trust

package
v0.13.0-rc3
Published: May 14, 2026 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

Package trust manages Sigstore trusted root material for offline attestation verification.

Trusted Root Resolution

The trusted root (trusted_root.json) contains Fulcio CA certificates and Rekor public keys needed to verify Sigstore attestation bundles. Resolution follows three layers in priority order:

  1. Local cache (~/.sigstore/root/) — written by Update(), read by GetTrustedMaterial() with ForceCache. No network access.
  2. Embedded TUF root — compiled into the binary via sigstore-go's //go:embed directive. Used to bootstrap the TUF update chain when no local cache exists. Updated when the sigstore-go dependency is updated.
  3. TUF update — Update() contacts the Sigstore TUF CDN (tuf-repo-cdn.sigstore.dev), verifies the update chain cryptographically from the embedded root, and writes the latest trusted_root.json to the local cache.

Verification (GetTrustedMaterial) is always fully offline. Trust material is updated only when the user explicitly runs "aicr trust update".

Key Rotation

Sigstore rotates keys a few times per year. When rotation causes verification to fail (signing certificate chains to a CA not in the local root), the verifier detects this and surfaces an actionable error directing the user to run "aicr trust update".

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetTrustedMaterial

func GetTrustedMaterial() (root.TrustedMaterial, error)

GetTrustedMaterial returns Sigstore trusted material for offline verification. Uses the sigstore-go TUF client with ForceCache to avoid network calls. Falls back to the embedded TUF root if no cache exists.

func Update

func Update(ctx context.Context) (root.TrustedMaterial, error)

Update fetches the latest Sigstore trusted root via TUF CDN and updates the local cache. Bounded by defaults.TUFUpdateTimeout (longer than a single-request HTTPClientTimeout because TUF refreshes download multiple metadata files from a CDN).

Known limitation: the underlying tuf.New / client.Refresh calls do not accept context, so on ctx.Done() we return an error but the goroutine continues running in the background until the network operation completes naturally. This is acceptable for the CLI-only call sites today (the goroutine is reaped on process exit). If callers from a long-running daemon are added, switch to a TUF client that supports context cancellation.
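As an added illustration (not the trust package's own code), the two behaviours documented above in miniature: the cache-then-embedded ordering of GetTrustedMaterial, and the goroutine-plus-select shape behind Update's known limitation. ResolveOffline, UpdateBounded and the embedded stand-in are hypothetical names over a constructed sample root, not real Sigstore material.

```go
package main

import (
	"context"
	"fmt"
	"os"
	"path/filepath"
)

// embeddedRoot stands in for the TUF root compiled into the binary (constructed sample, not real Sigstore material).
var embeddedRoot = []byte(`{"source":"embedded"}`)

// ResolveOffline mirrors GetTrustedMaterial's order: local cache first, embedded root otherwise; no network.
func ResolveOffline(cacheDir string) ([]byte, string, error) {
	p := filepath.Join(cacheDir, "trusted_root.json")
	b, err := os.ReadFile(p)
	switch {
	case err == nil:
		return b, "cache", nil
	case os.IsNotExist(err):
		return embeddedRoot, "embedded", nil
	default:
		return nil, "", fmt.Errorf("reading %s: %w", p, err)
	}
}

// UpdateBounded mirrors Update's documented limitation: refresh takes no context, so it runs in a goroutine
// and the caller stops waiting on ctx.Done(), but the goroutine keeps running until refresh returns.
func UpdateBounded(ctx context.Context, cacheDir string, refresh func() ([]byte, error)) error {
	type result struct{ b []byte; err error }
	ch := make(chan result, 1) // buffered: a late result must not block the orphaned goroutine forever
	go func() {
		b, err := refresh()
		ch <- result{b, err}
	}()
	select {
	case <-ctx.Done():
		return fmt.Errorf("trusted root update: %w", ctx.Err())
	case r := <-ch:
		if r.err != nil {
			return r.err
		}
		return os.WriteFile(filepath.Join(cacheDir, "trusted_root.json"), r.b, 0o600)
	}
}

func main() {
	_, src, err := ResolveOffline(filepath.Join(os.Getenv("HOME"), ".sigstore", "root"))
	fmt.Println("trusted root source:", src, "err:", err)
}
```

A caller that times out still has a live goroutine behind it, which is exactly why the package restricts this pattern to short-lived CLI invocations.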

Types

This section is empty.
