Sigstore trusted root parsing and management
This crate provides functionality to parse and manage Sigstore trusted root bundles and signing configuration.
Trusted Root
The trusted root contains all the trust anchors needed for verification:
- Fulcio certificate authorities (for signing certificates)
- Rekor transparency log public keys (for log entry verification)
- Certificate Transparency log public keys (for CT verification)
- Timestamp authority certificates (for RFC 3161 timestamp verification)
Signing Config
The signing config specifies service endpoints for signing operations:
- Fulcio CA URLs for certificate issuance
- Rekor transparency log URLs (V1 and V2 endpoints)
- TSA URLs for RFC 3161 timestamp requests
- OIDC provider URLs for authentication
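The two sections above describe data that carries validity periods: trust anchors that a verifier must match against the time an artifact was signed, and service endpoints that a signer must choose among by supported API version and current validity. The following is an added, self-contained Rust illustration of both selection rules; it is not code from the sigstore_trust_root crate, and the `Validity`, `Endpoint` and `TrustAnchor` types, the `select_endpoint` and `anchors_valid_at` functions, and all sample URLs and timestamps are assumptions constructed for this example.

```rust
// Added illustration of trusted-root and signing-config selection rules.
// Every type, function and sample value here is an assumption for the example,
// not part of the sigstore_trust_root API.

/// Validity window in Unix seconds; `end == None` means "still valid".
#[derive(Debug, Clone, PartialEq)]
pub struct Validity {
    pub start: u64,
    pub end: Option<u64>,
}

impl Validity {
    /// True when `at` falls inside the inclusive window [start, end].
    pub fn contains(&self, at: u64) -> bool {
        at >= self.start && self.end.map_or(true, |end| at <= end)
    }
}

/// A signing-config service endpoint, e.g. a Rekor v1 or v2 instance.
#[derive(Debug, Clone, PartialEq)]
pub struct Endpoint {
    pub url: &'static str,
    pub major_api_version: u32,
    pub valid_for: Validity,
}

/// Signer side: among endpoints whose API version this client supports and
/// whose validity window covers `now`, prefer the highest major version.
pub fn select_endpoint<'a>(
    endpoints: &'a [Endpoint],
    supported_versions: &[u32],
    now: u64,
) -> Option<&'a Endpoint> {
    endpoints
        .iter()
        .filter(|e| supported_versions.contains(&e.major_api_version))
        .filter(|e| e.valid_for.contains(now))
        .max_by_key(|e| e.major_api_version)
}

/// A trust anchor from the trusted root, e.g. a Fulcio CA or a Rekor log key.
#[derive(Debug, Clone, PartialEq)]
pub struct TrustAnchor {
    pub name: &'static str,
    pub valid_for: Validity,
}

/// Verifier side: an artifact signed at `signed_at` is checked against the
/// anchors that were valid at that time, so rotated-out anchors still verify
/// old signatures but anchors that had not yet started do not.
pub fn anchors_valid_at<'a>(anchors: &'a [TrustAnchor], signed_at: u64) -> Vec<&'a TrustAnchor> {
    anchors.iter().filter(|a| a.valid_for.contains(signed_at)).collect()
}

/// Constructed sample data; these are not real Sigstore URLs.
pub fn sample_rekor_endpoints() -> Vec<Endpoint> {
    vec![
        Endpoint { url: "https://rekor.example/v1", major_api_version: 1,
                   valid_for: Validity { start: 1_600_000_000, end: None } },
        Endpoint { url: "https://rekor.example/v2", major_api_version: 2,
                   valid_for: Validity { start: 1_700_000_000, end: None } },
        // A retired v2 instance: must never be chosen after its end time.
        Endpoint { url: "https://old-rekor.example/v2", major_api_version: 2,
                   valid_for: Validity { start: 1_650_000_000, end: Some(1_690_000_000) } },
    ]
}

/// Constructed sample anchors representing a CA rotation.
pub fn sample_fulcio_anchors() -> Vec<TrustAnchor> {
    vec![
        TrustAnchor { name: "fulcio-ca-2021",
                      valid_for: Validity { start: 1_610_000_000, end: Some(1_680_000_000) } },
        TrustAnchor { name: "fulcio-ca-2023",
                      valid_for: Validity { start: 1_680_000_000, end: None } },
    ]
}

fn main() {
    let endpoints = sample_rekor_endpoints();
    match select_endpoint(&endpoints, &[1, 2], 1_710_000_000) {
        Some(e) => println!("Rekor URL: {} (v{})", e.url, e.major_api_version),
        None => println!("no usable Rekor endpoint"),
    }
    for anchor in anchors_valid_at(&sample_fulcio_anchors(), 1_650_000_000) {
        println!("CA valid at signing time: {}", anchor.name);
    }
}
```

The point of filtering by validity rather than taking the newest entry is that a trusted root is append-only history: an expired CA or log key remains in the bundle so that signatures made under it still verify, while the signer-side selection must ignore anything outside its window regardless of version number.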
Features
- tuf: Enable TUF (The Update Framework) support for securely fetching trusted roots from Sigstore’s TUF repository. This adds async methods like [TrustedRoot::from_tuf()] and [TrustedRoot::from_tuf_staging()].
Example

```rust
use sigstore_trust_root::{TrustedRoot, SigningConfig};

// Load embedded production trusted root
let root = TrustedRoot::production().unwrap();

// Load embedded production signing config
let config = SigningConfig::production().unwrap();

// Get the best Rekor endpoint (highest available version)
if let Some(rekor) = config.get_rekor_url(None) {
    println!("Rekor URL: {} (v{})", rekor.url, rekor.major_api_version);
}
```

With the tuf feature enabled:
```rust
use sigstore_trust_root::{TrustedRoot, SigningConfig};

// Inside an async fn that returns sigstore_trust_root::Result<()>
// Fetch via TUF protocol (secure, up-to-date)
let root = TrustedRoot::from_tuf().await?;
let config = SigningConfig::from_tuf().await?;
```

Re-exports
- pub use error::Error;
- pub use error::Result;
- pub use signing_config::ServiceConfiguration;
- pub use signing_config::ServiceEndpoint;
- pub use signing_config::ServiceSelector;
- pub use signing_config::ServiceValidityPeriod;
- pub use signing_config::SigningConfig;
- pub use signing_config::SIGNING_CONFIG_MEDIA_TYPE;
- pub use signing_config::SIGSTORE_PRODUCTION_SIGNING_CONFIG;
- pub use signing_config::SIGSTORE_STAGING_SIGNING_CONFIG;
- pub use signing_config::SUPPORTED_FULCIO_VERSIONS;
- pub use signing_config::SUPPORTED_REKOR_VERSIONS;
- pub use signing_config::SUPPORTED_TSA_VERSIONS;
- pub use trusted_root::CertificateAuthority;
- pub use trusted_root::CertificateTransparencyLog;
- pub use trusted_root::TimestampAuthority;
- pub use trusted_root::TransparencyLog;
- pub use trusted_root::TrustedRoot;
- pub use trusted_root::ValidityPeriod;
- pub use trusted_root::SIGSTORE_PRODUCTION_TRUSTED_ROOT;
- pub use trusted_root::SIGSTORE_STAGING_TRUSTED_ROOT;
Modules
- error: Error types for trusted root operations
- signing_config: Signing configuration for Sigstore instances
- trusted_root: Trusted root types and parsing