Add ability to handle multiple Fulcio certs in the createctconfig. #292
Labels
enhancement
New feature or request
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
As discussed in sigstore/fulcio#589 we should be able to handle rotation of Fulcio certs properly. This requires being able to add multiple Fulcio certs to be trusted by the CTLog.
I guess you just have to add certs here, currently we just add one.
This is the file that CTLog reads:
https://github.com/sigstore/scaffolding/blob/main/cmd/ctlog/createctconfig/main.go#L127
And here we create the secret containing the Fulcio cert to trust:
https://github.com/sigstore/scaffolding/blob/main/cmd/ctlog/createctconfig/main.go#L196
Which gets mounted here:
https://github.com/sigstore/scaffolding/blob/main/config/ctlog/ctlog/300-ctlog.yaml#L45
So, the tricky bit is that we don't want to just be append only :) So, have to think about how to add enough, but not too many of the certs and TBD how to remove them from here, once old Fulcio's have been turned down.
The text was updated successfully, but these errors were encountered: