Add support for TrustedRoot in air-gapped environments #1704

Open
codysoyland opened this issue Nov 15, 2024 · 0 comments · May be fixed by #1705

Labels
enhancement New feature or request

Comments

@codysoyland
Member

Description

I would like to support the TrustedRoot JSON format in a simple way for air-gapped environments.

Currently, there are 3 ways to specify the trusted keys in the TrustRoot CRD:

  • Remote: Using a root JSON and TUF URL, this will fetch the trusted root via TUF
  • Repository: Using a root JSON and serialized TUF filesystem (base64, tarred, gzipped set of files, aka MirrorFS), this allows for air-gapped mode starting from a TUF repository
  • SigstoreKeys: This struct provides much of the same functionality of the TrustedRoot JSON, but is missing validity time periods, and requires conversion to the TrustedRoot format as many of the data types are subtly different (for example, certs are represented as DER in TrustedRoot, and PEM in SigstoreKeys)

My proposal is to add a TrustedRootJSON type (either string or []byte) to the CRD that contains the trusted root JSON as defined by the protobuf spec. This would allow for full support of trusted root in the simplest way possible.
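
The PEM-versus-DER difference and the missing validity period mentioned in the issue, shown as an added example that is not part of the original issue or the project's code. The type and function names, the placeholder URI and the self-signed sample certificate are assumptions made for illustration; the JSON field names follow the TrustedRoot JSON layout.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Hand-written mirror of one certificateAuthorities entry, not the generated protobuf types.
type rawCert struct{ RawBytes string `json:"rawBytes"` } // base64 of the DER encoding
type certAuthority struct {
	URI       string               `json:"uri"`
	CertChain map[string][]rawCert `json:"certChain"` // single key: "certificates"
	ValidFor  map[string]string    `json:"validFor"`  // key "start", RFC 3339
}

// pemChainToCA re-encodes a PEM chain as DER and records a caller-supplied validity start.
func pemChainToCA(uri string, pemChain []byte, validFrom time.Time) (*certAuthority, error) {
	var certs []rawCert
	for block, rest := pem.Decode(pemChain); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes) // reject corrupt DER early
		if block.Type != "CERTIFICATE" || err != nil {
			return nil, fmt.Errorf("bad PEM block %q: %v", block.Type, err)
		}
		certs = append(certs, rawCert{base64.StdEncoding.EncodeToString(cert.Raw)})
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certificates in PEM input")
	}
	return &certAuthority{uri, map[string][]rawCert{"certificates": certs},
		map[string]string{"start": validFrom.UTC().Format(time.RFC3339)}}, nil
}
// constructedPEM builds a throwaway self-signed certificate as constructed sample input.
func constructedPEM() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
func main() {
	ca, err := pemChainToCA("https://fulcio.example.test", constructedPEM(), time.Now())
	out, _ := json.MarshalIndent(ca, "", "  ")
	fmt.Println(string(out), err)
}
```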
