Labels: enhancement (New feature or request)
Description
Since the first TrustedRoot version, we've added two new fields:

- Checkpoint key ID (Revise checkpoint key ID comment, deprecate log ID, protobuf-specs#629), to distinguish between log ID (always SHA256(PKIX public key)) and checkpoint key ID (computed based on https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures). In Rekor v1, these may be distinct if the log key is not an ECDSA key. For Rekor v2, there is no longer a concept of a log ID, so we've been reusing the log ID field to contain the checkpoint key ID.
- Operator (Add operator for SigningConfig services, log and TSA roots, protobuf-specs#634). Operator was added for SigningConfig structs to group log deployments together by operator, e.g. sigstore.dev or a company. Operator was also added to TrustedRoot so that clients that support verification policies (i.e. sigstore-go) can use the Operator field to select only distinct log operators to count towards thresholds.
In updating the SigningConfig and adding the Operator field, we realized that simply adding a new field to a proto isn't a breaking change, but actually setting that field and trying to parse JSON causes a parser error, effectively making new fields breaking changes.
We need to create a new TrustedRoot, trusted_root.v0.2.json (following the new versioning convention), with the checkpoint key ID and operator fields set.