Documentation
Overview ¶
Package trust manages Sigstore trusted root material for offline attestation verification.
Trusted Root Resolution ¶
The trusted root (trusted_root.json) contains Fulcio CA certificates and Rekor public keys needed to verify Sigstore attestation bundles. Resolution follows three layers in priority order:
- Local cache (~/.sigstore/root/) — written by Update(), read by GetTrustedMaterial() with ForceCache. No network access.
- Embedded TUF root — compiled into the binary via sigstore-go's //go:embed directive. Used to bootstrap the TUF update chain when no local cache exists. Updated when the sigstore-go dependency is updated.
- TUF update — Update() contacts the Sigstore TUF CDN (tuf-repo-cdn.sigstore.dev), verifies the update chain cryptographically from the embedded root, and writes the latest trusted_root.json to the local cache.
Verification (GetTrustedMaterial) is always fully offline. Trust material is updated only when the user explicitly runs "aicr trust update".
Key Rotation ¶
Sigstore rotates keys a few times per year. When a rotation causes verification to fail (the signing certificate chains to a CA that is not in the local root), the verifier detects this case and surfaces an actionable error that directs the user to run "aicr trust update", rather than a bare chain-building failure.
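The resolution order above (cache, then embedded root, never the network) and the rotation failure mode, as one added example. This is not the package's own code and does not call sigstore-go: loadTrustedRoot, verifySigningCert, newCert, demo and ErrTrustRootStale are hypothetical names, the trusted root is a constructed trusted_root.json fragment carrying only certificateAuthorities (the real file also has tlogs, ctlogs and timestampAuthorities), the cache directory is a temp dir standing in for ~/.sigstore/root/, the update step only writes the cache and omits the TUF-verified fetch, and the certificates are Ed25519 fixtures generated in-process (the real Fulcio chain uses ECDSA). The run shows the embedded root being used while the cache is empty, a leaf from a rotated CA failing with the actionable error, and the cache taking priority once it holds the new CA:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// Subset of trusted_root.json (the real file also has tlogs, ctlogs, timestampAuthorities); rawBytes is base64 DER, decoded by encoding/json.
type certEntry struct{ RawBytes []byte `json:"rawBytes"` }
type certChain struct{ Certificates []certEntry `json:"certificates"` }
type certAuthority struct{ CertChain certChain `json:"certChain"` }
type trustedRoot struct{ CertificateAuthorities []certAuthority `json:"certificateAuthorities"` }

// ErrTrustRootStale is the actionable error for a leaf whose issuing CA is absent from the local root.
var ErrTrustRootStale = errors.New(`signing certificate does not chain to the local trusted root; run "aicr trust update"`)

// loadTrustedRoot resolves the root strictly offline (a cache written by an update wins, otherwise the
// embedded bootstrap root) and collects its CA certificates into an x509 pool. The network is never touched.
func loadTrustedRoot(cacheDir string, embedded []byte) (*x509.CertPool, string, error) {
	raw, source := embedded, "embedded"
	if cached, err := os.ReadFile(filepath.Join(cacheDir, "trusted_root.json")); err == nil {
		raw, source = cached, "cache"
	}
	var tr trustedRoot
	if err := json.Unmarshal(raw, &tr); err != nil {
		return nil, source, err
	}
	pool := x509.NewCertPool()
	for _, ca := range tr.CertificateAuthorities {
		for _, c := range ca.CertChain.Certificates {
			cert, err := x509.ParseCertificate(c.RawBytes)
			if err != nil {
				return nil, source, err
			}
			pool.AddCert(cert)
		}
	}
	return pool, source, nil
}

// verifySigningCert maps an unknown-authority chain failure to ErrTrustRootStale, so a stale root is
// reported differently from a genuinely bad certificate (expired, bad signature, wrong usage).
func verifySigningCert(leaf *x509.Certificate, pool *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if errors.As(err, new(x509.UnknownAuthorityError)) {
		return ErrTrustRootStale
	}
	return err
}

// newCert is a test fixture: an Ed25519 certificate, self-signed CA when parent is nil.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// demo: the embedded root knows only the current CA, so a leaf from a rotated CA fails with the actionable
// error; a simulated "aicr trust update" (TUF fetch omitted) writes a cache holding both CAs, which then wins.
func demo() (srcBefore string, errBefore error, srcAfter string, errAfter error) {
	caCur, _ := newCert("fulcio-ca-current", nil, nil)
	caRot, keyRot := newCert("fulcio-ca-rotated", nil, nil)
	leaf, _ := newCert("signer@example.com", caRot, keyRot)
	// Constructed roots: what the binary would embed, and what an update would fetch.
	embedded, _ := json.Marshal(trustedRoot{[]certAuthority{{certChain{[]certEntry{{caCur.Raw}}}}}})
	updated, _ := json.Marshal(trustedRoot{[]certAuthority{{certChain{[]certEntry{{caCur.Raw}}}}, {certChain{[]certEntry{{caRot.Raw}}}}}})
	cacheDir, _ := os.MkdirTemp("", "sigstore-root-") // stands in for ~/.sigstore/root/
	defer os.RemoveAll(cacheDir)
	pool, srcBefore, _ := loadTrustedRoot(cacheDir, embedded) // empty cache: embedded root is used
	errBefore = verifySigningCert(leaf, pool)
	_ = os.WriteFile(filepath.Join(cacheDir, "trusted_root.json"), updated, 0o600)
	pool, srcAfter, _ = loadTrustedRoot(cacheDir, embedded) // the cache now wins over the embedded root
	errAfter = verifySigningCert(leaf, pool)
	return
}
func main() { fmt.Println(demo()) }
```

The point of the errors.As branch is triage: x509.UnknownAuthorityError is exactly the shape a key rotation produces when the local root predates the new CA, so it is the one failure worth turning into "run aicr trust update"; any other verification error (expired leaf, bad signature) is left as-is so a stale root is never confused with a forged or broken certificate.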
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetTrustedMaterial ¶
func GetTrustedMaterial() (root.TrustedMaterial, error)
GetTrustedMaterial returns Sigstore trusted material for offline verification. Uses the sigstore-go TUF client with ForceCache to avoid network calls. Falls back to the embedded TUF root if no cache exists.
Types ¶
This section is empty.