Reviewed 5 of 5 files at r1.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @oncilla)

go/tools/scion-pki/internal/v2/trc/sign.go, line 109 at r1 (raw file):

genSignatures

wouldn't sign or signTRC be more appropriate?

go/tools/scion-pki/internal/v2/trc/sign.go, line 113 at r1 (raw file):

	signatures := make(map[trc.Protected]trc.Signature)
	// FIXME(roosd): Here votes should be cast in updates.

I guess that refers to the fact that you do nothing with t.Votes ?

go/tools/scion-pki/internal/v2/trc/util.go, line 65 at r1 (raw file):

	})
	sigs := make([]trc.Signature, len(keys))
	for i, key := range keys {

I usually prefer the non-indexed loop for consistency and because it works "always" no matter how sigs is defined.

	sigs := make([]trc.Signature, 0, len(keys))
	for _, key := range keys {
		sigs = append(sigs, signatures[key])
	}

Reviewable status: 3 of 5 files reviewed, 2 unresolved discussions (waiting on @lukedirtwalker)

go/tools/scion-pki/internal/v2/trc/sign.go, line 109 at r1 (raw file):

Done.

go/tools/scion-pki/internal/v2/trc/sign.go, line 113 at r1 (raw file):

Yes. But since we do not support TRC updates yet, this is fine :)
A base TRC does not have votes.

The issue with TRC updates is, that we do not have properly defined how to do key management yet.
Key generation, update generation will largely depend on that.

My goal is to have some working CP-PKI with base TRCs + certificates and then implement the trust store.
Adding TRC updates can be done when key management is resolved.

Reviewed 2 of 2 files at r2.
Reviewable status: complete! all files reviewed, all discussions resolved