New TUF trust root and client compatibility


Hayden Blauzvern

Mar 14, 2024, 4:26:25 PM
to sigstore-dev
We are planning to publish a new TUF trust root for Sigstore. This update does not contain any functional changes, but it does update to the latest version of the TUF specification. This means that older clients may not be able to load it properly. The current compatibility is as follows:

* cosign
   - v2.2.0+ (released Aug 31st, 2023) works; older cosign v2 clients will not work
   - v1.x will not work, though we are backporting support with an upcoming v1.13.3 release. We strongly encourage updating to cosign v2 for the latest bug and security fixes.
* sigstore-js: no known issues
* sigstore-python: no known issues
* sigstore-java: no known issues
* sigstore-rust: the TUF client it uses does not support the latest TUF spec. See this issue for more information. We are actively working on fixing this.

The updated TUF trust root will be deployed within the next week. As a reminder, if you're using one of the compatible clients, the update will happen seamlessly when you sign or verify, as new TUF metadata is automatically fetched and verified.

If you have any concerns, please let us know. You can reach out on Slack on #sigstore-keyholders.