Skip to main content

sigstore_trust_root/
lib.rs

1//! Sigstore trusted root parsing and management
2//!
3//! This crate provides functionality to parse and manage Sigstore trusted root bundles
4//! and signing configuration.
5//!
6//! ## Trusted Root
7//!
8//! The trusted root contains all the trust anchors needed for verification:
9//! - Fulcio certificate authorities (for signing certificates)
10//! - Rekor transparency log public keys (for log entry verification)
11//! - Certificate Transparency log public keys (for CT verification)
12//! - Timestamp authority certificates (for RFC 3161 timestamp verification)
13//!
14//! ## Signing Config
15//!
16//! The signing config specifies service endpoints for signing operations:
17//! - Fulcio CA URLs for certificate issuance
18//! - Rekor transparency log URLs (V1 and V2 endpoints)
19//! - TSA URLs for RFC 3161 timestamp requests
20//! - OIDC provider URLs for authentication
21//!
22//! # Features
23//!
24//! - `tuf` - Enable TUF (The Update Framework) support for securely fetching
25//!   trusted roots from Sigstore's TUF repository. This adds async methods
26//!   like [`TrustedRoot::from_tuf()`] and [`TrustedRoot::from_tuf_staging()`].
27//!
28//! # Example
29//!
30//! ```no_run
31//! use sigstore_trust_root::{TrustedRoot, SigningConfig};
32//!
33//! // Load embedded production trusted root
34//! let root = TrustedRoot::production().unwrap();
35//!
36//! // Load embedded production signing config
37//! let config = SigningConfig::production().unwrap();
38//!
39//! // Get the best Rekor endpoint (highest available version)
40//! if let Some(rekor) = config.get_rekor_url(None) {
41//!     println!("Rekor URL: {} (v{})", rekor.url, rekor.major_api_version);
42//! }
43//! ```
44//!
45//! With the `tuf` feature enabled:
46//!
47//! ```ignore
48//! use sigstore_trust_root::{TrustedRoot, SigningConfig};
49//!
50//! // Fetch via TUF protocol (secure, up-to-date)
51//! let root = TrustedRoot::from_tuf().await?;
52//! let config = SigningConfig::from_tuf().await?;
53//! ```
54
55pub mod error;
56pub mod signing_config;
57pub mod trusted_root;
58
59#[cfg(feature = "tuf")]
60pub mod tuf;
61
62pub use error::{Error, Result};
63pub use signing_config::{
64    ServiceConfiguration, ServiceEndpoint, ServiceSelector, ServiceValidityPeriod, SigningConfig,
65    SIGNING_CONFIG_MEDIA_TYPE, SIGSTORE_PRODUCTION_SIGNING_CONFIG, SIGSTORE_STAGING_SIGNING_CONFIG,
66    SUPPORTED_FULCIO_VERSIONS, SUPPORTED_REKOR_VERSIONS, SUPPORTED_TSA_VERSIONS,
67};
68pub use trusted_root::{
69    CertificateAuthority, CertificateTransparencyLog, TimestampAuthority, TransparencyLog,
70    TrustedRoot, ValidityPeriod, SIGSTORE_PRODUCTION_TRUSTED_ROOT, SIGSTORE_STAGING_TRUSTED_ROOT,
71};
72
73#[cfg(feature = "tuf")]
74pub use tuf::{
75    TufConfig, DEFAULT_TUF_URL, PRODUCTION_TUF_ROOT, SIGNING_CONFIG_TARGET, STAGING_TUF_ROOT,
76    STAGING_TUF_URL, TRUSTED_ROOT_TARGET,
77};