Update embedded TUF root #1300

Merged: 2 commits, Feb 10, 2025

Conversation

@jku jku commented Feb 10, 2025

This makes the client a little snappier on first launch. This is the result of:

  python -m sigstore sign README.md # just to update local TUF cache
  cp ~/.local/share/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/root.json \
      sigstore/_store/prod/root.json
  cp ~/.cache/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/trusted_root.json \
      sigstore/_store/prod/trusted_root.json

This uses sigstore-python to update the local TUF cache during the signing, then embeds the new good TUF root (and trusted root) in the source dir.

The above is also a good way for others to verify this PR is correct (just run python-sigstore from current main first, only then switch to the PR branch).

This makes the client a little snappier on first launch. This is the result of:

  python -m sigstore sign README.md
  cp ~/.local/share/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/root.json \
      sigstore/_store/prod/root.json
  cp ~/.cache/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/trusted_root.json \
      sigstore/_store/prod/trusted_root.json

This uses sigstore-python to update the local TUF cache during the
signing, then embeds the new good TUF root (and trusted root) in the
source dir.

This is also a good way for others to verify this PR is correct
(just remember to run python-sigstore from current main, only then
switch to the PR branch).

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@woodruffw woodruffw left a comment

Thanks, LGTM! I confirmed locally as well as against https://tuf-repo-cdn.sigstore.dev/.

Random thought: it'd be nice to have make bump-embedded-root or similar to automate this in the future. We could then stick it in the CI on a cron trigger 🙂
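An added example, not sigstore-python's own code, of what a bump-embedded-root target like the one suggested above could run: the two copy steps from the PR description, plus a check that the cached root.json is unexpired TUF root metadata whose version is not behind the root already embedded (TUF root versions only move forward). The directory arguments, helper names and the constructed sample metadata are assumptions.

```python
"""Embed the cached TUF root/trusted root into the source tree, refusing a
version rollback. Added example, not sigstore-python's own tooling."""
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path
from urllib.parse import quote

# sigstore-python keys its cache directories by the percent-encoded repo URL
# (the https%3A%2F%2F... directories in the PR description).
ENCODED_URL = quote("https://tuf-repo-cdn.sigstore.dev", safe="")

def root_version(root_json: str, require_unexpired: bool) -> int:
    """Sanity-check serialized TUF root metadata and return signed.version."""
    signed = json.loads(root_json)["signed"]
    if signed.get("_type") != "root":
        raise ValueError("not TUF root metadata")
    expires = datetime.fromisoformat(signed["expires"].replace("Z", "+00:00"))
    if require_unexpired and expires <= datetime.now(timezone.utc):
        raise ValueError(f"root expired at {signed['expires']}")
    return int(signed["version"])

def check_bump(new_root_json: str, old_root_json=None) -> int:
    """Version to embed, or ValueError if the new root is unusable or a rollback.
    The embedded root may itself be expired (a reason to bump): only its version matters."""
    new_version = root_version(new_root_json, require_unexpired=True)
    if old_root_json is not None and new_version < root_version(old_root_json, False):
        raise ValueError(f"rollback: cached root v{new_version} is older than embedded")
    return new_version

def bump_embedded_root(data_home: Path, cache_home: Path, store: Path) -> int:
    """Copy root.json (data_home ~ ~/.local/share/sigstore-python/tuf) and
    trusted_root.json (cache_home ~ ~/.cache/sigstore-python/tuf) into store
    (sigstore/_store/prod). Returns the root version now embedded."""
    new_root = data_home / ENCODED_URL / "root.json"
    new_trusted = cache_home / ENCODED_URL / "trusted_root.json"
    old_root = store / "root.json"
    version = check_bump(new_root.read_text(),
                         old_root.read_text() if old_root.exists() else None)
    json.loads(new_trusted.read_text())  # fail early on a truncated trusted root
    store.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(new_root, old_root)
    shutil.copyfile(new_trusted, store / "trusted_root.json")
    return version

# Constructed sample root metadata (not a real Sigstore root) for quick checks.
def sample_root(version: int, expires: str = "2099-01-01T00:00:00Z") -> str:
    return json.dumps({"signatures": [], "signed": {
        "_type": "root", "version": version, "expires": expires}})
```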

@woodruffw woodruffw enabled auto-merge (squash) February 10, 2025 15:31
@woodruffw woodruffw merged commit 676acfe into sigstore:main Feb 10, 2025
23 checks passed