sigstore / root-signing

TUF repository for Sigstore trust root
Apache License 2.0

Enable easier embedded root version updates for client codebases #817

Open jku opened 1 year ago

jku commented 1 year ago

Description

Clients embed a version of root metadata as the initial source of trust into their client apps and typically into their source code repos. They should also update that version sometimes, and it seems this is not always happening (see https://github.com/sigstore/sigstore/issues/1138).

The benefits of updating the embedded root are:

There is a downside too:

Possible ideas to fix

To make updates easy and to minimize the mentioned downside, sigstore root-signing could probably make things easier for client projects. Some potential ideas:

cc @joshuagl

joshuagl commented 1 year ago

I like the idea of having an action client implementers can choose to use. I think we should do that and make noise in the Sigstore client meeting so that folks are aware.

We should create a short Markdown doc in the repo here that the issue and the meeting can link to in order to understand why updating trusted root metadata to newer versions is useful as well as how to do the update securely.

jku commented 1 year ago

... create a reusable GH workflow that files an issue in the client github repo if the embedded root is not up-to-date

Thinking this through: We probably don't want to file the issue immediately when root-signing git changes: instead the trigger should be the published metadata changing (and even then preferably a couple of weeks after that time). So the workflow process would be

TODO: what do we suggest as the easiest way for client maintainers to fetch and store the new root? Running their own client and using the root file from their own local cache?
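As an added illustration of the staleness check in the workflow sketched above, combined with the "update securely" point from the earlier comment (example code written here, not root-signing's own code nor the commenters'): the root.json samples are constructed, the function names are assumptions, and it takes as given that a TUF client has already fetched and signature-verified the published root before this check runs.

```python
import json
from datetime import date, timedelta

# Constructed sample metadata, not real Sigstore root.json: the root a client
# embeds (version 5) and the root currently published by root-signing (version 6),
# reduced to the fields this check reads. "sig" values are placeholders.
EMBEDDED_ROOT = json.dumps({
    "signatures": [{"keyid": "kA", "sig": "<sig>"}, {"keyid": "kB", "sig": "<sig>"}],
    "signed": {"_type": "root", "version": 5,
               "roles": {"root": {"keyids": ["kA", "kB", "kC"], "threshold": 2}}},
})
PUBLISHED_ROOT = json.dumps({
    "signatures": [{"keyid": "kA", "sig": "<sig>"}, {"keyid": "kC", "sig": "<sig>"}],
    "signed": {"_type": "root", "version": 6,
               "roles": {"root": {"keyids": ["kA", "kC", "kD"], "threshold": 2}}},
})

def root_version(root_json: str) -> int:
    """Version of a TUF root.json (signed.version)."""
    return json.loads(root_json)["signed"]["version"]

def successor_signed_by_trusted_keys(old_json: str, new_json: str) -> bool:
    """Structural root-rotation rule from the TUF spec: a new root is a valid
    successor only if at least `threshold` of the root keyids the OLD root trusts
    appear among its signatures. Signature bytes are not verified here; the TUF
    client that fetched the new root already did that, and when the client is
    several versions behind it walks every intermediate root the same way."""
    old_role = json.loads(old_json)["signed"]["roles"]["root"]
    signing_keyids = {s["keyid"] for s in json.loads(new_json)["signatures"]}
    return len(set(old_role["keyids"]) & signing_keyids) >= old_role["threshold"]

def should_file_issue(embedded_json: str, published_json: str,
                      published_on: str, today: str, grace_days: int = 14) -> bool:
    """Decide whether the reusable workflow should open an issue in the client
    repo: the embedded root is behind the published one, the published root is a
    valid successor of it, and it has been out for at least `grace_days` (the
    'couple of weeks' grace period). Dates are ISO strings (YYYY-MM-DD)."""
    if root_version(published_json) <= root_version(embedded_json):
        return False  # already current (or ahead): nothing to do
    if not successor_signed_by_trusted_keys(embedded_json, published_json):
        return False  # not a trustworthy successor; never nudge toward it
    age = date.fromisoformat(today) - date.fromisoformat(published_on)
    return age >= timedelta(days=grace_days)
```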