This repository has been archived by the owner on Jun 18, 2021. It is now read-only.

sigstore/root-signing-practice


This directory contains the programs needed to generate and verify SigStore root keys and create signed TUF metadata.

Ceremony Overview

At the end of the ceremony, new repository metadata will be written to a ceremony/YYYY-MM-DD/repository directory.

The ceremony will be completed in four rounds:

  • Round 1: Add Key
  • Round 2: Sign Root & Targets
  • Round 3: Sign Snapshot
  • Round 4: Sign Timestamp

There will be an interim step 1.5 to initialize the TUF metadata and a final step 5 to publish it.
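To make the rounds concrete, the following is an added example written for this page, not code from sigstore/root-signing-practice or go-tuf. It models the ceremony end to end with simplified, hypothetical types: Round 1 enrols the keyholders' ed25519 public keys, step 1.5 builds root and targets metadata, Round 2 collects keyholder signatures on both, Rounds 3 and 4 produce snapshot and timestamp, and Verify is what a verifier runs after step 5. It assumes a root/targets threshold supplied by the caller (3 of 5 in the usage), a single online key for snapshot and timestamp (the page does not say who signs those rounds), key IDs derived from a SHA-256 of the public key, and a targets file that maps each path to the SHA-256 of its content.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Simplified, hypothetical TUF types (not go-tuf's). Metadata is a JSON body
// plus detached signatures; Root names every key and each role's threshold;
// Repo maps a role name ("root", "targets", ...) to its metadata file.
type Metadata struct {
	Body json.RawMessage
	Sigs map[string][]byte // key ID -> ed25519 signature over Body
}
type Role struct {
	KeyIDs    []string
	Threshold int
}
type Root struct {
	Keys  map[string][]byte // key ID -> ed25519 public key
	Roles map[string]Role
}
type Repo map[string]Metadata

func sha256hex(b []byte) string           { return fmt.Sprintf("%x", sha256.Sum256(b)) }
func keyID(pub ed25519.PublicKey) string { return sha256hex(pub)[:16] } // assumed key ID scheme

// signedBy serialises a body (json.Marshal sorts map keys, so the bytes are
// canonical) and collects one signature per supplied private key.
func signedBy(body interface{}, keys ...ed25519.PrivateKey) Metadata {
	b, _ := json.Marshal(body)
	m := Metadata{Body: b, Sigs: map[string][]byte{}}
	for _, k := range keys {
		m.Sigs[keyID(k.Public().(ed25519.PublicKey))] = ed25519.Sign(k, b)
	}
	return m
}

// RunCeremony models the rounds: nHolders root keys are enrolled (Round 1),
// root and targets are initialised (1.5) and signed by the first `signers`
// holders (Round 2), then one online key signs snapshot (3) and timestamp (4).
// targets maps a target path to the sha256 hex of its content.
func RunCeremony(nHolders, threshold, signers int, targets map[string]string) (Repo, error) {
	if signers > nHolders || threshold > nHolders || threshold < 1 {
		return nil, fmt.Errorf("signers %d / threshold %d inconsistent with %d keyholders", signers, threshold, nHolders)
	}
	root := Root{Keys: map[string][]byte{}, Roles: map[string]Role{}}
	var holders, ids = []ed25519.PrivateKey{}, []string{}
	for i := 0; i < nHolders; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		holders, ids = append(holders, priv), append(ids, keyID(pub))
		root.Keys[keyID(pub)] = pub
	}
	onlinePub, onlinePriv, _ := ed25519.GenerateKey(rand.Reader)
	root.Keys[keyID(onlinePub)] = onlinePub
	root.Roles["root"], root.Roles["targets"] = Role{ids, threshold}, Role{ids, threshold}
	root.Roles["snapshot"] = Role{[]string{keyID(onlinePub)}, 1}
	root.Roles["timestamp"] = Role{[]string{keyID(onlinePub)}, 1}
	r := Repo{"root": signedBy(root, holders[:signers]...), "targets": signedBy(targets, holders[:signers]...)}
	r["snapshot"] = signedBy(map[string]string{"targets": sha256hex(r["targets"].Body)}, onlinePriv)
	r["timestamp"] = signedBy(map[string]string{"snapshot": sha256hex(r["snapshot"].Body)}, onlinePriv)
	return r, nil
}

// checkRole counts valid signatures from keys root authorises for the role;
// signatures by unknown or unauthorised keys never count toward the threshold.
func checkRole(root Root, role string, m Metadata) error {
	rl := root.Roles[role]
	if rl.Threshold < 1 { // also catches a role root does not define at all
		return fmt.Errorf("%s: no threshold defined in root", role)
	}
	valid := 0
	for _, id := range rl.KeyIDs {
		if pub := root.Keys[id]; len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, m.Body, m.Sigs[id]) {
			valid++
		}
	}
	if valid < rl.Threshold {
		return fmt.Errorf("%s: %d valid signatures, threshold is %d", role, valid, rl.Threshold)
	}
	return nil
}

// Verify is the verifier's check after publication: every role meets its
// threshold and timestamp -> snapshot -> targets hashes chain together, so
// a stale or swapped file cannot be substituted without a fresh signature.
func Verify(r Repo) error {
	var root Root
	json.Unmarshal(r["root"].Body, &root) // an unparseable root leaves no roles and fails below
	for _, role := range []string{"root", "targets", "snapshot", "timestamp"} {
		if err := checkRole(root, role, r[role]); err != nil {
			return err
		}
	}
	var ts, sn map[string]string
	json.Unmarshal(r["timestamp"].Body, &ts)
	json.Unmarshal(r["snapshot"].Body, &sn)
	if ts["snapshot"] != sha256hex(r["snapshot"].Body) || sn["targets"] != sha256hex(r["targets"].Body) {
		return fmt.Errorf("hash chain timestamp -> snapshot -> targets is broken")
	}
	return nil
}
```

Usage: `repo, err := RunCeremony(5, 3, 3, targets)` followed by `Verify(repo)` succeeds; with only two keyholders signing in Round 2, Verify rejects root and targets for missing the threshold, and any edit to the targets body after the ceremony invalidates both the keyholders' signatures and the snapshot hash. Two things a real TUF client does that this sketch omits: it verifies a new root against the previously trusted root's keys as well as the new root's own (so a rotation needs the old threshold, not just the new one), and it checks version numbers and expiry so a replayed older-but-validly-signed file is rejected.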

Ceremony Instructions

Before starting the root key ceremony, the community should:

  • Designate the 5 root keyholders
  • Elect one participant (not necessarily a keyholder) as the conductor
  • Identify the targets to sign and update the targets/ directory (these may include Fulcio's CA certificate, the Rekor transparency log key, the CTFE key, and SigStore's artifact signing key)

If you are a keyholder or the ceremony conductor, follow the instructions in KEYHOLDER.md.

If you are a verifier, follow the instructions in VERIFIER.md.

Acknowledgements

Special thanks to Dan Lorenc, Trishank Kuppusamy, Marina Moore, Santiago Torres-Arias, and the whole SigStore community!

About

Root TUF Key Signing
