Description
Currently we ship GitHub's TSA as part of trusted_root.json
This was made in an effort to support the community and possibly the npm work with a TSA, but it's not used outside of GitHub to my knowledge.
The certificate for GitHub's TSA has now been rotated, and the rotation frequency is currently every 6 months (yes, this is frequent!). This will pose a challenge for sigstore root signing to keep up.
I'm wondering whether we should remove the TSA from trusted_root.json?

cc @trevrosen @bobcallaway @haydentherapper
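As an added example (not part of this issue and not sigstore's own tooling), the script below lists the timestampAuthorities entries of a trusted_root.json together with their validFor windows, flags entries that are expired or about to expire (which is how a 6-month TSA rotation shows up in the file), and produces a copy with a given TSA removed, which is the change proposed above. The field names follow the sigstore protobuf-specs TrustedRoot JSON layout; the sample document, its organizations, URIs, dates and rawBytes are constructed placeholders, not GitHub's real TSA data.

```python
"""Inspect and edit the timestampAuthorities section of a Sigstore trusted_root.json.

Added example, not sigstore's code. Field names follow the protobuf-specs
TrustedRoot JSON layout; the sample document below is constructed and its
URIs, dates and rawBytes are placeholders, not real certificates.
"""
import copy
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like trusted_root.json (all values are placeholders).
SAMPLE_TRUSTED_ROOT = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
    "tlogs": [],
    "certificateAuthorities": [],
    "ctlogs": [],
    "timestampAuthorities": [
        {
            "subject": {"organization": "Example TSA A", "commonName": "TSA A Root"},
            "uri": "https://tsa-a.example.invalid/api/v1/timestamp",
            "certChain": {"certificates": [{"rawBytes": "AAAAPLACEHOLDER"}]},
            "validFor": {"start": "2024-04-01T00:00:00Z", "end": "2024-10-01T00:00:00Z"},
        },
        {
            "subject": {"organization": "Example TSA B", "commonName": "TSA B Root"},
            "uri": "https://tsa-b.example.invalid/api/v1/timestamp",
            "certChain": {"certificates": [{"rawBytes": "AAAAPLACEHOLDER"}]},
            "validFor": {"start": "2024-01-01T00:00:00Z", "end": "2034-01-01T00:00:00Z"},
        },
    ],
})

# Fixed clock so the report is reproducible (assumption for the example).
REFERENCE_NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)


def sample_root() -> dict:
    """Load the constructed sample as a dict, as json.load would for a real file."""
    return json.loads(SAMPLE_TRUSTED_ROOT)


def parse_rfc3339(value: str) -> datetime:
    """Parse the RFC 3339 timestamps used in validFor (a trailing Z means UTC)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def tsa_status(trusted_root: dict, now: datetime, warn_days: int = 60) -> list:
    """Classify every timestampAuthorities entry against `now`.

    Returns one dict per TSA with its uri, organization, validity window
    length in days, days remaining, and a state of not_yet_valid / valid /
    expiring / expired. A window of roughly 180 days is what a 6-month
    rotation looks like: root signing has to re-ship the entry that often.
    """
    report = []
    for tsa in trusted_root.get("timestampAuthorities", []):
        start = parse_rfc3339(tsa["validFor"]["start"])
        end = parse_rfc3339(tsa["validFor"]["end"])
        if now < start:
            state = "not_yet_valid"
        elif now >= end:
            state = "expired"
        elif end - now <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "valid"
        report.append({
            "uri": tsa.get("uri"),
            "organization": tsa.get("subject", {}).get("organization"),
            "window_days": (end - start).days,
            "days_left": (end - now).days,
            "state": state,
        })
    return report


def remove_tsa(trusted_root: dict, uri: str) -> dict:
    """Return a copy of the trusted root with the TSA at `uri` dropped.

    Only timestampAuthorities changes; tlogs, CAs and ctlogs are carried over
    untouched. Raises KeyError if nothing matches, so a mistyped URI cannot
    silently yield an unchanged file.
    """
    updated = copy.deepcopy(trusted_root)
    before = updated.get("timestampAuthorities", [])
    after = [t for t in before if t.get("uri") != uri]
    if len(after) == len(before):
        raise KeyError(f"no timestamp authority with uri {uri!r}")
    updated["timestampAuthorities"] = after
    return updated


if __name__ == "__main__":
    root = sample_root()
    for row in tsa_status(root, REFERENCE_NOW):
        print(f"{row['state']:<13} {row['days_left']:>5}d left "
              f"{row['window_days']:>5}d window  {row['uri']}")
    trimmed = remove_tsa(root, "https://tsa-a.example.invalid/api/v1/timestamp")
    print(json.dumps(trimmed["timestampAuthorities"], indent=2))
```

Run it against a real file by replacing sample_root() with json.load(open("trusted_root.json")) and REFERENCE_NOW with datetime.now(timezone.utc); an "expiring" row for a TSA with a ~180-day window is the signal that the next root-signing event has to carry a new certificate chain.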