Description
As discussed in sigstore/fulcio#589 we should be able to handle rotation of Fulcio certs properly. This requires being able to add multiple Fulcio certs to be trusted by the CTLog.
I guess you just have to add certs here, currently we just add one.
This is the file that CTLog reads:
https://github.com/sigstore/scaffolding/blob/main/cmd/ctlog/createctconfig/main.go#L127
And here we create the secret containing the Fulcio cert to trust:
https://github.com/sigstore/scaffolding/blob/main/cmd/ctlog/createctconfig/main.go#L196
Which gets mounted here:
https://github.com/sigstore/scaffolding/blob/main/config/ctlog/ctlog/300-ctlog.yaml#L45
So, the tricky bit is that we don't want to just be append-only :) So, have to think about how to add enough, but not too many of the certs, and TBD how to remove them from here once old Fulcios have been turned down.
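One way to keep the trusted-roots bundle from being append-only, shown as an added example that is not code from this issue or from sigstore/scaffolding: the bundle is rebuilt from the current roots plus any new Fulcio cert, duplicates are skipped, and certs whose SHA-256 fingerprint is marked retired are dropped. `ReconcileRoots` and `newSampleRoot` are hypothetical names, and the certificates are throwaway self-signed CAs generated inside the example.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ReconcileRoots (hypothetical helper): current + add, minus duplicates and retired hex SHA-256 (DER) fingerprints.
func ReconcileRoots(current, add []byte, retired map[string]bool) ([]byte, error) {
	seen, out := map[string]bool{}, &bytes.Buffer{}
	var block *pem.Block
	for _, in := range [][]byte{current, add} {
		for len(bytes.TrimSpace(in)) > 0 {
			if block, in = pem.Decode(in); block == nil || block.Type != "CERTIFICATE" {
				return nil, fmt.Errorf("bundle contains non-certificate data")
			}
			if _, err := x509.ParseCertificate(block.Bytes); err != nil {
				return nil, err // refuse to carry an unparseable root forward
			}
			if fp := fmt.Sprintf("%x", sha256.Sum256(block.Bytes)); !seen[fp] && !retired[fp] {
				seen[fp] = true
				out.Write(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: block.Bytes}))
			}
		}
	}
	return out.Bytes(), nil
}

func newSampleRoot(cn string) (certPEM []byte, fp string) { // throwaway self-signed CA: constructed sample input
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // a failure here surfaces in ParseCertificate
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), fmt.Sprintf("%x", sha256.Sum256(der))
}

func main() {
	oldPEM, oldFP := newSampleRoot("old-fulcio")
	newPEM, _ := newSampleRoot("new-fulcio")
	both, _ := ReconcileRoots(oldPEM, newPEM, nil)                         // rotation starts: trust both
	pruned, err := ReconcileRoots(both, nil, map[string]bool{oldFP: true}) // old Fulcio turned down
	fmt.Printf("overlap bundle: %d bytes, after retirement: %d bytes, err=%v\n", len(both), len(pruned), err)
}
```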