Upgrade to latest Sigstore TUF client #3548
A few implementation notes:
Another implementation note, as per sigstore/sigstore-go#38, we can now initialize multiple clients for different repositories each with its own local cache, which covers the use case of verifying against multiple trusted roots (e.g. the public instance + a private instance). We can add this around the same time.
Description
Tracking issue for using the new Sigstore TUF client, https://github.com/sigstore/sigstore-go/blob/main/pkg/tuf/client.go. This client adds support for using the new trusted root metadata and improves caching logic.
This removes support for the per-target `custom` metadata, i.e. https://github.com/sigstore/scaffolding/blob/b0d09de38f7ea4ee5939a52cebadbc7127d4e127/pkg/repo/repo.go#L44-L48, which is used for private deployments. Given this will be a breaking change in Cosign, we can either switch to this client as part of Cosign 3.0, announce deprecation and wait X months, or support both TUF clients via a flag (temporarily, we would still announce deprecation of the previous TUF client).
cc @codysoyland @kommendorkapten
Ref: sigstore/scaffolding#1001