embedded TUF root file should be updated #1138

Open
jku opened this issue May 3, 2023 · 7 comments
Labels
bug Something isn't working

Comments

@jku
Member

jku commented May 3, 2023

It looks like the embedded TUF root metadata that cosign uses comes from this repository: https://github.com/sigstore/sigstore/blob/main/pkg/tuf/repository/root.json
(I'm not super familiar with Go or this code base so please correct if that's not right)

This embedded metadata file doesn't have to match the current published repository, but it would make sense to keep it fairly up-to-date: most network traffic on the sigstore TUF repository seems to be cosign instances downloading old root metadata files. Updating the embedded root would decrease the traffic on the repository and improve the cosign user experience.

I'll be filing another issue to improve the process (so it would be easier to keep this file updated in future) but this bug is just about updating the embedded root to current one from https://github.com/sigstore/root-signing/tree/main/repository/repository .

(EDIT: "bug" might be the wrong label: nothing is strictly speaking broken)

@bobcallaway
Member

@asraa @haydentherapper @kommendorkapten

@kommendorkapten
Member

I can take a look tomorrow morning my time!

@asraa
Contributor

asraa commented May 3, 2023

> I'll be filing another issue to improve the process (so it would be easier to keep this file updated in future) but this bug is just about updating the embedded root to current one from https://github.com/sigstore/root-signing/tree/main/repository/repository .

I really like the idea on the cross issue you posted about auto-filing issues in clients. We can perhaps add a list of client repositories to a workflow and ask clients who are onboarding to add their repository to that.

@haydentherapper
Contributor

+1 to updating this! Originally the thought was that we'd want to use the V1 root, because users could audit that root and check it matches what was publicly signed. Given this would require a manual step anyways, for performance, it's best to just include the latest root, and if a user really wants to check that it chains up to the publicly documented V1 signing, they can do so still.

Also note that the target files should be updated too to include trusted_root.json (even though cosign doesn't use it currently)

@asraa
Contributor

asraa commented May 4, 2023

> Originally the thought was that we'd want to use the V1 root, because users could audit that root and check it matches what was publicly signed.

Yes - but speaking of, most clients (including the Go one now) are incompatible with our V1 root due to specification inconsistencies with the go-tuf repository tooling at the time - so keeping things at latest simplifies that. We should have a chart though that specifies where client compatibility was reached for each client impl.

@haydentherapper
Contributor

We should also provide a script to verify a root against V1, handling the incompatibilities. It'll either need to check out an old version of go-tuf or configure using the hex keys (I don't recall if that was removed)

@asraa
Contributor

asraa commented May 4, 2023

> We should also provide a script to verify a root against V1, handling the incompatibilities. It'll either need to check out an old version of go-tuf or configure using the hex keys (I don't recall if that was removed)

We have a script like that in the root-signing repository.
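The check haydentherapper and asraa are discussing above (that a newer root "chains up to" the V1 root, and that a script should verify this) rests on TUF's root-rotation rule: version N+1 of root.json must be signed to threshold by the keys listed in version N and, separately, to threshold by its own keys, with the version number increasing by exactly one. The Go program below is an added example that is not part of this thread or of the cosign, sigstore or root-signing code. It assumes a reduced root.json shape (only the root role is modelled, key IDs are SHA-256 of the raw public key, and the signed bytes are plain encoding/json output rather than TUF canonical JSON), so it demonstrates the chaining rule itself, not the on-disk format a real client has to parse. The V1 spec inconsistencies asraa mentions are not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Reduced root.json: only the root role is modelled, so Keys is the set of
// keys that may sign the *next* root and Threshold how many of them must.
type Signed struct {
	Version   int               `json:"version"`
	Threshold int               `json:"threshold"`
	Keys      map[string]string `json:"keys"` // key ID -> hex ed25519 public key
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}
type Root struct {
	Signed     Signed      `json:"signed"`
	Signatures []Signature `json:"signatures"`
}

// KeyID stands in for TUF's key ID (which hashes the canonical key object).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// body is the byte string that is signed. json.Marshal is deterministic here
// (sorted map keys, fixed field order) but is NOT TUF canonical JSON.
func body(s Signed) []byte {
	b, err := json.Marshal(s)
	if err != nil {
		panic(err) // unreachable for a struct of ints, strings and a string map
	}
	return b
}

// NewRoot builds an unsigned root that trusts pubs with the given threshold.
func NewRoot(version, threshold int, pubs ...ed25519.PublicKey) Root {
	s := Signed{Version: version, Threshold: threshold, Keys: map[string]string{}}
	for _, pub := range pubs {
		s.Keys[KeyID(pub)] = hex.EncodeToString(pub)
	}
	return Root{Signed: s}
}

// Sign appends one signature per private key over the signed body.
func Sign(r *Root, privs ...ed25519.PrivateKey) {
	msg := body(r.Signed)
	for _, priv := range privs {
		id := KeyID(priv.Public().(ed25519.PublicKey))
		r.Signatures = append(r.Signatures, Signature{KeyID: id, Sig: hex.EncodeToString(ed25519.Sign(priv, msg))})
	}
}

// verifyAgainst counts r's valid signatures from distinct keys listed by the
// *trusting* body and enforces that body's threshold.
func verifyAgainst(r Root, trust Signed) error {
	msg := body(r.Signed)
	valid := map[string]bool{} // a key repeated in Signatures still counts once
	for _, sig := range r.Signatures {
		pub, e1 := hex.DecodeString(trust.Keys[sig.KeyID]) // "" when the key is untrusted
		raw, e2 := hex.DecodeString(sig.Sig)
		if e1 == nil && e2 == nil && len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, msg, raw) {
			valid[sig.KeyID] = true
		}
	}
	if len(valid) < trust.Threshold {
		return fmt.Errorf("root v%d: %d valid signatures from keys trusted by v%d, threshold %d", r.Signed.Version, len(valid), trust.Version, trust.Threshold)
	}
	return nil
}

// VerifyChain treats roots[0] as the trust anchor (the embedded root.json) and
// accepts each later version only if it is signed to threshold by the previous
// root's keys AND by its own keys, with versions increasing by exactly one.
func VerifyChain(roots []Root) error {
	for i := 1; i < len(roots); i++ {
		prev, next := roots[i-1].Signed, roots[i]
		if next.Signed.Version != prev.Version+1 {
			return fmt.Errorf("root v%d after v%d: versions must be consecutive", next.Signed.Version, prev.Version)
		}
		if err := verifyAgainst(next, prev); err != nil {
			return err
		}
		if err := verifyAgainst(next, next.Signed); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	aPub, aPriv, _ := ed25519.GenerateKey(nil) // constructed demo keys: v1 trusts a and c (2 of 2)
	cPub, cPriv, _ := ed25519.GenerateKey(nil)
	dPub, dPriv, _ := ed25519.GenerateKey(nil) // v2 rotates to c and d
	v1, good, bad := NewRoot(1, 2, aPub, cPub), NewRoot(2, 2, cPub, dPub), NewRoot(2, 2, cPub, dPub)
	Sign(&v1, aPriv, cPriv)
	Sign(&good, aPriv, cPriv, dPriv) // both v1 holders and both v2 holders signed
	Sign(&bad, cPriv, dPriv)         // c alone is below v1's threshold of 2: rejected
	fmt.Println("good chain:", VerifyChain([]Root{v1, good}))
	fmt.Println("bad chain: ", VerifyChain([]Root{v1, bad}))
}
```

Feeding the published root versions 1..N to VerifyChain with the embedded file as roots[0] is the audit haydentherapper describes: any user who still wants to start from V1 can do so, while a client that embeds the latest root simply starts the chain later. The per-key dedup in verifyAgainst matters because a signatures list is attacker-controlled input: without it, one compromised key could repeat its signature to reach the threshold.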
