There are 2 classes of interesting TUF repository compromise scenarios and corresponding audit questions:

- Repository hosting compromised and/or MITM, signing keys safe --> "Can the attacker affect the client in any way?"
- Repository hosting compromised and/or MITM, signing keys compromised --> "Can the attacker affect the client beyond the capability of the compromised key in