sigstore / root-signing

TUF repository for Sigstore trust root
Apache License 2.0

What to do with the GitHub TSA in `trusted_root.json` #1268

Open kommendorkapten opened 2 weeks ago

kommendorkapten commented 2 weeks ago

Description

Currently we ship GitHub's TSA as part of trusted_root.json

This was made in an effort to support the community and possibly the npm work with a TSA, but it's not used outside of GitHub to my knowledge.

The certificate for GitHub's TSA has now been rotated, and the rotation frequency is currently every 6 months (yes, this is frequent!). This will pose a challenge for sigstore root signing to keep up.

I'm wondering whether we should remove the TSA from trusted_root.json?

cc @trevrosen @bobcallaway @haydentherapper
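A check I'd want to run before deciding, as an added example (not code from this repository): it walks the `timestampAuthorities` of a `trusted_root.json` and classifies each `validFor` window against a given date, so an entry that the 6-month rotation is about to invalidate shows up before verification breaks. The JSON field names are assumed from the Sigstore protobuf-specs `TrustedRoot` encoding; the sample document and its TSA entries are constructed.

```python
import json
from datetime import datetime, timedelta

def _entry(name, start, end=None):
    # One timestampAuthorities element; rawBytes would hold base64 DER certs.
    window = {"start": start} if end is None else {"start": start, "end": end}
    return {"subject": {"organization": "Example", "commonName": name},
            "uri": f"https://tsa.example.invalid/{name}",
            "certChain": {"certificates": [{"rawBytes": "PLACEHOLDER_DER"}]},
            "validFor": window}

# Constructed sample in the shape of trusted_root.json (TrustedRoot from
# sigstore/protobuf-specs, JSON encoding); field names assumed, values made up.
SAMPLE_TRUSTED_ROOT = json.dumps({"timestampAuthorities": [
    _entry("tsa-old", "2024-01-01T00:00:00.000Z", "2024-07-01T00:00:00.000Z"),
    _entry("tsa-current", "2024-07-01T00:00:00.000Z", "2025-01-01T00:00:00.000Z"),
    _entry("tsa-open", "2024-07-01T00:00:00.000Z"),
]})

def _parse_ts(value):
    # RFC 3339 with trailing 'Z'; fromisoformat() before Python 3.11 rejects 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def tsa_status(trusted_root_json, now, warn_days=60):
    """Classify each TSA's validFor window relative to `now` (aware datetime
    or RFC 3339 string). Returns [(commonName, status)], status in
    future/expired/expiring/active; a missing validFor.end counts as active."""
    now = _parse_ts(now) if isinstance(now, str) else now
    root = json.loads(trusted_root_json)
    horizon = now + timedelta(days=warn_days)
    result = []
    for tsa in root.get("timestampAuthorities", []):
        name = tsa.get("subject", {}).get("commonName") or tsa.get("uri", "?")
        window = tsa.get("validFor", {})
        start = _parse_ts(window["start"]) if "start" in window else None
        end = _parse_ts(window["end"]) if "end" in window else None
        if start is not None and now < start:
            status = "future"          # not yet usable for verification
        elif end is not None and end <= now:
            status = "expired"         # rotated out; only old timestamps verify
        elif end is not None and end <= horizon:
            status = "expiring"        # root-signing needs a new entry soon
        else:
            status = "active"
        result.append((name, status))
    return result
```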

haydentherapper commented 2 weeks ago

I’m unaware of anyone using it as well. SGTM