
Conversation

haydentherapper
Contributor

Change hardcoded root to the new root from sigstore/root-signing#756

Summary

Release Note

Documentation

Change hardcoded root to the new root from sigstore/root-signing#756


Signed-off-by: Hayden B <hblauzvern@google.com>
@haydentherapper
Contributor Author

Note this hasn't been rolled out to staging yet, so it may fail.

tnytown added the component:tuf (TUF related components) and safe to test labels on Apr 3, 2023
@tetsuo-cpp
Contributor

/gcbrun

@haydentherapper
Contributor Author

It'll be ~10 minutes til I update staging

@haydentherapper
Contributor Author

Updated the root, please kick off GHA tests again

@di
Member

di commented Apr 3, 2023

Still have a lot of test failures here, haven't looked into them yet: https://github.com/sigstore/sigstore-python/actions/runs/4601687825/jobs/8130389601?pr=594

@haydentherapper
Contributor Author

A couple notes on things that have changed:

  • New root, and we have both a version 1 and 2 of the root. This checks in version 1
  • We're now using consistent snapshots, so all target files have a digest prepended to the file name
  • We added a delegation for the npm registry
  • We added trusted_root.json as another target file
  • Same threshold of 1

@haydentherapper
Contributor Author

Also I do have a backup of the original TUF repo if need be

@woodruffw
Member

/gcbrun

@woodruffw woodruffw requested review from tnytown and tetsuo-cpp April 4, 2023 14:16
@tnytown
Contributor

tnytown commented Apr 4, 2023

Didn't run the test suite on these changes when they were pending in sigstore/root-signing 🙃

The tests are failing because our offline tests depend on a local copy of the relevant TUF targets. Unfortunately, we can't just pull them down and shove them in because of the consistent snapshot hash format. I'm working on adapting the tests now and I'll update when I make some progress.
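The two comments above (the list of repository changes, and the note that offline fixtures can't simply be copied in) both hinge on how TUF consistent snapshots name target files: the client requests `<dir>/<HASH>.<basename>`, where `HASH` is a digest listed in the targets metadata, and then verifies length and digests before trusting the bytes. The following is an added illustration, not code from sigstore-python or python-tuf; the file names and contents are constructed, and `stage_offline_fixtures`/`lookup` are hypothetical helpers modelling what a mock fetcher has to serve and how a client resolves a target.

```python
import hashlib
from pathlib import PurePosixPath

# Constructed sample target files standing in for a TUF repo's targets
# (names chosen to resemble the sigstore staging repo; contents are made up).
SAMPLE_FILES = {
    "trusted_root.json": b'{"mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1"}\n',
    "rekor.pub": b"-----BEGIN PUBLIC KEY-----\nconstructed\n-----END PUBLIC KEY-----\n",
    "npm/registry.pub": b"-----BEGIN PUBLIC KEY-----\nconstructed-npm\n-----END PUBLIC KEY-----\n",
}


def build_targets(files, alg="sha256"):
    """Targets-role entries in the TUF shape: path -> {"length", "hashes"}."""
    return {
        path: {"length": len(data), "hashes": {alg: hashlib.new(alg, data).hexdigest()}}
        for path, data in files.items()
    }


def consistent_target_path(target_path, target_info, alg="sha256"):
    """With consistent_snapshot enabled, clients fetch <dir>/<HASH>.<basename>
    instead of <dir>/<basename>, where HASH is one of the target's listed digests."""
    p = PurePosixPath(target_path)
    return str(p.with_name(f"{target_info['hashes'][alg]}.{p.name}"))


def verify_target(data, target_info):
    """Length and every listed digest must match before the bytes are trusted."""
    if len(data) != target_info["length"]:
        return False
    return all(
        hashlib.new(alg, data).hexdigest() == expected
        for alg, expected in target_info["hashes"].items()
    )


def stage_offline_fixtures(files):
    """Lay files out under the names a consistent-snapshot client will request.
    Returns {on-disk-name: bytes}: this is what an offline mock fetcher must serve,
    so editing a fixture's contents also changes the name it must be stored under."""
    targets = build_targets(files)
    return {consistent_target_path(path, targets[path]): data for path, data in files.items()}


def lookup(fixtures, target_path, target_info):
    """Resolve a target the way a client would: compute the hashed name, fetch it,
    verify it. Returns the bytes, or None if the fixture is missing or tampered."""
    name = consistent_target_path(target_path, target_info)
    data = fixtures.get(name)
    if data is None or not verify_target(data, target_info):
        return None
    return data


if __name__ == "__main__":
    targets = build_targets(SAMPLE_FILES)
    for name in stage_offline_fixtures(SAMPLE_FILES):
        print(name)
    print(lookup(stage_offline_fixtures(SAMPLE_FILES), "trusted_root.json", targets["trusted_root.json"]))
```

Two consequences follow directly: a fixture copied in under its plain name (`trusted_root.json`) is never requested by a consistent-snapshot client, and a fixture stored under a hashed name whose contents were later edited fails digest verification, so test fixtures have to be regenerated rather than patched in place.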

@tnytown
Contributor

tnytown commented Apr 4, 2023

Have been running into issues signing w/ staging:

env/bin/python -m sigstore --staging sign --overwrite test.txt
Failed to refresh TUF metadata.

        Please report this issue at <https://github.com/sigstore/sigstore-python/issues/new>.
        
For detailed error information, run sigstore with the `--verbose` flag.

Seems like the issue is happening with TUF refresh:

Traceback (most recent call last):
  File "/Users/tnytown/Documents/sw/sigstore-python/sigstore/_internal/tuf.py", line 170, in _updater
    updater.refresh()
  File "/Users/tnytown/Documents/sw/sigstore-python/env/lib/python3.10/site-packages/tuf/ngclient/updater.py", line 132, in refresh
    self._load_root()
  File "/Users/tnytown/Documents/sw/sigstore-python/env/lib/python3.10/site-packages/tuf/ngclient/updater.py", line 323, in _load_root
    self._trusted_set.update_root(data)
  File "/Users/tnytown/Documents/sw/sigstore-python/env/lib/python3.10/site-packages/tuf/ngclient/_internal/trusted_metadata_set.py", line 164, in update_root
    self.root.verify_delegate(Root.type, new_root)
  File "/Users/tnytown/Documents/sw/sigstore-python/env/lib/python3.10/site-packages/tuf/api/metadata.py", line 452, in verify_delegate
    raise exceptions.UnsignedMetadataError(
tuf.api.exceptions.UnsignedMetadataError: root was signed by 0/1 keys

The offline tests w/ mock fetcher seem to refresh() correctly, so I'm not exactly sure what's going on here

@tnytown
Contributor

tnytown commented Apr 4, 2023

The offline tests w/ mock fetcher seem to refresh() correctly, so I'm not exactly sure what's going on here

Never mind, I figured it out: I had to delete the data dir in ~/Library/Application Support (I had previously deleted the folder in ~/Library/Caches and assumed that it was all.) Most tests pass correctly now!
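The `root was signed by 0/1 keys` error in the traceback above is the TUF root-rotation rule firing: a candidate root must be signed by a threshold of the keys listed in the currently trusted root (and by a threshold of its own keys), and the "currently trusted root" is whatever the client has cached locally, not the one embedded in the package. That matches the fix described above, since deleting the cached data directory makes the embedded root the trust anchor again. The model below is an added example, not sigstore-python or python-tuf code; it uses HMAC-SHA256 as a stand-in for real signatures so it runs offline (`TOY_SECRETS`, `make_root`, `update_root` and the local `UnsignedMetadataError` class are all constructed for the illustration), but the threshold and version checks are the same shape as the client rule.

```python
import hmac
import json


class UnsignedMetadataError(Exception):
    """Local stand-in named after python-tuf's exception of the same name."""


# Toy key material (constructed). Real TUF metadata carries public keys and
# ed25519/ECDSA signatures; here "signing" is HMAC-SHA256 so the example runs
# offline, which means the verifier holds the same secret as the signer.
TOY_SECRETS = {
    "old-key": b"old-chain-root-key-secret",
    "new-key": b"new-chain-root-key-secret",
}


def canonical(signed):
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign(keyid, signed):
    return {"keyid": keyid, "sig": hmac.new(TOY_SECRETS[keyid], canonical(signed), "sha256").hexdigest()}


def signature_valid(keyid, sig, signed):
    expected = hmac.new(TOY_SECRETS[keyid], canonical(signed), "sha256").hexdigest()
    return hmac.compare_digest(sig, expected)


def make_root(version, keyids, threshold=1):
    """Minimal root 'signed' body: only the root role matters for this example."""
    return {
        "_type": "root", "version": version, "consistent_snapshot": True,
        "keys": {k: {"keytype": "toy-hmac"} for k in keyids},
        "roles": {"root": {"keyids": list(keyids), "threshold": threshold}},
    }


def signed_metadata(signed, signer_keyids):
    return {"signed": signed, "signatures": [sign(k, signed) for k in signer_keyids]}


def count_valid_sigs(verifier, candidate):
    """Distinct root-role keys of `verifier` that validly signed `candidate`."""
    role = verifier["signed"]["roles"]["root"]
    valid = set()
    for s in candidate["signatures"]:
        kid = s["keyid"]
        if (kid in role["keyids"] and kid in verifier["signed"]["keys"]
                and signature_valid(kid, s["sig"], candidate["signed"])):
            valid.add(kid)
    return len(valid)


def update_root(trusted, candidate):
    """Root-rotation rule: the candidate must reach the root threshold of the
    currently trusted root AND of itself, and be exactly one version newer."""
    for verifier in (trusted, candidate):
        threshold = verifier["signed"]["roles"]["root"]["threshold"]
        n = count_valid_sigs(verifier, candidate)
        if n < threshold:
            raise UnsignedMetadataError(f"root was signed by {n}/{threshold} keys")
    if candidate["signed"]["version"] != trusted["signed"]["version"] + 1:
        raise ValueError("unexpected root version")
    return candidate


def demo():
    old_root_v1 = signed_metadata(make_root(1, ["old-key"]), ["old-key"])  # previous chain
    new_root_v1 = signed_metadata(make_root(1, ["new-key"]), ["new-key"])  # freshly embedded root
    new_root_v2 = signed_metadata(make_root(2, ["new-key"]), ["new-key"])  # served by the repo
    results = {}
    # Fresh client whose trust anchor is the new chain's v1: the update succeeds.
    results["fresh"] = update_root(new_root_v1, new_root_v2)["signed"]["version"]
    # Stale client still holding the old chain's root in its cache: the new-chain
    # root is signed by none of the keys the cached root trusts.
    try:
        update_root(old_root_v1, new_root_v2)
        results["stale"] = "accepted"
    except UnsignedMetadataError as e:
        results["stale"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The stale case is exactly why the error is environmental rather than a bug in the new root: from the cached root's point of view the new chain is an unsigned replacement, which is the behaviour a TUF client must have to resist key substitution.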

@tnytown
Contributor

tnytown commented Apr 4, 2023

@haydentherapper I've updated the requisite files in https://github.com/trail-of-forks/sigstore-python/tree/ap/wip-staging-root-update, if you'd like to pull from that (I can't update this PR directly because I only have triage perms)

@woodruffw
Member

@haydentherapper I've updated the requisite files in https://github.com/trail-of-forks/sigstore-python/tree/ap/wip-staging-root-update, if you'd like to pull from that (I can't update this PR directly because I only have triage perms)

@tnytown Given that this is currently failing the integration tests, I'd say you can go ahead and just create a separate PR rather than trying to coordinate merges between forks here.

@woodruffw
Member

Rolled into #602. Thanks @haydentherapper!
