlojxglbfEhT16fhgLSncK7dOZ8fQWlCh6zHynfs/PEPM741WpblKgwR7XE8F1nkvT7cfvexuAF9MwLrlBCDqZLjKzW3gol02VYbZVYdGIVdPKzDILqPxneiPyaWXqW/C28Wmj74KKphe6INCV4ZeDVmIn6mOOiHUjCIpWViIARd1wZVaJA/j8PdB49JIfWTdY6A4KLRT/rH0UsLiLIy8biIr8oqpJPvmGAM0kB0/Mbj6mP5k0USFXP0RB15/JwgSDiIp3QW+86EjQ1t9SD1q+FV3fTwyE1t+4Cr4LD9GvJuQ"
      },
      { ...

And an RSA public key, indexed by its hash or fingerprint, is just:

    "2369aafcc29833ae4279e4384ea6a99d2343d02a80057502e81a82864e4ff439": {
      "keytype": "rsa",
      "keyval": {
        "e": "AQAB",
        "n": "giWZ7HQgDrG+GwCyxqoXsZSRkN5HvIFpJvYsmP50BXBsT2LQdyZcZKJc8OLImwvkmaXwntBD7yZEPZ2PkLKq87h3L+rJww2j/k5nn0RD0v/Blv9BY+rhHp5gWjjI4W5SCs02qmM7/X+62qQnTi6agCJaMD9Azyz57ySWtlLlVankp7PnZPEkxrX0AA8zaLcAZw+37eUgVCwl9zKJTF/4oaAuvH+TLwArAQXNJVrDaHFvWvwvsH3AzwN1pue2ZNn88BNRGxiUfpRdt15e14x8mz3Ye8mHuey8EXz82wTRzZJ0u+f8G1BVzuOBI3eljaDgNJU4X1vjnj/ltoOflyLP1w"
      }
    }
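As an added, stdlib-only worked example (not part of the post above and not TUF's own code), this checks a signature entry of the shape shown: the entry is accepted only if its keyid matches the key, its method is sha256-pkcs1, and the RSA PKCS#1 v1.5 decoding of sig equals the SHA-256 digest of the canonical JSON of the "signed" object. Assumptions: the keyid is the SHA-256 hex of the canonical JSON of the key object, canonical JSON means sorted keys with no whitespace, and the toy key generator exists only so the example runs on its own (the key and signature quoted in the post belong to different keyids, so they cannot be checked against each other).

```python
import base64, hashlib, json, random
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017, 9.2
def b64(data):  # the metadata strips the '=' padding, so "AQAB" is e = 65537
    return base64.b64encode(data).decode().rstrip("=")
def unb64(text):
    return base64.b64decode(text + "=" * (-len(text) % 4))
def int_b64(i):
    return b64(i.to_bytes((i.bit_length() + 7) // 8, "big"))
def canonical_json(obj):  # assumed canonical form: sorted keys, no whitespace
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
def keyid(key):  # assumed: keyid = SHA-256 hex of the canonical public-key object
    return hashlib.sha256(canonical_json(key)).hexdigest()

def emsa_pkcs1_v15(message, k):  # 00 01 FF..FF 00 || DigestInfo || SHA-256(message)
    t = DIGESTINFO_SHA256 + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for sha256-pkcs1")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify(key, signed, entry):  # one {"keyid","method","sig"} entry vs. the "signed" object
    if entry["method"] != "sha256-pkcs1" or entry["keyid"] != keyid(key):
        return False
    e, n = (int.from_bytes(unb64(key["keyval"][x]), "big") for x in ("e", "n"))
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(unb64(entry["sig"]), "big")
    # Compare the whole encoding, so bad padding or trailing garbage is rejected.
    return 0 < s < n and pow(s, e, n).to_bytes(k, "big") == emsa_pkcs1_v15(canonical_json(signed), k)

def sign(signed, key, d):  # signer side, so the demo can produce an entry to check
    n = int.from_bytes(unb64(key["keyval"]["n"]), "big")
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(canonical_json(signed), k), "big")
    return {"keyid": keyid(key), "method": "sha256-pkcs1", "sig": b64(pow(em, d, n).to_bytes(k, "big"))}

def probable_prime(bits, rounds=32):  # Miller-Rabin; fine for a throwaway demo key
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        d, r = n - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for _ in range(rounds):
            x = pow(random.randrange(2, n - 1), d, n)
            if x not in (1, n - 1) and not any(pow(x, 2 << i, n) == n - 1 for i in range(r - 1)):
                break  # composite: try another candidate
        else:
            return n

def demo_keypair(bits=512):  # toy key for the demo only; use a vetted library for real keys
    e, p, q = 65537, probable_prime(bits // 2), probable_prime(bits // 2)
    key = {"keytype": "rsa", "keyval": {"e": int_b64(e), "n": int_b64(p * q)}}
    return key, pow(e, -1, (p - 1) * (q - 1))  # modular inverse needs Python 3.8+
```

Run `key, d = demo_keypair()` and `entry = sign({"_type": "Root", "version": 1}, key, d)`; `verify(key, signed, entry)` is then True, and any change to the signed object, the method or the key makes it False.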
participants (1)
-
Daniel Holth