Closed patflynn closed 4 weeks ago
Here is a list of follow-on items that I need to do:
Obviously as we add more resource types we need to refactor. The good news is most of the weirdness in the parsing and verification has been tackled so the rest of the resources should be pretty quick. (famous last words).
The question is how the default caching should work.
It would be weird if every signing would require TUF update.
On the other hand, if we claim $HOME/.sigstore-java/caches/tuf, then we would need to plan for concurrent access (e.g. multiple sigstore-java trying to update TUF concurrently).
On the other hand, it might be fun to have cross-ecosystem TUF cache, so the cache folder could be like .sigstore/caches/tuf
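One way the concurrent-access concern above could be handled, as an added sketch that is not sigstore-java's code: an OS-level file lock serialises updaters of the shared cache directory, and metadata is published with a temp-file-plus-rename so readers never see a half-written file. The directory path and `TufCacheUpdate`/`publish` names are assumptions for illustration.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.channels.FileChannel;
import java.nio.channels.FileLock;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.nio.file.StandardOpenOption;

// Hypothetical helper, not sigstore-java code: guards a shared TUF cache
// directory (assumed ~/.sigstore/caches/tuf) against concurrent updaters.
public final class TufCacheUpdate {
    private final Path cacheDir;

    public TufCacheUpdate(Path cacheDir) { this.cacheDir = cacheDir; }

    // Run the update while holding an exclusive lock on <cacheDir>/.lock.
    // A second process blocks in lock() until the first one releases it.
    // Note: FileLock is per-JVM; two threads in the same JVM locking the
    // same file get OverlappingFileLockException, so also synchronise in-process.
    public void withLock(Runnable update) throws IOException {
        Files.createDirectories(cacheDir);
        Path lockFile = cacheDir.resolve(".lock");
        try (FileChannel ch = FileChannel.open(lockFile,
                StandardOpenOption.CREATE, StandardOpenOption.WRITE);
             FileLock lock = ch.lock()) {
            update.run();
        }
    }

    // Write to a temp file in the same directory, then rename atomically so a
    // concurrent reader never observes a partially written root.json.
    public void publish(String name, byte[] verifiedMetadata) throws IOException {
        Path tmp = Files.createTempFile(cacheDir, name, ".tmp");
        Files.write(tmp, verifiedMetadata);
        Files.move(tmp, cacheDir.resolve(name), StandardCopyOption.ATOMIC_MOVE);
    }

    public static void main(String[] args) throws IOException {
        Path dir = Paths.get(System.getProperty("user.home"), ".sigstore", "caches", "tuf");
        TufCacheUpdate cache = new TufCacheUpdate(dir);
        // Constructed placeholder: a real caller writes TUF-verified metadata here.
        byte[] sample = "{\"signed\":{\"_type\":\"root\"}}".getBytes(StandardCharsets.UTF_8);
        cache.withLock(() -> {
            try { cache.publish("root.json", sample); }
            catch (IOException e) { throw new UncheckedIOException(e); }
        });
    }
}
```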
@vlsi take a look at https://docs.google.com/document/d/1QWBvpwYxOy9njAmd8vpizNQpPti9rd5ugVhji0r3T4c/edit for the way the local store is supposed to work. We expect to store the local cache under ~/.sigstore by default and then there's going to probably be a sub-directory per client-spec (map.json), that we would probably create from the client.
done!
Currently we have statically included the Rekor and Fulcio public keys into the library. These keys should be updatable via TUF.