
[targets v11] What to do with the GitHub TSA in `trusted_root.json`

Open kommendorkapten opened this issue 1 year ago • 3 comments

Description

Currently we ship GitHub's TSA as part of trusted_root.json

This was made in an effort to support the community and possibly the npm work with a TSA, but it's not used outside of GitHub to my knowledge.

The certificate for GitHub's TSA has now been rotated, and the rotation frequency is currently every 6 months (yes, this is frequent!). This will pose a challenge for sigstore root signing to keep up.

I'm wondering whether we should remove the TSA from trusted_root.json.

cc @trevrosen @bobcallaway @haydentherapper

kommendorkapten avatar Jun 17 '24 12:06 kommendorkapten
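The rotation problem raised above comes down to the `validFor` window on each `timestampAuthorities` entry in `trusted_root.json`: once a TSA leaf certificate is rotated, the shipped entry stops matching new timestamps unless a new root release ships the new chain. The script below is an added example, not code from this thread or from the sigstore project. It assumes the JSON shape of Sigstore's `TrustedRoot` (a `timestampAuthorities` list whose entries carry `subject`, `certChain.certificates[].rawBytes` and `validFor.start`/`validFor.end`); the sample document, the organization names, the dates and the placeholder `rawBytes` values are constructed for the example, not taken from the real trusted root. It audits each TSA entry against a given date, flags entries that will lapse within a chosen horizon (so a six-month rotation cadence shows up as a recurring warning), and produces a pruned root with a given TSA removed, with a check for the one client-side consequence of removal: a verification policy that requires a TSA timestamp cannot be satisfied by a root with no TSA left.

```python
"""Audit and prune timestampAuthorities entries in a Sigstore-style trusted_root.json.

Assumptions (not taken from the page): the JSON layout below mirrors the
TrustedRoot message (subject / certChain / validFor); rawBytes are placeholders,
not real DER certificates, so only the validFor window is inspected.
"""
import json
from copy import deepcopy
from datetime import datetime, timedelta, timezone

# Constructed sample document; dates and names are made up for the example.
SAMPLE_TRUSTED_ROOT = {
    "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
    "tlogs": [],
    "certificateAuthorities": [],
    "ctlogs": [],
    "timestampAuthorities": [
        {
            "subject": {"organization": "GitHub, Inc.", "commonName": "Internal Services Root"},
            "uri": "https://timestamp.githubapp.com/api/v1/timestamp",
            "certChain": {"certificates": [{"rawBytes": "PLACEHOLDER-LEAF"},
                                           {"rawBytes": "PLACEHOLDER-ROOT"}]},
            # A six-month window, matching the rotation cadence discussed above.
            "validFor": {"start": "2024-03-01T00:00:00Z", "end": "2024-09-01T00:00:00Z"},
        },
        {
            "subject": {"organization": "Example TSA", "commonName": "Example TSA Root"},
            "certChain": {"certificates": [{"rawBytes": "PLACEHOLDER"}]},
            # validFor.end is optional in the schema: an open-ended entry.
            "validFor": {"start": "2023-01-01T00:00:00Z"},
        },
    ],
}


def parse_rfc3339(value):
    """Parse the RFC 3339 timestamps used in trusted_root.json into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_tsas(root, now, horizon=timedelta(days=90)):
    """Classify every TSA entry relative to `now`.

    Returns a list of {organization, state, days_left} where state is one of
    'pending' (not yet valid), 'expired', 'expiring' (lapses within `horizon`)
    or 'active'; days_left is None for open-ended entries.
    """
    report = []
    for tsa in root.get("timestampAuthorities", []):
        org = tsa.get("subject", {}).get("organization", "<unknown>")
        window = tsa.get("validFor", {})
        start = parse_rfc3339(window["start"]) if "start" in window else None
        end = parse_rfc3339(window["end"]) if "end" in window else None
        days_left = (end - now).days if end else None
        if start and start > now:
            state = "pending"
        elif end and end <= now:
            state = "expired"
        elif end and end - now <= horizon:
            state = "expiring"
        else:
            state = "active"
        report.append({"organization": org, "state": state, "days_left": days_left})
    return report


def remove_tsas(root, organization=None):
    """Return (pruned_root, removed_entries); organization=None removes every TSA.

    The input is left untouched and the timestampAuthorities key is kept
    (possibly as an empty list) so the document stays schema-shaped.
    """
    pruned = deepcopy(root)
    keep, removed = [], []
    for tsa in pruned.get("timestampAuthorities", []):
        org = tsa.get("subject", {}).get("organization")
        (removed if organization is None or org == organization else keep).append(tsa)
    pruned["timestampAuthorities"] = keep
    return pruned, removed


def policy_satisfiable(root, require_timestamp):
    """A policy that requires a TSA timestamp needs at least one TSA in the root."""
    return (not require_timestamp) or bool(root.get("timestampAuthorities"))


if __name__ == "__main__":
    now = datetime(2024, 6, 17, tzinfo=timezone.utc)
    for entry in audit_tsas(SAMPLE_TRUSTED_ROOT, now):
        print(entry)
    pruned, removed = remove_tsas(SAMPLE_TRUSTED_ROOT, organization="GitHub, Inc.")
    print("removed:", [t["subject"]["organization"] for t in removed])
    print("timestamp-required policy still satisfiable:", policy_satisfiable(pruned, True))
    print(json.dumps(pruned["timestampAuthorities"], indent=2))
```

Run it against a real `trusted_root.json` by replacing `SAMPLE_TRUSTED_ROOT` with `json.load(open(path))`; the `validFor` audit is what a root-signing maintainer would schedule against the rotation cadence, while `policy_satisfiable` is the check a downstream client should run before adopting a root that has had its TSA entries removed.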

I’m unaware of anyone using it as well. SGTM

haydentherapper avatar Jun 17 '24 15:06 haydentherapper

@jku fyi related to what we were chatting about, we can remove this as part of the next rotation

haydentherapper avatar Aug 07 '24 19:08 haydentherapper

Test in staging ongoing in https://github.com/sigstore/root-signing-staging/issues/157

jku avatar Aug 21 '24 11:08 jku

See https://github.com/sigstore/root-signing/pull/1412

kommendorkapten avatar Jan 17 '25 12:01 kommendorkapten