Background
rekor v2 is already in the trusted root (so verifying clients will already trust rekor v2 signatures)
The original plan was to enable rekor v2 signing now, but this has been pushed back to await a decision on possible PQC changes (that would be another set of potentially breaking changes)
The plan now is still to enable rekor v2 signing by default later -- but also to make it possible for specific users to use rekor v2 without hard coding URLs
Proposal
Add a completely new TUF artifact, a slightly modified signing config that includes rekor v2
The artifact is not used by any client at this point so risks to the signing event should be minimal
After publishing, sigstore client applications that want to use rekor v2 can do so without hard coding URLs -- the advice is that, at this point, generic clients should not do so by default, but specific ecosystems (such as those signing very large blobs) may benefit from it
In practice, this could mean a new API addition in a generic sigstore library (use_rekor2=True), or a custom sigstore signing application could implement their own TUF update for this artifact
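As an added illustration of the client-side behaviour this proposal enables (not code from root-signing or any sigstore client), the snippet below selects a Rekor instance from a signing config by major API version instead of a hard-coded URL. The field names follow the SigningConfig JSON layout from sigstore's protobuf-specs and are assumed here, and the config itself is a constructed sample with placeholder URLs, not the artifact this issue proposes.

```python
"""Pick Rekor URLs from a Sigstore signing config by major API version."""
import json
from datetime import datetime, timezone

# Constructed sample in the shape of a SigningConfig v0.2 document
# (field names assumed from sigstore protobuf-specs). Placeholder URLs.
SAMPLE_SIGNING_CONFIG = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json",
    "rekorTlogUrls": [
        {"url": "https://rekor-v1.example", "majorApiVersion": 1,
         "validFor": {"start": "2021-01-12T00:00:00Z"}},
        {"url": "https://rekor-v2.example", "majorApiVersion": 2,
         "validFor": {"start": "2025-06-01T00:00:00Z"}},
    ],
    "rekorTlogConfig": {"selector": "ANY"},
})


def parse_ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _is_valid(service, now):
    """True if `now` falls inside the service's validFor window (open-ended ok)."""
    window = service.get("validFor", {})
    if "start" in window and now < parse_ts(window["start"]):
        return False
    if "end" in window and now > parse_ts(window["end"]):
        return False
    return True


def select_rekor(signing_config_json, use_rekor2=False, now=None):
    """Return the Rekor URLs a client should log to.

    use_rekor2=False (the default a generic client should keep for now) makes
    only major API version 1 services eligible; True selects only version 2.
    Services outside their validity window are skipped, and an empty result
    raises instead of silently falling back to another version.
    """
    now = now or datetime.now(timezone.utc)
    cfg = json.loads(signing_config_json)
    want = 2 if use_rekor2 else 1
    urls = [s["url"] for s in cfg.get("rekorTlogUrls", [])
            if s.get("majorApiVersion") == want and _is_valid(s, now)]
    if not urls:
        raise ValueError(f"no valid Rekor v{want} service in signing config")
    return urls
```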
Effects on root-signing
This means we now "ship" two signing configs: both are now part of the root-signing "API" and must be kept in sync in the future (the files will become identical at some point though, making this easier)
Keyholders now have a bit more to review
More documentation is now needed: it's not obvious what all of the artifacts are from just looking at the directory