If we have KMS signing, we should consider key generation using the KMS: currently the process of rotating KMS keys would be very manual.
Key update process for a TUF key looks like this in general:
1. create key (locally, KMS, HW key)
2. if KMS: export the public key
   elif HW key: export public key
   else: upload the private key to signing key storage
3. convert public key to TUF format
4. add the key to delegating metadata
5. get metadata signed by delegating keys
I think securesystemslib should aim to provide steps 1-3 (or at least 2-3) for all key types with easy method calls.
This is already somewhat true for normal file-based keys (just call keys.generate_*() and you're done).
I am not sure if you can create a GPG key with securesystemslib but gpg.export_pubkeys() handles numbers 2 & 3
For KMS (this is based on GCP experience, should roughly apply to others):
1. key generation is a KMS method and requires some specific permission. Takes some service specific algorithm parameters and returns a KMS key identifier -- this step could still stay manual (but note that the algorithm parameters are needed in step 3)
2. public key export is a KMS method and requires another permission. Takes key identifier as input and returns public key content
3. TUF public key can be created using the algorithm parameters and the public key content
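The two steps that sit between "export the public key" and "get metadata signed" (convert the exported key to TUF format, then register it in the delegating role) can be shown without any KMS access. The block below is an added illustration written for this page, not code from securesystemslib or the issue author. It assumes the GCP algorithm-name-to-TUF mapping in `KMS_ALGORITHM_TO_TUF`, a constructed PEM string standing in for the exported public key content, a constructed root metadata document, and that the keyid is the SHA-256 of the OLPC canonical JSON of the public key object as the TUF specification defines it (which may differ from what a given securesystemslib release computes).

```python
"""Steps 3-4 of the key-update process: KMS public key -> TUF key -> delegating metadata.

Added example, not securesystemslib code. The algorithm mapping, the sample PEM and
the sample metadata are constructed assumptions for illustration.
"""
import hashlib

# Assumed mapping from the KMS algorithm parameter chosen at key-generation time
# (GCP CryptoKeyVersion algorithm names) to the TUF keytype/scheme pair. This is
# why the step-1 parameters must be kept: step 3 cannot be completed without them.
KMS_ALGORITHM_TO_TUF = {
    "EC_SIGN_P256_SHA256": ("ecdsa", "ecdsa-sha2-nistp256"),
    "RSA_SIGN_PSS_2048_SHA256": ("rsa", "rsassa-pss-sha256"),
    "RSA_SIGN_PSS_4096_SHA256": ("rsa", "rsassa-pss-sha256"),
}

# Constructed placeholder for the content returned by the KMS public-key export.
SAMPLE_PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "PLACEHOLDER-BASE64-PUBLIC-KEY-CONTENT\n"
    "-----END PUBLIC KEY-----\n"
)


def canonical_json(obj) -> str:
    """OLPC canonical JSON: sorted keys, no whitespace, only backslash and
    double quote escaped inside strings. Used so that keyids are deterministic."""
    if isinstance(obj, dict):
        body = ",".join(canonical_json(k) + ":" + canonical_json(v) for k, v in sorted(obj.items()))
        return "{" + body + "}"
    if isinstance(obj, list):
        return "[" + ",".join(canonical_json(v) for v in obj) + "]"
    if isinstance(obj, str):
        return '"' + obj.replace("\\", "\\\\").replace('"', '\\"') + '"'
    if obj is True:
        return "true"
    if obj is False:
        return "false"
    if obj is None:
        return "null"
    if isinstance(obj, int):  # bool already handled above
        return str(obj)
    raise TypeError(f"canonical JSON does not allow {type(obj).__name__}")


def kms_public_key_to_tuf(kms_algorithm: str, public_key_pem: str):
    """Step 3: build the TUF public key object and its keyid from the KMS
    algorithm parameter and the exported public key content."""
    if kms_algorithm not in KMS_ALGORITHM_TO_TUF:
        raise ValueError(f"unsupported KMS algorithm: {kms_algorithm}")
    keytype, scheme = KMS_ALGORITHM_TO_TUF[kms_algorithm]
    key = {"keytype": keytype, "scheme": scheme, "keyval": {"public": public_key_pem}}
    # Assumption: keyid = hex SHA-256 of the canonical JSON of the key object.
    keyid = hashlib.sha256(canonical_json(key).encode("utf-8")).hexdigest()
    return keyid, key


def sample_root_metadata() -> dict:
    """Constructed delegating metadata with one existing timestamp key."""
    old_keyid, old_key = kms_public_key_to_tuf("EC_SIGN_P256_SHA256", "OLD-KEY-PEM")
    return {
        "signed": {
            "_type": "root",
            "version": 1,
            "keys": {old_keyid: old_key},
            "roles": {"timestamp": {"keyids": [old_keyid], "threshold": 1}},
        },
        "signatures": [],
    }


def add_key_to_role(metadata: dict, rolename: str, keyid: str, key: dict) -> dict:
    """Step 4: register the key and reference it from the role, without duplicates."""
    signed = metadata["signed"]
    signed.setdefault("keys", {})[keyid] = key
    role = signed["roles"][rolename]
    if keyid not in role["keyids"]:
        role["keyids"].append(keyid)
    return metadata


def remove_key_from_role(metadata: dict, rolename: str, keyid: str) -> dict:
    """Rotation tail: drop the old keyid from the role, and from "keys" once no
    role references it. Step 5 (signing the result) is left to the delegating keys."""
    signed = metadata["signed"]
    role = signed["roles"][rolename]
    role["keyids"] = [k for k in role["keyids"] if k != keyid]
    still_used = any(keyid in r["keyids"] for r in signed["roles"].values())
    if not still_used:
        signed["keys"].pop(keyid, None)
    return metadata


if __name__ == "__main__":
    new_keyid, new_key = kms_public_key_to_tuf("EC_SIGN_P256_SHA256", SAMPLE_PUBLIC_KEY_PEM)
    md = add_key_to_role(sample_root_metadata(), "timestamp", new_keyid, new_key)
    print(canonical_json(md["signed"]))
```

Rotating a KMS key with this flow only needs the public-key export permission on the new key version, not key creation; the metadata change is then signed by the delegating (root) keys as in step 5.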
Current thinking: I believe most users would not want code that creates new keys. At least I don't want to give that permission on my projects... So key generation is not a super interesting feature.
Key import however is something useful: this is implemented in #480
This depends on #445.