It's currently possible to update a delegation role such that the existing `targets/a_role.json` file becomes invalid. This happens by removing the key(s) that have signed the currently available file from the role information contained in the parent file. Once in this situation the role cannot be republished because no client will successfully be able to pull that role.
Implement `notary witness` such that, among other things, it can take a role that has been invalidated and re-sign it. Following is proposed syntax and scenarios:
```
Usage:
  notary witness [ GUN ] < Target Name > ... [flags]

Flags:
      --role           Specifically add the targets to this role. If no targets are specified, simply re-sign the role if currently valid but short of signatures vs threshold; if invalid, bump version and expiry, then sign.
  -i, --interactive    Perform an interactive witness. If witnessing with targets this will ask the user to confirm each role they will be witnessing the target into. If performed without targets, it will ask the user to confirm the existing targets in the role they are signing.
```
It seems like adding targets and witnessing (that is, signing a piece of metadata to make it valid) should be separate affairs, since signing can also be used to reach the threshold of signatures.
Witnessing seems to me like saying "I've looked at this piece of metadata, and I approve". Modifying it afterward doesn't seem to fit the witness use case.
But someone can pull down a repo that does not include the invalid target file, because it doesn't have enough signatures, witness it to make it valid and hence then download the target file, and then add/remove targets at will from it and publish the full set of changes up. (the order of operations is tricky here, since we may have to download the file to be witnessed separately from the repo downloading, and then once we sign it, attempt to load it into the repo).
cc @ecordell @NathanMcCauley @riyazdf @cyli
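A minimal Go model of the failure described in this issue and of the re-sign path proposed for `notary witness --role`, added here as an example; it is not Notary's code or API. `Keys`, `RoleFile`, `Check`, `Witness` and `Scenario` are hypothetical names, the role file is a toy format, and the rule for when to bump the version is an assumed reading of the flag text.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Keys is the parent's current key list for the role: key ID -> public key.
type Keys map[string]ed25519.PublicKey

// RoleFile is a toy stand-in for targets/a_role.json, not Notary's format.
type RoleFile struct {
	Version, Expires int               // Expires is a toy day counter
	Sigs             map[string][]byte // key ID -> signature over payload()
}
func (r *RoleFile) payload() []byte { return []byte(fmt.Sprint(r.Version, r.Expires)) }

// Check counts signatures that verify under keys the parent still lists.
func Check(trusted Keys, r *RoleFile) (n int) {
	for id, sig := range r.Sigs {
		if pub, ok := trusted[id]; ok && ed25519.Verify(pub, r.payload(), sig) {
			n++
		}
	}
	return n
}

// Witness (assumed semantics): nothing verifies -> bump, drop stale sigs; always sign.
func Witness(trusted Keys, r *RoleFile, id string, priv ed25519.PrivateKey) (bumped bool) {
	if Check(trusted, r) == 0 {
		r.Version, r.Expires, r.Sigs = r.Version+1, r.Expires+90, map[string][]byte{}
		bumped = true
	}
	r.Sigs[id] = ed25519.Sign(priv, r.payload())
	return bumped
}

// Scenario replays the issue: the parent replaces the role's only signing key.
func Scenario() (before, after int, bumped bool, version int) {
	_, oldPriv, _ := ed25519.GenerateKey(nil)
	newPub, newPriv, _ := ed25519.GenerateKey(nil)
	r := &RoleFile{Version: 1, Expires: 30}
	r.Sigs = map[string][]byte{"old": ed25519.Sign(oldPriv, r.payload())}
	trusted := Keys{"new": newPub} // "old" was removed from the parent file
	before = Check(trusted, r)
	bumped = Witness(trusted, r, "new", newPriv)
	return before, Check(trusted, r), bumped, r.Version
}
func main() { fmt.Println(Scenario()) }
```

With a threshold of 1, the role is unusable while `before` is 0 and becomes pullable again once `after` reaches 1.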