Awesome, look forward to seeing your changes. I'd be more than willing to collaborate in any way that is useful for you and your team. Feel free to ping me on Sigstore Slack (I'm in the #python channel).

If you look at the branch I linked to above (https://github.com/joshuagl/sigstore-python/commits/joshuagl/tuf), you can see my WIP changes include initial retrieval of the TUF metadata and changes to access the certificates from a directory the TUF client fetches to, rather than accessing the bundled certificates using resourcelib (see joshuagl@e343366).

What's next is adapting to the pending v5 root-signing changes in sigstore/root-signing#430 where, instead of fetching a hard-coded set of targets, each of the certificates listed in the Targets metadata have additional metadata in the custom field that describes their usage.

For CTFE certificates we can query the metadata to retrieve only the targets in the which have custom.sigstore.usage == "CTFE". You can see how the Go Sigstore library is implementing this pattern in https://github.com/sigstore/sigstore/blob/fe89132b9369fc783254378ff8cfa68edfb64f72/pkg/fulcioroots/fulcioroots.go#L69 and https://github.com/sigstore/sigstore/blob/fe89132b9369fc783254378ff8cfa68edfb64f72/pkg/tuf/client.go#L373.

Retrieve CTFE signing key via TUF #25

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions