The TUF mirror in this scaffolding stack does not serve a trusted_root.json, which is needed by sigstore-go to verify artifacts signed using a private sigstore deployment. Add documentation so that users can create this themselves using available community tooling. This may eventually be turned into part of the GitHub action so that clients can use the action for integration testing.
I couldn't find an official way of generating this file that felt safe to include as part of the createsecret service, but I still wanted to write this down so others don't fall down the same rabbit hole wondering why a client needs this apparently missing file. I used this to generate the trusted material for this PR because I needed to test the changes with a custom OIDC provider.
Summary
Release Note
Documentation