sigstore / root-signing

TUF repository for Sigstore trust root
Apache License 2.0

sign-root-targets for joshuagl #1155

Closed joshuagl closed 6 months ago

joshuagl commented 6 months ago

Signing v9 production root & targets:

$ export GITHUB_USER=<your-user>
$ ./scripts/step-0.sh
$ go mod tidy
$ rm tuf
$ make tuf
$ BRANCH=ceremony/2024-03-12 ./scripts/step-2.sh

kommendorkapten commented 6 months ago

$ ./scripts/verify.sh 1155
...
STAGED METADATA

Outputting metadata verification at /Users/kommendorkapten/git/root-signing/repository...

Verifying registry.npmjs.org.json...
    Success! Signatures valid and threshold achieved
    registry.npmjs.org version 3, expires 2024/09/12

Verifying root.json...
    Contains 1/3 valid signatures from the current staged metadata
    Contains 1/3 valid signatures from the previous root
    root version 9, expires 2024/09/12

Verifying targets.json...
    Contains 1/3 valid signatures from the current staged metadata
    targets version 9, expires 2024/09/12