Skip to content

Commit

Permalink
repo: Add workaround for sigstore KMS keyid
Browse files Browse the repository at this point in the history
The sigstore root-signing online key keyid was entered incorrectly:
Add a workaround here so there is more time to fix the actual keyid.

Fixes #422
  • Loading branch information
jku committed Sep 2, 2024
1 parent 317efea commit 1d90720
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions repo/tuf_on_ci/_repository.py
Original file line number Diff line number Diff line change
Expand Up @@ -228,6 +228,15 @@ def close(self, rolename: str, md: Metadata) -> None:
for key in self._get_keys(rolename):
if rolename in ["timestamp", "snapshot"]:
uri = key.unrecognized_fields[TAG_ONLINE_URI]

# FIXME: workaround for issue #422, only needed while sigstore
# root-signing online key keyid is incorrect
if (
uri
== "gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp"
):
uri = "gcpkms:projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp/cryptoKeyVersions/1" # noqa: E501

signer = Signer.from_priv_key_uri(uri, key)
md.sign(signer, True)
else:
Expand Down

0 comments on commit 1d90720

Please sign in to comment.