Description
We've chosen to split updating the trusted root (for verification) and the signing config (for signing) into two separate TUF metadata updates. The former allows clients who use a handcrafted signing config to verify Rekor v2 entries, while the latter will have clients automatically use Rekor v2 if the client has Rekor v2 support. To avoid breaking the verification path for clients, we will wait a few months for users to upgrade their clients and work with a few VIP clients and ecosystems to make sure the upgrade goes smoothly.
This issue tracks updating the SigningConfig in root-signing.