This directory contains the programs needed to generate and verify SigStore root keys and create signed TUF metadata.

Ceremony Overview

At the end of the ceremony, new repository metadata will be written to a ceremony/YYYY-MM-DD/repository directory.

The ceremony will be completed in four rounds:

• Round 1: Add Key
• Round 2: Sign Root & Targets
• Round 3: Sign Snapshot
• Round 4: Sign Timestamp

There will be an interim step 1.5 to initialize the TUF metadata and a final step 5 to publish it.

Ceremony Instructions

Before starting the root key ceremony, the community should:

• Designate the 5 root keyholders
• Elect one participant (not necessarily a keyholder) as the conductor
• Identify the targets to sign and update the targets/ directory (these may include Fulcio's CA certificate, the rekor transparency log key, the CTFE key, and SigStore's artifact signing key)
• Identify the online keys for snapshot and timestamp roles. The key references should be updated in scripts/step-1.5.sh.

If you are a keyholder or ceremony conductor, follow instructions KEYHOLDER.md.

If you are a verifier, follow instructions at VERIFIER.md.

Acknowledgements

Special thanks to Dan Lorenc, Trishank Kuppusamy, Marina Moore, Santiago Torres-Arias, and the whole SigStore community!