Fetch TSA certificates from TUF targets when available #3563
Assignees
Labels
enhancement
New feature or request
Comments
|
@haydentherapper i opened a draft PR for this, didn't write a tsalog_test, but wanted to get this 👀 first. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
The sigstore/sigstore TUF client has been updated to support the "TSA" usage type. We currently require the TSA cert chain to be provided by flag. We can also support reading the cert chain from either an environment or the TUF targets, to be more in line with how Fulcio certs or Rekor keys can be provided on verification. See RekorPubKeys as an example for how to support this. Ideally we can refactor all places where we read in the TSA cert chain via flag into a single function that reads from either a flag, env var, or TUF.
Note that as described in sigstore/scaffolding#1001, the usage type will be deprecated in the near future, but given the simplicity of adding this feature, it's worthwhile to do now.
The text was updated successfully, but these errors were encountered: