TUF root update blog post #58

Merged
merged 2 commits into from
Mar 17, 2024
34 changes: 34 additions & 0 deletions content/tuf-root-update.md
@@ -0,0 +1,34 @@
+++
title = "Sigstore Announcement: New TUF Trust Root and Client Compatibility"
date = "2024-03-14"
tags = ["sigstore","cosign","tuf"]
draft = false
author = "Sigstore TSC"
type = "post"
+++

## New TUF Trust Root

We are planning to publish a new TUF trust root for Sigstore. This update does not contain any functional changes,
but it does update to the latest version of the TUF specification.
This means that older clients may not be able to load it properly. The current compatibility is as follows:

* Cosign
- **Releases >= v2.2.0** (v2.2.0 released Aug 31st 2023) work. Older Cosign clients (< v2.2.0) will not work
- **v1.x** will not work, though we are backporting support with an upcoming v1.13.3 release. We strongly encourage updating to Cosign v2 for the latest bug and security fixes
* **sigstore-js**: no known issues
* **sigstore-python**: no known issues
* **sigstore-java**: no known issues
* **sigstore-rust**: the TUF client it uses does not support the latest TUF spec. See [this issue](https://github.com/awslabs/tough/issues/754) for more information. We are actively working on fixing this.

The updated TUF trust root will be deployed within the next week.

## Do I need to do anything?

If you're using one of the compatible clients, the update will happen seamlessly when you sign or verify, as new TUF metadata is automatically fetched and verified.

If you're using Cosign v1.x, please update to Cosign v2 or download the upcoming v1.13.3 release. If you're using the Rust client, we'll have a fix out shortly.

## How to reach out?

If you have any concerns, please let us know. You can reach out on Slack on #sigstore-keyholders.
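Review bot: the compatibility section tells readers that pre-v2.2.0 Cosign "will not work" and that older clients "may not be able to load it properly", but nowhere in the hunk does it say what an affected user will actually observe (which command fails, and with what kind of error) or how to confirm which client version they are running, so a reader cannot tell whether a failure they see after the rollout is this change. Suggest adding, under "Do I need to do anything?", a sentence describing the expected failure mode for incompatible clients and a pointer to `cosign version` for checking the installed release against the v2.2.0 threshold. Two smaller points in the same hunk: "The updated TUF trust root will be deployed within the next week." gives no reference point once the post is read later than its `date = "2024-03-14"`, so a concrete target date (or "the week of ...") would age better; and the heading "## How to reach out?" reads more naturally as "## How to reach out" or "## Questions or concerns?".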