Sigstore uses a TUF repository to securely deliver the Sigstore trust root (trusted_root.json) to Sigstore clients, see root-signing.
This project maintains a staging version of the root-signing TUF repository using tuf-on-ci: this is a development and testing resource and should never be used as an actual source of truth by Sigstore clients. It should be used by client CI systems to verify that the clients are compatible with e.g. upcoming changes to trusted_root.json -- possibly via sigstore-conformance.
More detail:
- infrastructure doc goes into detail about the required services and configuration.
- root-signing playbooks and documentation largely apply to this repository as well.
Current signers and next known signing events are documented in the automatically generated repository description: https://tuf-repo-cdn.sigstage.dev/.
The TUF repository is modified in two ways:
- signing events where human signers collaborate to sign changes with hardware keys and
- online signing where the root-signing-staging machinery signs changes using KMS keys
Signing events are pull requests created and managed by root-signing-staging. They may happen for multiple reasons:
- Maintainer proposes a change to trusted_root.json
- Maintainer proposes a change to repository configuration (signer list, signature thresholds, etc)
- root-signing-staging proposes resigning when signatures are close to expiry
In all cases the trigger for creating a signing event is a push to a "sign/*" branch (either by a maintainer or a workflow).
Online signing happens in two situations:
- A signing event PR has been merged
- An online signature is close to expiry
In practice online signing happens at least every three days because of online signature expiry.
Online signing leads to a "testing" staging deployment at https://sigstore.github.io/root-signing-staging/. This is a fully functional TUF repository that is then used to run both generic TUF client tests and Sigstore-specific client tests (with cosign and other Sigstore clients). Successful tests lead to a "final" staging deployment at https://tuf-repo-cdn.sigstage.dev/.
The important workflows in root-signing-staging are:
- create-signing-events: creates branches for signing events when signatures are close to expiry. Runs on schedule.
- signing-event: creates and manages the signing event pull requests. Runs when "sign/*" branches are pushed to.
- online-sign: commits and merges online signatures, also dispatches publish. Runs when "main" is pushed to (but can be manually dispatched at any time).
- publish: publishes a test repository to GitHub Pages, runs client tests, and finally publishes the repository. Runs on dispatch from online-sign.
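The expiry rules above split the repository's roles into two renewal paths: roles signed with hardware keys get a signing event, roles signed with KMS keys get online signing. The following added example (not code from root-signing-staging or tuf-on-ci) shows that triage over constructed TUF metadata; the role split, the 30-day and 3-day windows and the sample expiry dates are assumptions for illustration.

```python
"""Expiry triage for TUF role metadata, modelled on the root-signing-staging
split between signing events (offline roles) and online signing (online roles).
All metadata below is constructed sample data, not the live staging repository."""
from datetime import datetime, timedelta, timezone

# Hypothetical role split: offline roles need a signing event (hardware keys),
# online roles are renewed by online signing (KMS keys).
OFFLINE_ROLES = {"root", "targets"}
ONLINE_ROLES = {"snapshot", "timestamp"}

# Constructed sample metadata, trimmed to the fields this check needs.
SAMPLE_METADATA = {
    "root": {"signed": {"_type": "root", "expires": "2024-09-01T00:00:00Z"}},
    "targets": {"signed": {"_type": "targets", "expires": "2024-06-10T00:00:00Z"}},
    "snapshot": {"signed": {"_type": "snapshot", "expires": "2024-06-05T00:00:00Z"}},
    "timestamp": {"signed": {"_type": "timestamp", "expires": "2024-06-03T12:00:00Z"}},
}


def parse_expires(value):
    # TUF "expires" is an ISO 8601 UTC timestamp with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(metadata, now, offline_window=timedelta(days=30),
           online_window=timedelta(days=3)):
    """Return {role: action} for roles whose expiry falls inside their window.

    action is "signing-event" (PR signed with hardware keys) or "online-sign"
    (KMS signature); an already expired role is reported as "expired" so that a
    missed renewal is never silently dropped. Roles outside their window are omitted.
    """
    actions = {}
    for role, md in metadata.items():
        expires = parse_expires(md["signed"]["expires"])
        if expires <= now:
            actions[role] = "expired"
            continue
        window = online_window if role in ONLINE_ROLES else offline_window
        if expires - now <= window:
            actions[role] = "online-sign" if role in ONLINE_ROLES else "signing-event"
    return actions


def triage_at(metadata, now_iso):
    """Convenience wrapper taking the current time as a TUF-style timestamp."""
    return triage(metadata, parse_expires(now_iso))


if __name__ == "__main__":
    for role, action in sorted(triage_at(SAMPLE_METADATA, "2024-06-02T00:00:00Z").items()):
        print(f"{role}: {action}")
```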
- Feel free to file an issue on this project
- tuf-on-ci issue tracking may be most useful for software issues; the tuf-on-ci channel on CNCF Slack works too