Sigstore uses a TUF repository to securely deliver the Sigstore trust root (trustedroot.json) to Sigstore clients; see root-signing. This project maintains a staging version of the root-signing TUF repository using tuf-on-ci. It is a development and testing resource and should never be used as an actual source of truth by Sigstore clients.
While the plan is to eventually maintain root-signing with the same processes as root-signing-staging, this is not currently the case.
More detail:
Current signers and next known signing events are documented in the automatically generated repository description: https://tuf-repo-cdn.sigstage.dev/.
The TUF repository is modified in two ways:
Signing events are pull requests created and managed by root-signing-staging. They may happen for multiple reasons:
In all cases the trigger for creating a signing event is a push to a "sign/*" branch (either by a maintainer or by a workflow).
Online signing happens in two situations:
In practice online signing happens at least every three days because of online signature expiry.
Online signing leads to a "testing" staging deployment at https://sigstore.github.io/root-signing-staging/. This is a fully functional TUF repository that is then used to run both generic TUF client tests and Sigstore-specific client tests (with cosign and other Sigstore clients). Successful tests lead to a "final" staging deployment at https://tuf-repo-cdn.sigstage.dev/.
The important workflows in root-signing-staging are:
- create-signing-events: creates branches for signing events when signatures are close to expiry. Runs on schedule.
- signing-event: creates and manages the signing event pull requests. Runs when "sign/*" branches are pushed to.
- online-sign: commits and merges online signatures, and also dispatches publish. Runs when "main" is pushed to (but can be manually dispatched at any time).
- publish: publishes a test repository to GitHub Pages, runs client tests, and finally publishes the repository. Runs on dispatch from online-sign.
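The two expiry-driven triggers above (online signing at least every three days, and create-signing-events opening a signing event when offline signatures approach expiry) come down to one check over the `expires` field of each TUF metadata file. The following is an added illustration, not code from root-signing-staging or tuf-on-ci: it uses constructed metadata, assumes snapshot and timestamp are the online-signed roles and root and targets the offline ones, and uses made-up lead-time windows.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed role split for this example: online keys sign snapshot/timestamp,
# maintainers sign root/targets in signing events.
ONLINE_ROLES = {"timestamp", "snapshot"}
OFFLINE_ROLES = {"root", "targets"}

# Constructed sample metadata, reduced to the fields this check reads.
SAMPLE_METADATA = {
    "root.json": json.dumps({"signed": {"_type": "root", "version": 7,
                                         "expires": "2025-03-01T00:00:00Z"}}),
    "targets.json": json.dumps({"signed": {"_type": "targets", "version": 12,
                                            "expires": "2025-01-20T00:00:00Z"}}),
    "snapshot.json": json.dumps({"signed": {"_type": "snapshot", "version": 40,
                                             "expires": "2025-01-05T12:00:00Z"}}),
    "timestamp.json": json.dumps({"signed": {"_type": "timestamp", "version": 120,
                                              "expires": "2025-01-04T06:00:00Z"}}),
}
SAMPLE_NOW = datetime(2025, 1, 3, tzinfo=timezone.utc)  # constructed "current" time


def parse_expiry(raw: str) -> tuple[str, int, datetime]:
    """Return (role, version, expiry) from one TUF metadata document."""
    signed = json.loads(raw)["signed"]
    # TUF writes expiry as ISO 8601 UTC with a trailing 'Z'.
    expires = datetime.strptime(signed["expires"], "%Y-%m-%dT%H:%M:%SZ")
    return signed["_type"], int(signed["version"]), expires.replace(tzinfo=timezone.utc)


def roles_due_for_signing(metadata: dict[str, str], now: datetime,
                          online_window: timedelta, offline_window: timedelta) -> dict[str, list[str]]:
    """Sort roles into: needs online signing, needs a signing event, or already expired."""
    due: dict[str, list[str]] = {"online": [], "signing_event": [], "expired": []}
    for raw in metadata.values():
        role, _version, expires = parse_expiry(raw)
        remaining = expires - now
        if remaining <= timedelta(0):
            due["expired"].append(role)          # clients will already reject this
        elif role in ONLINE_ROLES and remaining <= online_window:
            due["online"].append(role)           # re-sign with the online key
        elif role in OFFLINE_ROLES and remaining <= offline_window:
            due["signing_event"].append(role)    # push a sign/* branch for maintainers
    return due


def example_run() -> dict[str, list[str]]:
    # Assumed windows: online roles re-signed within 3 days of expiry,
    # offline roles given a 30-day lead time for the signing event.
    return roles_due_for_signing(SAMPLE_METADATA, SAMPLE_NOW,
                                 online_window=timedelta(days=3),
                                 offline_window=timedelta(days=30))
```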