sigstore-trust-root 0.6.4

Sigstore trusted root management and parsing
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55

# sigstore-trust-root

Sigstore trusted root management and parsing for [sigstore-rust](https://github.com/sigstore/sigstore-rust).

## Overview

This crate handles parsing and management of Sigstore trusted root bundles. The trusted root contains all cryptographic trust anchors needed for verification: Fulcio CA certificates, Rekor public keys, CT log keys, and TSA certificates.

## Features

- **Trusted root parsing**: Load and parse `trusted_root.json` files
- **Embedded roots**: Built-in production and staging trust anchors
- **TUF support**: Optional secure fetching via The Update Framework (requires `tuf` feature)
- **Key extraction**: Extract public keys and certificates for verification
- **Validity periods**: Time-based key and certificate validity checking

## Trust Anchors

| Component | Purpose |
|-----------|---------|
| Certificate Authorities | Fulcio CA certificates for signing certificate validation |
| Transparency Logs | Rekor public keys for log entry verification |
| CT Logs | Certificate Transparency log keys for SCT verification |
| Timestamp Authorities | TSA certificates for RFC 3161 timestamp verification |

## Usage

```rust
use sigstore_trust_root::TrustedRoot;

// Use embedded production root
let root = TrustedRoot::production()?;

// Load from file
let root = TrustedRoot::from_file("trusted_root.json")?;

// With TUF feature: fetch securely
#[cfg(feature = "tuf")]
let root = TrustedRoot::from_tuf().await?;
```

## Cargo Features

- `tuf` - Enable TUF-based secure fetching of trusted roots

## Related Crates

Used by:

- [`sigstore-verify`](../sigstore-verify) - Provides trust anchors for verification
- [`sigstore-sign`](../sigstore-sign) - Provides service endpoints

## License

BSD-3-Clause