From d7c03ca6aaf2137402620e56eb9197ee511fa32b Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Sat, 31 Aug 2024 12:24:04 +0300
Subject: [PATCH] repo: Add workaround for sigstore KMS keyid

The sigstore root-signing online key keyid was entered incorrectly: Add a workaround here so there is more time to fix the actual keyid. Fixes #422
---
 repo/tuf_on_ci/_repository.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/repo/tuf_on_ci/_repository.py b/repo/tuf_on_ci/_repository.py
index 1f70e75..c629c14 100644
--- a/repo/tuf_on_ci/_repository.py
+++ b/repo/tuf_on_ci/_repository.py
@@ -228,6 +228,15 @@ def close(self, rolename: str, md: Metadata) -> None:
 for key in self._get_keys(rolename):
 if rolename in ["timestamp", "snapshot"]:
 uri = key.unrecognized_fields[TAG_ONLINE_URI]
+
+ # FIXME: workaround for issue #422, only needed while sigstore
+ # root-signing online key keyid is incorrect
+ if (
+ uri
+ == "gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp"
+ ):
+ uri = f"{uri}/cryptoKeyVersions/1"
+
 signer = Signer.from_priv_key_uri(uri, key)
 md.sign(signer, True)
 else:
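Review bot: The workaround in the `timestamp`/`snapshot` branch of `close()` silently signs with a different KMS URI than the one recorded in the key's `TAG_ONLINE_URI` field, and nothing in the run output shows that the rewrite happened. Since this decides which key version signs online metadata, I would log it where it fires, e.g. `logger.warning("issue #422 workaround: pinning %s to cryptoKeyVersions/1", uri)` (assuming the module has a logger; the hunk does not show one), and lift the literal URI into a named module-level constant so the repository-specific special case is easy to find and delete. The pin to version 1 is also hard-coded, so if the sigstore key is rotated before the keyid is fixed this path would presumably keep requesting version 1; that is worth stating in the FIXME. `close()` starts before and continues past this hunk, so other uses of the online URI are not visible here.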