Commit 1d90720

repo: Add workaround for sigstore KMS keyid
The sigstore root-signing online key keyid was entered incorrectly: Add a workaround here so there is more time to fix the actual keyid. Fixes #422
1 parent 317efea commit 1d90720

1 file changed

+9
-0
lines changed

repo/tuf_on_ci/_repository.py

+9
@@ -228,6 +228,15 @@ def close(self, rolename: str, md: Metadata) -> None:
228228
for key in self._get_keys(rolename):
229229
if rolename in ["timestamp", "snapshot"]:
230230
uri = key.unrecognized_fields[TAG_ONLINE_URI]
231+
232+
# FIXME: workaround for issue #422, only needed while sigstore
233+
# root-signing online key keyid is incorrect
234+
if (
235+
uri
236+
== "gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp"
237+
):
238+
uri = "gcpkms:projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp/cryptoKeyVersions/1" # noqa: E501
239+
231240
signer = Signer.from_priv_key_uri(uri, key)
232241
md.sign(signer, True)
233242
else:
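
Review bot: The new `if uri == ...` block silently replaces the online signing URI read from `key.unrecognized_fields[TAG_ONLINE_URI]` with a hardcoded one, so the signer built by `Signer.from_priv_key_uri(uri, key)` no longer matches what the metadata declares and nothing in the output shows that. Please log a warning when the override fires, and consider moving the two deployment-specific strings into named module constants so the special case is easy to find and delete once #422 is fixed. The FIXME comment mentions only an incorrect keyid, but the replacement differs from the matched URI in two ways: the scheme changes from `gcpkms://` to `gcpkms:` and `/cryptoKeyVersions/1` is appended. The comment should say which of these is the actual correction and why rewriting the URI addresses a keyid problem. Also note that pinning `cryptoKeyVersions/1` here means timestamp signing keeps using version 1 for as long as this block exists, regardless of any later key version change, which is worth stating in the comment.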
