cosign icon indicating copy to clipboard operation
cosign copied to clipboard

Published 20 hours ago verified publisher icon sigstore

Fetch TSA certificates from TUF targets when available

Open haydentherapper opened this issue 1 year ago • 1 comments

Description

The sigstore/sigstore TUF client has been updated to support the "TSA" usage type. We currently require the TSA cert chain to be provided by flag. We can also support reading the cert chain from either an environment or the TUF targets, to be more in line with how Fulcio certs or Rekor keys can be provided on verification. See RekorPubKeys as an example for how to support this. Ideally we can refactor all places where we read in the TSA cert chain via flag into a single function that reads from either a flag, env var, or TUF.

Note that as described in https://github.com/sigstore/scaffolding/issues/1001, the usage type will be deprecated in the near future, but given the simplicity of adding this feature, it's worthwhile to do now.

haydentherapper avatar Feb 28 '24 18:02 haydentherapper

@haydentherapper i opened a draft PR for this, didn't write a tsalog_test, but wanted to get this 👀 first.

ianhundere avatar Mar 15 '24 19:03 ianhundere