I would like to support the TrustedRoot JSON format in a simple way for air-gapped environments.
Currently, there are 3 ways to specify the trusted keys in the TrustRoot CRD:
- Remote: Using a root JSON and TUF URL, this will fetch the trusted root via TUF
- Repository: Using a root JSON and serialized TUF filesystem (base64, tarred, gzipped set of files, aka MirrorFS), this allows for air-gapped mode starting from a TUF repository
- SigstoreKeys: This struct provides much of the same functionality of the TrustedRoot JSON, but is missing validity time periods, and requires conversion to the TrustedRoot format as many of the data types are subtly different (for example, certs are represented as DER in TrustedRoot, and PEM in SigstoreKeys)
My proposal is to add a TrustedRootJSON type (either string or []byte) to the CRD that contains the trusted root JSON as defined by the protobuf spec. This would allow for full support of trusted root in the simplest way possible.
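Added example (not code from policy-controller or any sigstore project): a Go sketch of what a consumer of such a TrustedRootJSON field would do with the certificateAuthorities entries, reading each CA's DER certChain and validFor window from the protobuf JSON and emitting PEM only for CAs valid at a given instant, i.e. the conversion and validity handling the SigstoreKeys path currently lacks. The JSON field names follow the protobuf JSON mapping as I understand it, the CA URI is an assumption, and the sample document is constructed around a throwaway self-signed certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"math/big"
	"time"
)

// Subset of the TrustedRoot protobuf-JSON shape; field names assumed from the protobuf-specs JSON mapping.
type certAuthority struct {
	URI       string `json:"uri"`
	CertChain struct {
		Certificates []struct{ RawBytes []byte `json:"rawBytes"` } `json:"certificates"` // DER, base64 in JSON
	} `json:"certChain"`
	ValidFor struct{ Start time.Time `json:"start"`; End time.Time `json:"end"` } `json:"validFor"` // zero End = open-ended
}

// ActiveRootsPEM returns, keyed by CA URI, the PEM-encoded root of every CA whose validFor window contains now.
func ActiveRootsPEM(trJSON []byte, now time.Time) (map[string]string, error) {
	var tr struct{ CAs []certAuthority `json:"certificateAuthorities"` }
	if err := json.Unmarshal(trJSON, &tr); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, ca := range tr.CAs {
		v, chain := ca.ValidFor, ca.CertChain.Certificates
		if now.Before(v.Start) || (!v.End.IsZero() && now.After(v.End)) || len(chain) == 0 {
			continue // CA not valid at this instant, or nothing to trust
		}
		der := chain[len(chain)-1].RawBytes // chain is leaf-first, so the root is last
		if _, err := x509.ParseCertificate(der); err != nil {
			return nil, err // reject malformed DER before it reaches a verifier
		}
		out[ca.URI] = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	}
	return out, nil
}

// SampleTrustedRootJSON is a constructed document around a freshly generated self-signed CA (not Sigstore material).
func SampleTrustedRootJSON() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	raw, _ := json.Marshal(map[string]any{"certificateAuthorities": []map[string]any{{"uri": "https://fulcio.example.invalid",
		"certChain": map[string]any{"certificates": []map[string]any{{"rawBytes": der}}},
		"validFor":  map[string]string{"start": "2024-01-01T00:00:00Z", "end": "2025-01-01T00:00:00Z"}}}})
	return raw
}
```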