Fixup: fix the first offline targets key rotation

Mike Sul found a regression in the recent changes related to multi-key support.
When there is no offline targets key yet - the `rotate-offline-keys --role=targets` fails.

A reason is that in a new code we always require an old key to exist inside the tgz file.
But that condition cannot be met when there are no offline targets keys yet.

A workaround is to use a new command `add-offline-key --role=targets`.
But, we need an existing command to behave the same way in this case for backward-compatibility.

Signed-off-by: Volodymyr Khoroz <[email protected]>

subcommands/keys/tuf_updates_rotate_offline_key.go

@@ -224,14 +224,18 @@ func replaceOfflineRootKey(
 func replaceOfflineTargetsKey(
 	root *client.AtsTufRoot, onlineTargetsId string, creds OfflineCreds, keyType TufKeyType,
 ) (TufSigner, OfflineCreds) {
-	oldKey, err := FindOneTufSigner(root, creds,
-		subcommands.SliceRemove(root.Signed.Roles["targets"].KeyIDs, onlineTargetsId))
-	subcommands.DieNotNil(err)
-	newKids := subcommands.SliceRemove(root.Signed.Roles["targets"].KeyIDs, oldKey.Id)
+	// Support first key rotation (no offline targets key yet) for backward-compatibility.
+	oldKids := root.Signed.Roles["targets"].KeyIDs
+	oldOfflineKids := subcommands.SliceRemove(oldKids, onlineTargetsId)
+	if len(oldOfflineKids) > 0 {
+		oldKey, err := FindOneTufSigner(root, creds, oldOfflineKids)
+		subcommands.DieNotNil(err)
+		oldKids = subcommands.SliceRemove(oldKids, oldKey.Id)
+	}
 
 	kp := genTufKeyPair(keyType)
 	root.Signed.Keys[kp.signer.Id] = kp.atsPub
-	root.Signed.Roles["targets"].KeyIDs = append(newKids, kp.signer.Id)
+	root.Signed.Roles["targets"].KeyIDs = append(oldKids, kp.signer.Id)
 	root.Signed.Roles["targets"].Threshold = 1
 
 	base := "tufrepo/keys/fioctl-targets-" + kp.signer.Id