2026-05-24
TPM CA Certificates 2026-05-24
What's Changed
| Certificate | Type | Vendor | Action |
|---|---|---|---|
| EK/AK CA Intermediate | Intermediate | GOOG | ADD |
| EK/AK CA Root | Root | GOOG | ADD |
| Nations TPM ECC EK CA 001 | Intermediate | NTZ | ADD |
| Nations TPM ECC EK CA 002 | Intermediate | NTZ | ADD |
| Nations TPM ECC EK CA 003 | Intermediate | NTZ | ADD |
| Nations TPM ECC EK CA 004 | Intermediate | NTZ | ADD |
| Nations TPM ECC EK CA 005 | Intermediate | NTZ | ADD |
| Nations TPM RSA EK CA 001 | Intermediate | NTZ | ADD |
| Nations TPM RSA EK CA 002 | Intermediate | NTZ | ADD |
| Nations TPM RSA EK CA 003 | Intermediate | NTZ | ADD |
| Nations TPM RSA EK CA 004 | Intermediate | NTZ | ADD |
| Nations TPM RSA EK CA 005 | Intermediate | NTZ | ADD |
| Nations TPM ECC ROOT CA 001 | Root | NTZ | ADD |
| Nations TPM RSA ROOT CA 001 | Root | NTZ | ADD |
This release contains the TPM CA Certificates generated at commit 3b6110aa4b2009a67ea32916897b0255001f340a.
Artifacts
- tpm-ca-certificates.pem - The TPM trust bundle (root CAs)
- tpm-intermediate-ca-certificates.pem - The TPM intermediate trust bundle
- checksums.txt - SHA-256 checksums of both bundles
- checksums.txt.sigstore.json - Sigstore signature bundle for verifying checksums.txt
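The two bundles are meant to be used together: an EK certificate is issued by a vendor EK CA (one of the intermediates above), which in turn chains to a vendor root. The following Go program, added here as an illustration and not part of the tpm-ca-certificates project or its tpmtb CLI, loads PEM bundles of the same layout into root and intermediate pools and verifies an EK certificate against them. It relies only on the standard library; the root, EK CA and EK certificates it verifies are generated in memory as constructed stand-ins for a vendor hierarchy, and every name in it (loadBundle, verifyEK, newCert, buildChain, checkEK) is this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// loadBundle parses every CERTIFICATE block of a PEM bundle (the layout of both
// release bundles) into a pool and reports how many certificates it found.
func loadBundle(pemBytes []byte) (*x509.CertPool, int, error) {
	pool, n := x509.NewCertPool(), 0
	for block, rest := pem.Decode(pemBytes); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, n, err
		}
		pool.AddCert(cert)
		n++
	}
	return pool, n, nil
}

// verifyEK checks that ek chains to a root in roots via intermediates. EK
// certificates carry no TLS EKU, so ExtKeyUsageAny lifts Go's serverAuth default.
func verifyEK(ek *x509.Certificate, roots, intermediates *x509.CertPool) error {
	_, err := ek.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// newCert issues a certificate for cn under parent (self-signed when parent is
// nil) with a fresh P-256 key; it returns the parsed cert, its key and its PEM.
func newCert(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

// buildChain makes a throwaway root -> EK CA -> EK hierarchy (constructed data,
// not a real vendor CA); the two PEM values stand in for the two bundles.
func buildChain() ([]byte, []byte, *x509.Certificate, error) {
	root, rootKey, rootPEM, err := newCert("Constructed TPM Root CA", 1, true, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	inter, interKey, intPEM, err := newCert("Constructed TPM EK CA 001", 2, true, root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	ek, _, _, err := newCert("Constructed EK", 3, false, inter, interKey)
	return rootPEM, intPEM, ek, err
}

// checkEK verifies ek against the root bundle with and without the intermediate bundle loaded.
func checkEK(rootPEM, intPEM []byte, ek *x509.Certificate) (withIntermediates, rootsOnly error) {
	roots, _, err := loadBundle(rootPEM)
	if err != nil {
		return err, err
	}
	inters, _, err := loadBundle(intPEM)
	if err != nil {
		return err, err
	}
	return verifyEK(ek, roots, inters), verifyEK(ek, roots, x509.NewCertPool())
}
```

With both pools loaded verification succeeds; with the root bundle alone it fails with an unknown-authority error, because the EK's issuer (the EK CA) is nowhere to be found. Two things differ with real EK certificates: they usually have an empty Subject and carry the TPM identity in a Subject Alternative Name, and some vendors mark that extension critical, in which case Go's Verify refuses the certificate until the caller has inspected and cleared `UnhandledCriticalExtensions` on the parsed certificate.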
Verification
Important
If you are not familiar with the concepts around software supply chain security
(e.g. build provenance attestation, keyless signing, etc.), please read the following resources first:
Option 1: tpmtb CLI
Note
The following commands verify the integrity and provenance of each bundle artifact.
tpmtb verifies GitHub attestation signatures and Cosign keyless signatures natively (no need to install Cosign or gh).
Tip
Make sure to use tpmtb >= v0.11.2.
```shell
tpmtb bundle verify tpm-ca-certificates.pem
tpmtb bundle verify tpm-intermediate-ca-certificates.pem --type intermediate
```
Option 2: Cosign and GitHub CLI
The following process does the same thing as option 1:
Step 1: Verify Integrity with Cosign
First, verify the integrity of the checksums file using Cosign:
Tip
Make sure to use cosign >= v2.4.3 to support the Sigstore bundle format.
```shell
# Verify the checksums signature
cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp 'https://github.com/loicsikidi/tpm-ca-certificates/.github/workflows/release-bundle.yaml@refs/tags/2026-05-24' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt

# Verify the bundles match the checksums
sha256sum -c checksums.txt
```
The identity above is matched as an unanchored regular expression; passing the same string to --certificate-identity instead performs an exact match on the signing workflow identity, which is the stricter check.
Step 2: Verify Provenance with GitHub CLI
Once the checksum integrity is established, verify the provenance using GitHub's attestation system:
```shell
gh attestation verify tpm-ca-certificates.pem --repo loicsikidi/tpm-ca-certificates
gh attestation verify tpm-intermediate-ca-certificates.pem --repo loicsikidi/tpm-ca-certificates
```
Option 3: Reproducibility
Warning
This method only verifies the integrity of each bundle (that the release matches the tagged source).
To be fully secure it MUST be used in addition to gh attestation verify, which validates provenance.
```shell
git clone https://github.com/loicsikidi/tpm-ca-certificates
cd tpm-ca-certificates
git checkout 2026-05-24
go run ./ bundle generate --workers 10 --config .tpm-roots.yaml --output tpm-ca-certificates.pem
go run ./ bundle generate --workers 10 --config .tpm-intermediates.yaml --output tpm-intermediate-ca-certificates.pem --type intermediate
sha256sum tpm-ca-certificates.pem tpm-intermediate-ca-certificates.pem # Compare with checksums.txt
```
Changelog
- 3b6110a: rot(GOOG): add support to GCP #111 (#181) (@loicsikidi)
- 01dc641: rot(NTZ): add 2 roots and 10 intermediates (#180) (@loicsikidi)
Generated with GoReleaser 🚀