The root-signing project maintains the TUF repository used to securely deliver the Sigstore trust root (trusted_root.json) to Sigstore clients.
Note: root-signing is currently undergoing a migration to new maintenance tooling; see sigstore#929. Sigstore client operation should not be disrupted, but the information in this README may be momentarily out of date.
The current published repository metadata lives in the repository subfolder of this GitHub repository. In this repository, you will find the top-level TUF metadata files, delegations, and target files.
- root.json: This is the current root.json. It is signed by at least 3 out of the 5 current root keyholders. The top-level signing keys endorsed by the root are:
Role | TUF Key ID(s) | Description |
---|---|---|
Root | See below | The offline keyholders. |
Targets | See below | The offline keyholders, the same as the root keyholders to minimize the number of offline keysets. |
Snapshot | fc61191ba8a516fe386c7d6c97d918e1d241e1589729add09b122725b8c32451 | A GCP KMS snapshotting key located at projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/snapshot |
Timestamp | b6710623a30c010738e64c5209d367df1c0a18cf90e6ab5292fb01680f83453d | A GCP KMS timestamping key located at projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp |
- targets.json: This is the list of trusted targets.json endorsed by the offline keyholders. It includes:
Target | Description |
---|---|
fulcio_v1.crt.pem | This is the Fulcio root certificate used to issue short-lived code signing certs. It is hosted at https://fulcio.sigstore.dev. You can curl the running root CA chain to ensure the first PEM-encoded certificate matches the TUF root using curl -v https://fulcio.sigstore.dev/api/v1/rootCert |
fulcio_intermediate_v1.crt.pem | This is the Fulcio intermediate certificate used to issue short-lived code signing certs. It is hosted at https://fulcio.sigstore.dev. You can curl the running CA chain to ensure the second PEM-encoded certificate matches the TUF root using curl -v https://fulcio.sigstore.dev/api/v1/rootCert |
fulcio.crt.pem | This is the Fulcio root certificate used with an older instance of Fulcio. We maintain this target to verify old certificates, but it is no longer used to sign newly issued certificates. |
rekor.pub | This is the Rekor public key used to sign entries and the tree head of the transparency log. You can retrieve the public key to ensure it matches with curl -H 'Content-Type: application/x-pem-file' https://rekor.sigstore.dev/api/v1/log/publicKey |
rekor.0.pub | This is a dupe of rekor.pub and will be removed in the next root-signing event. |
ctfe.pub | Certificate Transparency log key for the first log shard (ctfe.sigstore.dev/test), which is used for certificates issued by Fulcio and to verify signed certificate timestamps (SCTs) for inclusion into the log. |
ctfe_2022.pub | Certificate Transparency log key for the 2022 log shard (ctfe.sigstore.dev/2022), which is used for certificates issued by Fulcio and to verify signed certificate timestamps (SCTs) for inclusion into the log. |
artifact.pub | Key that signs Sigstore project (Cosign, Rekor, Fulcio) releases. |
- snapshot.json: The snapshot ensures consistency of the metadata files. It has a lifetime of 3 weeks and is re-signed by a GitHub workflow.
- timestamp.json: The timestamp indicates the freshness of the metadata files. It has a lifetime of 1 week and is re-signed by two GitHub workflows 1, 2.
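The comparison suggested in the targets table (served Fulcio chain versus the TUF targets) can be scripted once the curl output and the target files are saved locally. The following is an added example, not code from root-signing: the function names are hypothetical, the chain positions are the ones stated in the table, and the sample certificates are constructed placeholder bytes rather than real X.509 data.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# Position of each target in the served chain, as stated in the table above.
CHAIN_POSITION = {"fulcio_v1.crt.pem": 0, "fulcio_intermediate_v1.crt.pem": 1}

def pem_to_der(pem_text):
    """Decode every CERTIFICATE block in pem_text to DER bytes, in order."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_CERT.findall(pem_text)]

def check_chain(chain_pem, targets):
    """Compare the served chain with TUF targets ({target name: PEM text}).

    Returns {target name: (matches, sha256 of the TUF target's DER)}.
    Comparing DER avoids false mismatches from line endings or wrapping.
    """
    chain = pem_to_der(chain_pem)
    results = {}
    for name, pem in targets.items():
        certs = pem_to_der(pem)
        if len(certs) != 1:
            raise ValueError(f"{name}: expected exactly one certificate")
        pos = CHAIN_POSITION[name]
        served = chain[pos] if pos < len(chain) else None
        results[name] = (served == certs[0], hashlib.sha256(certs[0]).hexdigest())
    return results

def make_pem(der):
    """Wrap bytes in PEM armor (used only to build the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample: placeholder bytes stand in for real certificates.
ROOT, INTERMEDIATE = b"constructed root" * 8, b"constructed intermediate" * 8
SAMPLE_TARGETS = {"fulcio_v1.crt.pem": make_pem(ROOT),
                  "fulcio_intermediate_v1.crt.pem": make_pem(INTERMEDIATE)}
# The same certificates as a server might return them, with CRLF line endings.
SAMPLE_CHAIN = (make_pem(ROOT) + make_pem(INTERMEDIATE)).replace("\n", "\r\n")

if __name__ == "__main__":
    for name, (ok, digest) in check_chain(SAMPLE_CHAIN, SAMPLE_TARGETS).items():
        print(f"{name}: {'match' if ok else 'MISMATCH'} sha256={digest}")
```

A mismatch or a chain shorter than expected is reported as a failed match for that target rather than raised, so a monitoring job can alert on it.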
There is a separate root-signing-staging repository: any non-trivial changes should be tested in root-signing-staging before introducing them in root-signing.
The current root is published on a GCS bucket located at https://storage.googleapis.com/sigstore-tuf-root, and is addressable via CDN at https://tuf-repo-cdn.sigstore.dev.
The pre-production root is published on a GCS bucket located at https://storage.googleapis.com/sigstore-preprod-tuf-root, and is addressable via CDN at https://tuf-preprod-repo-cdn.sigstore.dev.
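Metadata downloaded from either location can be audited against the properties this README states: a 3-of-5 root quorum, a 1-week timestamp lifetime and a 3-week snapshot lifetime. The following is an added example, not code from root-signing. It checks structure and dates only and does not verify signatures cryptographically (a TUF client does that). It assumes the TUF specification's field names and `expires` format; the function names are hypothetical and the sample metadata is constructed.

```python
from datetime import datetime, timedelta, timezone

# Lifetimes and quorum as stated in this README.
LIFETIME = {"snapshot": timedelta(weeks=3), "timestamp": timedelta(weeks=1)}
ROOT_THRESHOLD, ROOT_KEYS = 3, 5

def expiry(meta):
    """Parse the TUF 'expires' field (UTC, e.g. 2024-01-08T00:00:00Z)."""
    stamp = datetime.strptime(meta["signed"]["expires"], "%Y-%m-%dT%H:%M:%SZ")
    return stamp.replace(tzinfo=timezone.utc)

def audit_root(root):
    """Return policy findings for root.json; signatures are NOT verified here."""
    role = root["signed"]["roles"]["root"]
    authorized = set(role["keyids"])
    # Count each authorized key once; skip empty placeholder signatures.
    signers = {s["keyid"] for s in root["signatures"] if s.get("sig")} & authorized
    findings = []
    if role["threshold"] != ROOT_THRESHOLD or len(authorized) != ROOT_KEYS:
        findings.append(f"root role is {role['threshold']}-of-{len(authorized)}")
    if len(signers) < role["threshold"]:
        findings.append(f"only {len(signers)} authorized signers present")
    return findings

def audit_freshness(meta, now):
    """Flag snapshot/timestamp metadata that is expired or outlives its lifetime."""
    role, remaining = meta["signed"]["_type"], expiry(meta) - now
    if remaining <= timedelta(0):
        return [f"{role} expired {-remaining} ago"]
    if remaining > LIFETIME[role]:
        return [f"{role} valid for {remaining}, longer than {LIFETIME[role]}"]
    return []

# Constructed sample metadata: key IDs and signatures are placeholders.
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
SAMPLE_ROOT = {
    "signed": {"_type": "root", "expires": "2024-06-01T00:00:00Z", "roles": {
        "root": {"keyids": ["k1", "k2", "k3", "k4", "k5"], "threshold": 3}}},
    "signatures": [{"keyid": "k1", "sig": "aa"}, {"keyid": "k1", "sig": "aa"},
                   {"keyid": "k2", "sig": "bb"}, {"keyid": "k3", "sig": ""},
                   {"keyid": "zz", "sig": "cc"}]}
SAMPLE_TIMESTAMP = {"signed": {"_type": "timestamp",
                               "expires": "2024-01-08T00:00:00Z"}, "signatures": []}

if __name__ == "__main__":
    print(audit_root(SAMPLE_ROOT))
    print(audit_freshness(SAMPLE_TIMESTAMP, NOW))
```

The sample root carries a duplicated key ID, an empty signature and a signature from a key the root role does not list, so only two signers count toward the threshold.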
Keyholder | TUF Key ID | Yubikey Material | Term |
---|---|---|---|
Joshua Lock | fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f (v9+) 2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de (v5-8) 75e867ab10e121fdef32094af634707f43ddd79c6bab8ad6c5ab9f03f4ea8c90 (deprecated) | 18158855 | July 2022 - |
Bob Callaway | e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523 (v9+) 7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b (v5-8) f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209 (deprecated) | 15938791 | June 2021 - |
Dan Lorenc | 3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e (v9+) ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c (v5-8) 2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97 (deprecated) | 13078778 | June 2021 - |
Marina Moore | ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e (v9+) 25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99 (v5-8) eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b (deprecated) | 14470876 | June 2021 - |
Santiago Torres-Arias | 1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849 (v9+) f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f (v5-8) f40f32044071a9365505da3d1e3be6561f6f22d0e60cf51df783999f6c3429cb (deprecated) | 15938765 | June 2021 - |
Keyholder | TUF Key ID | Yubikey Material | Term |
---|---|---|---|
Luke Hinds | bdde902f5ec668179ff5ca0dabf7657109287d690bf97e230c21d65f99155c62 | 14454335 | June 2021 - July 2022 |
Ceremonies are currently staged in ceremony/YYYY-MM-DD according to the date the ceremony was initiated. Ceremonies that resulted in invalid metadata (for whatever reason) and are incomplete are moved into the ceremony/defunct directory.
At the end of the ceremony, new repository metadata will be written to a ceremony/YYYY-MM-DD/repository directory.
The ceremony will be completed in five rounds:
- Round 1: Add Key
- Round 1.5: Initialize TUF metadata
- Round 2: Sign Root & Targets
- Round 3: Sign Snapshot & Timestamp
- Round 4: Publish final repository.
Before starting the root key ceremony, the community should:
- Designate the 5 root keyholders
- Elect one participant (not necessarily a keyholder) as the conductor
- Identify the targets to sign and update the targets/ directory (these may include Fulcio's CA certificate, the rekor transparency log key, the CTFE key, and SigStore's artifact signing key)
- Identify the online keys for snapshot and timestamp roles. The key references should be updated in scripts/step-1.5.sh.
If you are a keyholder, follow instructions on the landing page KEYHOLDER.md.
If you are an orchestrator, follow instructions on ORCHESTRATION.md.
If you are a verifier, follow instructions at VERIFIER.md.
Special thanks to Dan Lorenc, Trishank Kuppusamy, Marina Moore, Santiago Torres-Arias, and the whole SigStore community!
A recording of the signing ceremony is available here.