Replace ct_server with TesseraCT in setup #1793
This is now based on #1834 so that the Fulcio certs are generated externally and shared out of band between Fulcio and CT instead of relying on Fulcio's
haydentherapper
left a comment
Can we leave a TODO or warning in the README that the ctlog section is now out of date?
Is this test still meaningful or can we just remove it? Testing that the CT log supports rotating trusted roots is testing the functionality of the CT server rather than the scaffolding setup. Also, now that we're recommending a manual process of applying a secret, we don't need to test that our custom jobs or scripts work.
Also means we can remove the verifyfulcio script
Yeah I don't think it's really meaningful, I'd love to remove it.
I went ahead and updated it.
haydentherapper
left a comment
Looks great, love seeing a PR with lots of red! Up to you if you want to merge the other PR first and rebase or rebase this PR onto main.
In the setup scaffolding workflow, update Fulcio to use the Static CT
log TesseraCT instead of the Trillian-based ct_server.
This change avoids retrieving the Fulcio roots from the rootCert
endpoint, instead favoring using the known externally generated root,
which more closely simulates the mechanism for distributing key material out
of band via TUF. This means the createctconfig job is not needed for
this CT log. The createtree job is also no longer needed because there
is no Trillian tree to manage.
Relates to sigstore/rekor-tiles#73
Signed-off-by: Colleen Murphy <[email protected]>
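An added example, not code from this PR or from the scaffolding, Fulcio or TesseraCT projects, illustrating the trust decision the commit message describes: the verifier's only trust anchor is a pinned root obtained out of band (standing in for the root distributed via TUF), so a leaf issued by any other root (standing in for whatever a rootCert endpoint might return) is rejected. The certificates are generated in memory so the program runs offline, and the names newRoot, newLeaf, VerifyAgainstPinnedRoot and Demo are assumptions made here for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newRoot creates a self-signed CA. In the setup described by the PR the
// Fulcio root is generated outside the cluster and shared out of band;
// here it is constructed in memory so the example runs offline.
func newRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// newLeaf issues a short-lived code-signing certificate from the given CA
// (constructed stand-in for a Fulcio-issued signing certificate).
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "signer (constructed)"},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(10 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func pemEncode(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// VerifyAgainstPinnedRoot builds a trust pool containing only the pinned
// root PEM (the out-of-band root) and verifies the leaf against it. Nothing
// fetched from the issuer at verification time is trusted.
func VerifyAgainstPinnedRoot(leafPEM, pinnedRootPEM []byte) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(pinnedRootPEM) {
		return errors.New("no certificates found in pinned root PEM")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("leaf is not PEM encoded")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// Demo verifies one leaf from the pinned root and one from an unrelated
// root; it reports whether the first passed and the second was rejected.
func Demo() (trustedOK, untrustedRejected bool, err error) {
	root, rootKey, err := newRoot("fulcio-root (constructed)")
	if err != nil {
		return false, false, err
	}
	leaf, err := newLeaf(root, rootKey)
	if err != nil {
		return false, false, err
	}
	other, otherKey, err := newRoot("other-root (constructed)")
	if err != nil {
		return false, false, err
	}
	otherLeaf, err := newLeaf(other, otherKey)
	if err != nil {
		return false, false, err
	}
	pinned := pemEncode(root)
	trustedOK = VerifyAgainstPinnedRoot(pemEncode(leaf), pinned) == nil
	untrustedRejected = VerifyAgainstPinnedRoot(pemEncode(otherLeaf), pinned) != nil
	return trustedOK, untrustedRejected, nil
}

func main() {
	ok, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("leaf from pinned root verified: %v; leaf from other root rejected: %v\n", ok, rejected)
}
```

The point of the pool holding only the pinned root is the one the commit message makes: if the verifier instead populated its trust pool from the issuer's own rootCert endpoint, any root that endpoint returned would be accepted, and the check would prove nothing about who controls the issuer.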