Update the README.md with the new key id for v9 root. (#1133)
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
kommendorkapten committed Feb 29, 2024
1 parent dd5e1c2 commit 56bc6fd
Showing 1 changed file with 19 additions and 19 deletions.
38 changes: 19 additions & 19 deletions README.md
Expand Up @@ -14,20 +14,20 @@ The current published repository metadata lives in the [repository](/repository/

* [targets.json](repository/repository/targets.json): This is the list of trusted `targets.json` endorsed by the offline keyholders. It includes:

| Target | Description |
|---------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [fulcio_v1.crt.pem](targets/fulcio_v1.crt.pem) | This is the [Fulcio](https://github.com/sigstore/fulcio) root certificate used to issue short-lived code signing certs. It is hosted at `https://fulcio.sigstore.dev`. You can `curl` the running root CA chain to ensure the first PEM-encoded certificate matches the TUF root using `curl -v https://fulcio.sigstore.dev/api/v1/rootCert` |
| Target | Description |
|--------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [fulcio_v1.crt.pem](targets/fulcio_v1.crt.pem) | This is the [Fulcio](https://github.com/sigstore/fulcio) root certificate used to issue short-lived code signing certs. It is hosted at `https://fulcio.sigstore.dev`. You can `curl` the running root CA chain to ensure the first PEM-encoded certificate matches the TUF root using `curl -v https://fulcio.sigstore.dev/api/v1/rootCert` |
| [fulcio_intermediate_v1.crt.pem](targets/fulcio_intermediate_v1.crt.pem) | This is the [Fulcio](https://github.com/sigstore/fulcio) intermediate certificate used to issue short-lived code signing certs. It is hosted at `https://fulcio.sigstore.dev`. You can `curl` the running CA chain to ensure the second PEM-encoded certificate matches the TUF root using `curl -v https://fulcio.sigstore.dev/api/v1/rootCert` |
| [fulcio.crt.pem](targets/fulcio.crt.pem) | This is the Fulcio root certificate used with an older instance of Fulcio. We maintain this target to verify old certificates but is no longer used to sign newly issued certificates. |
| [rekor.pub](targets/rekor.pub) | This is the [Rekor](https://github.com/sigstore/rekor) public key used to sign entries and the tree head of the transparency log. You can retrieve the public key to ensure it matches with `curl -H 'Content-Type: application/x-pem-file' https://rekor.sigstore.dev/api/v1/log/publicKey`. |
| [rekor.0.pub](targets/rekor.0.pub) | This is a dupe of `rekor.pub` and will be removed in the next root-signing event. |
| [ctfe.pub](targets/ctfe.pub) | Certificate Transparency log key for the first log shard (`ctfe.sigstore.dev/test`), that is used for certificates issued by Fulcio and used to verify signed certificate timestamps (SCTs) for inclusion into the log. |
| [ctfe_2022.pub](targets/ctfe_2022.pub) | Certificate Transparency log key for the 2022 log shard (`ctfe.sigstore.dev/2022`), that is used for certificates issued by Fulcio and used to verify signed certificate timestamps (SCTs) for inclusion into the log. |
| [artifact.pub](targets/artifact.pub) | Key that signs Sigstore project (Cosign, Rekor, Fulcio) releases. |
| [fulcio.crt.pem](targets/fulcio.crt.pem) | This is the Fulcio root certificate used with an older instance of Fulcio. We maintain this target to verify old certificates but is no longer used to sign newly issued certificates. |
| [rekor.pub](targets/rekor.pub) | This is the [Rekor](https://github.com/sigstore/rekor) public key used to sign entries and the tree head of the transparency log. You can retrieve the public key to ensure it matches with `curl -H 'Content-Type: application/x-pem-file' https://rekor.sigstore.dev/api/v1/log/publicKey`. |
| [rekor.0.pub](targets/rekor.0.pub) | This is a dupe of `rekor.pub` and will be removed in the next root-signing event. |
| [ctfe.pub](targets/ctfe.pub) | Certificate Transparency log key for the first log shard (`ctfe.sigstore.dev/test`), that is used for certificates issued by Fulcio and used to verify signed certificate timestamps (SCTs) for inclusion into the log. |
| [ctfe_2022.pub](targets/ctfe_2022.pub) | Certificate Transparency log key for the 2022 log shard (`ctfe.sigstore.dev/2022`), that is used for certificates issued by Fulcio and used to verify signed certificate timestamps (SCTs) for inclusion into the log. |
| [artifact.pub](targets/artifact.pub) | Key that signs Sigstore project (Cosign, Rekor, Fulcio) releases. |

* [snapshot.json](repository/repository/snapshot.json): The snapshot ensures consistency of the metadata files. It has a lifetime of 3 weeks and is re-signed by a [GitHub workflow](https://github.com/sigstore/root-signing/blob/main/.github/workflows/stable-snapshot-timestamp.yml).
* [timestamp.json](repository/repository/timestamp.json): The timestamp indicates the freshness of the metadata files. It has a lifetime of 1 week and is re-signed by two GitHub workflows [1](https://github.com/sigstore/root-signing/blob/main/.github/workflows/stable-snapshot-timestamp.yml),
[2](https://github.com/sigstore/root-signing/blob/main/.github/workflows/stable-timestamp.yml).
* [snapshot.json](repository/repository/snapshot.json): The snapshot ensures consistency of the metadata files. It has a lifetime of 3 weeks and is re-signed by a [GitHub workflow](.github/workflows/stable-snapshot-timestamp.yml).
* [timestamp.json](repository/repository/timestamp.json): The timestamp indicates the freshness of the metadata files. It has a lifetime of 1 week and is re-signed by two GitHub workflows [1](.github/workflows/stable-snapshot-timestamp.yml),
[2](.github/workflows/stable-timestamp.yml).

### Root locations
The current root is published on a GCS bucket located at `https://storage.googleapis.com/sigstore-tuf-root`, and is addressable via CDN at `https://tuf-repo-cdn.sigstore.dev`.
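
Review bot: the workflow links in the `snapshot.json` and `timestamp.json` bullets change from absolute `https://github.com/sigstore/root-signing/blob/main/.github/workflows/...` URLs to relative `.github/workflows/...` paths, which the commit message (new key id for v9 root) does not cover. Relative links resolve only where the README is rendered from the repository root, so either mention the link change in the commit message or move it to its own commit. The rewritten targets table rows carry the same text as before and differ only in column width; that whitespace-only realignment would also be easier to review apart from the key ID update.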
Expand All @@ -37,13 +37,13 @@ The pre-production root is published on a GCS bucket located at `https://storage
## Sigstore Root Keyholders

### Current Keyholders
| Keyholder | TUF Key ID | Yubikey Material | Term |
|-----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------|-------------|
| Joshua Lock | `2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de` (new, v5+) `75e867ab10e121fdef32094af634707f43ddd79c6bab8ad6c5ab9f03f4ea8c90` (deprecated) | [18158855](https://github.com/sigstore/root-signing/tree/main/ceremony/2022-07-12/keys/18158855) | July 2022 - |
| Bob Callaway | `7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b` (new, v5+) `f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209` (deprecated) | [15938791](https://github.com/sigstore/root-signing/tree/main/ceremony/2021-06-18/keys/15938791) | June 2021 - |
| Dan Lorenc | `ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c` (new, v5+) `2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97` (deprecated) | [13078778](https://github.com/sigstore/root-signing/tree/main/ceremony/2021-06-18/keys/13078778) | June 2021 - |
| Marina Moore | `25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99` (new, v5+) `eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b` (deprecated) | [14470876](https://github.com/sigstore/root-signing/tree/main/ceremony/2021-06-18/keys/14470876) | June 2021 - |
| Santiago Torres-Arias | `f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f` (new, v5+) `f40f32044071a9365505da3d1e3be6561f6f22d0e60cf51df783999f6c3429cb` (deprecated) | [15938765](https://github.com/sigstore/root-signing/tree/main/ceremony/2021-06-18/keys/15938765) | June 2021 - |
| Keyholder | TUF Key ID | Yubikey Material | Term |
|-----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------|-------------|
| Joshua Lock | `fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f` (v9+) `2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de` (v5-8) `75e867ab10e121fdef32094af634707f43ddd79c6bab8ad6c5ab9f03f4ea8c90` (deprecated) | [18158855](ceremony/2022-07-12/keys/18158855) | July 2022 - |
| Bob Callaway | `e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523` (v9+) `7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b` (v5-8) `f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209` (deprecated) | [15938791](ceremony/2021-06-18/keys/15938791) | June 2021 - |
| Dan Lorenc | `3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e` (v9+) `ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c` (v5-8) `2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97` (deprecated) | [13078778](ceremony/2021-06-18/keys/13078778) | June 2021 - |
| Marina Moore | `ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e` (v9+) `25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99` (v5-8) `eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b` (deprecated) | [14470876](ceremony/2021-06-18/keys/14470876) | June 2021 - |
| Santiago Torres-Arias | `1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849` (v9+) `f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f` (v5-8) `f40f32044071a9365505da3d1e3be6561f6f22d0e60cf51df783999f6c3429cb` (deprecated) | [15938765](ceremony/2021-06-18/keys/15938765) | June 2021 - |

### Emeritus Keyholders
| Keyholder | TUF Key ID | Yubikey Material | Term |
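
Review bot: in the Current Keyholders rows, each TUF Key ID cell now holds three IDs labelled `(v9+)`, `(v5-8)` and `(deprecated)`, which mixes root version ranges with a status word and leaves it unclear whether the v5-8 IDs are still accepted or are retired like the oldest ones. Consider giving the oldest ID a root version range as well, and adding a sentence under the table that says which ID applies to which root version and where in the signed root metadata a reader can check it. The separator row for that column was not widened for the longer cells, and the Yubikey Material links switch from absolute to relative `ceremony/...` paths without mention in the commit message.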