I thought the following was cool. Still trying to understand exactly what
the rules are for accepting new metadata and how much local state is
consulted to do so. I certainly also have deployments that are updated far
less often (annually?) than TUF's recommended key expiry.
Unfortunately the TUF pypi mirror is down, but the RSA signatures for some
example root metadata look like:
  "signatures": [
    {
      "keyid": "b0aae9ed378b7a955966eaf8374200d65367f65dc5dc4a88254a6a6cf5024850",
      "method": "sha256-pkcs1",
      "sig": "H4jck9aILZA1kef7U+LtSj84Iak36gW3M4DqkHlbNNlojxglbfEhT16fhgLSncK7dOZ8fQWlCh6zHynfs/PEPM741WpblKgwR7XE8F1nkvT7cfvexuAF9MwLrlBCDqZLjKzW3gol02VYbZVYdGIVdPKzDILqPxneiPyaWXqW/C28Wmj74KKphe6INCV4ZeDVmIn6mOOiHUjCIpWViIARd1wZVaJA/j8PdB49JIfWTdY6A4KLRT/rH0UsLiLIy8biIr8oqpJPvmGAM0kB0/Mbj6mP5k0USFXP0RB15/JwgSDiIp3QW+86EjQ1t9SD1q+FV3fTwyE1t+4Cr4LD9GvJuQ"
    },
    {
    ...
And an RSA public key, indexed by its hash or fingerprint, is just:
  "2369aafcc29833ae4279e4384ea6a99d2343d02a80057502e81a82864e4ff439": {
    "keytype": "rsa",
    "keyval": {
      "e": "AQAB",
      "n": "giWZ7HQgDrG+GwCyxqoXsZSRkN5HvIFpJvYsmP50BXBsT2LQdyZcZKJc8OLImwvkmaXwntBD7yZEPZ2PkLKq87h3L+rJww2j/k5nn0RD0v/Blv9BY+rhHp5gWjjI4W5SCs02qmM7/X+62qQnTi6agCJaMD9Azyz57ySWtlLlVankp7PnZPEkxrX0AA8zaLcAZw+37eUgVCwl9zKJTF/4oaAuvH+TLwArAQXNJVrDaHFvWvwvsH3AzwN1pue2ZNn88BNRGxiUfpRdt15e14x8mz3Ye8mHuey8EXz82wTRzZJ0u+f8G1BVzuOBI3eljaDgNJU4X1vjnj/ltoOflyLP1w"
    }
  }
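To make the two fragments above concrete, here is an added, stand-alone example (not code from the original post and not TUF's own implementation) that parses a key entry in this shape, derives the keyid, and checks a "sha256-pkcs1" signature entry against a "signed" object, using only the Python standard library. It assumes that the keyid is the hex SHA-256 of the canonical JSON of the key object, that the signature covers the canonical JSON of the "signed" object, and that "sha256-pkcs1" means RSASSA-PKCS1-v1_5 with SHA-256; the base64 decoder tolerates the missing "=" padding seen in the posted values. The key generation and signing routines are textbook demo code (small Miller-Rabin keys), included only so the verifier has something to check; the sample "signed" object is constructed.

```python
import base64, hashlib, json, secrets

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def canonical_json(obj):
    # sorted keys, no whitespace: assumed canonical form so every verifier hashes identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def b64decode_unpadded(s):
    return base64.b64decode(s + "=" * (-len(s) % 4))  # posted values omit '=' padding


def b64encode_unpadded(b):
    return base64.b64encode(b).decode().rstrip("=")


def emsa_pkcs1_v1_5(message, em_len):
    # EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo||hash
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for SHA-256 PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def tuf_keyid(key):
    # assumption: keyid = SHA-256 hex of the canonical JSON of the key object
    return hashlib.sha256(canonical_json(key)).hexdigest()


def load_rsa_public(key):
    e = int.from_bytes(b64decode_unpadded(key["keyval"]["e"]), "big")
    n = int.from_bytes(b64decode_unpadded(key["keyval"]["n"]), "big")
    return e, n


def verify_signature(signed, sig_entry, keys):
    key = keys.get(sig_entry["keyid"])
    if key is None or key.get("keytype") != "rsa" or sig_entry.get("method") != "sha256-pkcs1":
        return False
    if tuf_keyid(key) != sig_entry["keyid"]:
        return False  # key object does not hash to the id it is filed under
    e, n = load_rsa_public(key)
    k = (n.bit_length() + 7) // 8
    sig = b64decode_unpadded(sig_entry["sig"])
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, emsa_pkcs1_v1_5(canonical_json(signed), k))


# --- demo-only key generation and signing (textbook RSA, not for production) ---
def _is_probable_prime(n, rounds=32):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):  # Miller-Rabin witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_rsa_keypair(bits=1024):
    # small demo key; returns (key object in the posted format, d, n)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            break
    d = pow(e, -1, phi)
    k = (n.bit_length() + 7) // 8
    key = {"keytype": "rsa", "keyval": {"e": b64encode_unpadded(e.to_bytes(3, "big")),  # "AQAB"
                                        "n": b64encode_unpadded(n.to_bytes(k, "big"))}}
    return key, d, n


def sign_metadata(signed, key, d, n):
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v1_5(canonical_json(signed), k), "big")
    return {"keyid": tuf_keyid(key), "method": "sha256-pkcs1",
            "sig": b64encode_unpadded(pow(em, d, n).to_bytes(k, "big"))}


def demo():
    # returns (genuine verifies, tampered copy verifies)
    key, d, n = generate_rsa_keypair()
    keys = {tuf_keyid(key): key}
    signed = {"_type": "Root", "version": 1, "expires": "2030-01-01T00:00:00Z"}  # constructed
    entry = sign_metadata(signed, key, d, n)
    return verify_signature(signed, entry, keys), verify_signature(dict(signed, version=2), entry, keys)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The keyid re-derivation in verify_signature is the check worth noticing: a signature is only accepted if the key object found under that id actually hashes to it, so a key substituted into the keys table under someone else's id is rejected before any RSA arithmetic runs.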
_______________________________________________
Distutils-SIG maillist - [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig