repo: Add workaround for sigstore KMS keyid

The sigstore root-signing online key keyid was entered incorrectly: Add a workaround here so there is more time to fix the actual keyid. Fixes #422
theupdateframework · Aug 31, 2024 · d7c03ca · d7c03ca
1 parent 317efea
commit d7c03ca
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/repo/tuf_on_ci/_repository.py b/repo/tuf_on_ci/_repository.py
@@ -228,6 +228,15 @@ def close(self, rolename: str, md: Metadata) -> None:
         for key in self._get_keys(rolename):
             if rolename in ["timestamp", "snapshot"]:
                 uri = key.unrecognized_fields[TAG_ONLINE_URI]
+
+                # FIXME: workaround for issue #422, only needed while sigstore
+                # root-signing online key keyid is incorrect
+                if (
+                    uri
+                    == "gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp"
+                ):
+                    uri = f"{uri}/cryptoKeyVersions/1"
+
                 signer = Signer.from_priv_key_uri(uri, key)
                 md.sign(signer, True)
             else: