Sigstore uses a TUF repository to securely deliver the Sigstore trust root (trusted_root.json) to Sigstore clients, see root-signing. This project maintains a staging version of the root-signing TUF repository using tuf-on-ci: this is a development and testing resource and should never be used as an actual source of truth by Sigstore clients.
While the plan is to eventually maintain root-signing with the same processes as root-signing-staging, this is not currently the case.
More detail:
- infrastructure doc goes into detail about the required services and configuration.
- signer manual documents the process and requirements from the signer's perspective.
Current signers and next known signing events are documented in the automatically generated repository description: https://tuf-repo-cdn.sigstage.dev/.
The TUF repository is modified in two ways:
- signing events where human signers collaborate to sign changes with hardware keys and
- online signing where the root-signing-staging machinery signs changes using KMS keys
Signing events are pull requests created and managed by root-signing-staging. They may happen for multiple reasons:
- Maintainer proposes a change to trusted_root.json
- Maintainer proposes a change to repository configuration (signer list, signature thresholds, etc)
- root-signing-staging proposes resigning when signatures are close to expiry
In all cases the trigger for creating a signing event is a push to a "sign/*" branch (either by a maintainer or by a workflow).
Online signing happens in two situations:
- A signing event PR has been merged
- An online signature is close to expiry
In practice online signing happens at least every three days because of online signature expiry.
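The expiry-driven triggers above (a signing-event branch for hardware-key roles, online signing for KMS-signed roles) can be illustrated with a small expiry check over TUF metadata. This is an added example, not code from root-signing-staging or tuf-on-ci; it assumes timestamp and snapshot are the online roles and uses constructed sample metadata.

```python
import json
from datetime import datetime, timezone

# Assumption: these roles are signed online with KMS keys; the remaining roles
# (root, targets) are signed by humans with hardware keys in a signing event.
ONLINE_ROLES = {"timestamp", "snapshot"}

# Constructed sample "signed" sections of TUF metadata (not real staging data).
SAMPLE_METADATA = json.loads("""{
  "root":      {"_type": "root",      "version": 7,  "expires": "2025-06-01T00:00:00Z"},
  "targets":   {"_type": "targets",   "version": 12, "expires": "2025-02-24T00:00:00Z"},
  "snapshot":  {"_type": "snapshot",  "version": 40, "expires": "2025-02-21T12:00:00Z"},
  "timestamp": {"_type": "timestamp", "version": 98, "expires": "2025-02-19T00:00:00Z"}
}""")


def parse_expires(value: str) -> datetime:
    """TUF 'expires' is an ISO 8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def plan_signing(metadata: dict, now: datetime, warn_days: float) -> dict:
    """Return {role: action} for every role that is expired or expires within
    warn_days. The action is 'online-sign' for online roles and 'signing-event'
    for roles that need human signers, mirroring the two trigger paths above."""
    plan = {}
    for role, signed in metadata.items():
        # Sanity check: the metadata type must match the role it is filed under.
        if signed.get("_type") != role:
            raise ValueError(f"metadata for {role!r} has _type {signed.get('_type')!r}")
        days_left = (parse_expires(signed["expires"]) - now).total_seconds() / 86400
        if days_left <= warn_days:
            plan[role] = "online-sign" if role in ONLINE_ROLES else "signing-event"
    return plan


if __name__ == "__main__":
    now = datetime(2025, 2, 20, tzinfo=timezone.utc)
    for role, action in sorted(plan_signing(SAMPLE_METADATA, now, 7).items()):
        print(f"{role}: {action}")
```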
Online signing leads to a "testing" staging deployment at https://sigstore.github.io/root-signing-staging/. This is a fully functional TUF repository that is then used to run both generic TUF client tests and Sigstore-specific client tests (with cosign and other Sigstore clients). Successful tests lead to a "final" staging deployment at https://tuf-repo-cdn.sigstage.dev/.
The important workflows in root-signing-staging are:
- create-signing-events: creates branches for signing events when signatures are close to expiry. Runs on schedule.
- signing-event: creates and manages the signing event pull requests. Runs when "sign/*" branches are pushed to.
- online-sign: commits and merges online signatures, and also dispatches publish. Runs when "main" is pushed to (but can be manually dispatched at any time).
- publish: publishes a test repository to GitHub Pages, runs client tests, and finally publishes the repository. Runs on dispatch from online-sign.
- Feel free to file an issue on this project
- tuf-on-ci issue tracking may be most useful for software issues, tuf-on-ci slack channel on CNCF slack works too