Other: do not use keyid as online private key file name

[lukpueh]

What do you want to share with us?

When adding a new online key in the ceremony (and metadata update) CLI, the default keyid is assigned as private key URI (file name) of the online key:

repository-service-tuf-cli/repository_service_tuf/cli/admin/helpers.py

Lines 338 to 339 in a35b820

	uri = f"fn:{new_key.keyid}"
	new_key.unrecognized_fields[KEY_URI_FIELD] = uri

repository-service-tuf-cli/repository_service_tuf/cli/admin/helpers.py

Line 347 in a35b820

console.print(f"Expected private key file name is: '{new_key.keyid}'")

This assumes that the user runs the CLI, notes down the name, and then deploys the online private key file.

However, the CLI's default behavior is to ultimately send the updated metadata to the RSTUF API. This triggers online signing, which requires the online key to already be deployed. So the key file name should be known before running the CLI.

Fix

An easy fix would be to ask the user for the private key filename, under which the user has deployed the key.

• we could re-use the already provided public key file name (together with some basic .pub-suffix stripping):
  

  repository-service-tuf-cli/repository_service_tuf/cli/admin/helpers.py

  Line 157 in a35b820

  path = Prompt.ask("\nPlease enter path to public key")

• we could also re-use the key name:
  

  repository-service-tuf-cli/repository_service_tuf/cli/admin/helpers.py

  Lines 335 to 336 in a35b820

  	name = _key_name_prompt(root)
  	new_key.unrecognized_fields[KEY_NAME_FIELD] = name

kudos to @simi for pointing out the flaw in the workflow

References

See in repository-service-tuf/repository-service-tuf#580 (Option 2) for context about private key URIs.

Coordinate with #608, which adds support for HashiCorp Vault private key URIs to the CLI.

Code of Conduct

• I agree to follow this project's Code of Conduct