Sigstore Announcement: New TUF Trust Root and Client Compatibility

New TUF Trust Root

We are planning to publish a new TUF trust root for Sigstore. This update does not contain any functional changes, but it does update to the latest version of the TUF specification. This means that older clients may not be able to load it properly. The current compatibility is as follows:

  • Cosign
    • Releases >= v2.2.0 (v2.2.0 was released Aug 31st 2023) work. Older Cosign clients (< v2.2.0) will not work.
    • v1.x will not work, though we are backporting support in an upcoming v1.13.3 release. We strongly encourage updating to Cosign v2 for the latest bug and security fixes.
  • sigstore-js: no known issues
  • sigstore-python: no known issues
  • sigstore-java: no known issues
  • sigstore-rust: the TUF client it uses does not support the latest TUF spec. See this issue for more information. We are actively working on fixing this.

The updated TUF trust root will be deployed within the next week.

Do I need to do anything?

If you’re using one of the compatible clients, the update will happen seamlessly when you sign or verify, as new TUF metadata is automatically fetched and verified.

If you’re using Cosign v1.x, please update to Cosign v2 or download the upcoming v1.13.3 release. If you’re using the Rust client, we’ll have a fix out shortly.
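For anyone who needs to audit installed Cosign binaries before the rollout, here is an added shell helper (not part of this announcement or of the Cosign project) that encodes the compatibility rules above: v2.2.0 or later, or v1.13.3 or later on the v1 line. The `check_installed_cosign` wrapper assumes `cosign version --json` reports a `gitVersion` field and that `jq` is installed.

```shell
#!/bin/sh
# Added example: gate a Cosign version string on the rules stated in the announcement.
# Returns 0 if that version can load the new TUF trust root, 1 otherwise.
#   v2.x : compatible from v2.2.0 onward
#   v1.x : compatible only from the backport release v1.13.3 onward
#   v3+  : treated as compatible (assumption: newer major versions keep TUF support)
cosign_tuf_compatible() {
    v="${1#v}"                     # strip the leading "v" that cosign prints
    major="${v%%.*}"
    case "$major" in
        1) floor="1.13.3" ;;
        2) floor="2.2.0" ;;
        *) [ "$major" -gt 2 ] 2>/dev/null && return 0; return 1 ;;
    esac
    # sort -V orders version numbers numerically; the floor must sort first (or equal)
    [ "$(printf '%s\n%s\n' "$floor" "$v" | sort -V | head -n1)" = "$floor" ]
}

# Query the cosign on PATH (assumes `cosign version --json` exposes .gitVersion and jq exists)
check_installed_cosign() {
    ver="$(cosign version --json 2>/dev/null | jq -r '.gitVersion')" || return 2
    if cosign_tuf_compatible "$ver"; then
        echo "cosign $ver: compatible with the new TUF trust root"
    else
        echo "cosign $ver: update required (>= v2.2.0, or >= v1.13.3 on the v1 line)" >&2
        return 1
    fi
}
```

Run `check_installed_cosign` on each host; a non-zero exit flags a client that will fail to load the new root.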

How to reach out?

If you have any concerns, please let us know. You can reach us in the #sigstore-keyholders channel on Slack.