Sigstore uses a TUF repository to securely deliver the Sigstore trust root (trusted_root.json) to Sigstore clients, see root-signing. This project maintains a staging version of the root-signing TUF repository using tuf-on-ci: this is a development and testing resource and should never be used as an actual source of truth by Sigstore clients.
While the plan is to eventually maintain root-signing with the same processes as root-signing-staging, this is not currently the case.
More detail:
- infrastructure doc goes into detail about the required services and configuration.
- signer manual documents the process and requirements from signers perspective
root-signing-staging publishes the TUF repository at https://tuf-repo-cdn.sigstage.dev/
(see e.g. current timestamp metadata).
The TUF repository is modified in two ways:
- signing events where human signers collaborate to sign changes with hardware keys and
- online signing where the root-signing-staging machinery signs changes using KMS keys
Signing events are pull requests created and managed by root-signing-staging. They may happen for multiple reasons:
- Maintainer proposes a change to trusted_root.json
- Maintainer proposes a change to repository configuration (signer list, signature thresholds, etc)
- root-signing-staging proposes resigning when signatures are close to expiry
In all cases the trigger to creating a signing event is a push to a "sign/*" branch (either by maintainer or a workflow) .
Online signing happens in two situations:
- A signing event PR has been merged
- A online signature is close to expiry
In practice online signing happens at least every three days because of online signature expiry.
The important workflows in root-signing-staging are:
create-signing-eventscreates branches for signing events when signatures are close to expiry. Runs on schedulesigning-eventcreates and manages the signing event pull requests. Runs when "sign/*" branches are pushed toonline-signcommits and merges online signatures, also dispatchespublish. Runs on when "main" is pushed to (but can be manually dispatched at any time)publishpublishes a test repository to GitHub Pages, runs client tests, and finally publishes the repository. Runs on dispatch fromonline-sign
- Feel free to file an issue on this project
- tuf-on-ci issue tracking may be most useful for software issues, tuf-on-ci slack channel on CNCF slack works too