From 85540f414d5697315d42448e070be77ecfeef01a Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Tue, 26 Nov 2024 13:23:13 -0800 Subject: [PATCH] Remove doc section about trusted_root.json trusted_root.json is now served by the TUF mirror as of 16ae89aa, no need for the user to create it themself. Signed-off-by: Colleen Murphy --- getting-started.md | 30 ------------------------------ 1 file changed, 30 deletions(-) diff --git a/getting-started.md b/getting-started.md index 5d62bb30d..28bacfda9 100644 --- a/getting-started.md +++ b/getting-started.md 
@@ -384,33 +384,3 @@ vaikas@villes-mbp scaffolding % echo 'eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdG ``` Notice our predicate is `foobar test attestation` as was in our predicate file. - -## Generating trusted_root.json - -The TUF mirror in this stack does not serve a -[`trusted_root.json`](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto) -target, but you can generate one to use with certain sigstore clients. - -1. Download and install [trtool](https://github.com/kommendorkapten/trtool). - -2. Use `cosign initialize` as described above to download targets from the TUF - mirror. - -3. Initialize the trusted root with the Fulcio CA: - -``` -./trtool init -ca ~/.sigstore/root/targets/fulcio_v1.crt.pem -ca-uri $FULCIO_URL -ca-start $(date -Iseconds) | jq > tr.1.json -``` - -4. Add the transparency log and certificate transparency log keys: - -``` -./trtool add -f tr.1.json -type ctlog -uri $CTLOG_URL -pem ~/.sigstore/root/targets/ctfe.pub -start $(date -Iseconds) | jq > tr.2.json -./trtool add -f tr.2.json -type tlog -uri $REKOR_URL -pem ~/.sigstore/root/targets/rekor.pub -start $(date -Iseconds) | jq > trusted_root.json -``` - -5. Now the trusted_root.json can be used as input for sigstore clients: - -``` -sigstore-go -trustedrootJSONpath trusted_root.json -tufTrustedRoot root.json -artifact=blob -expectedSAN=https://kubernetes.io/namespaces/default/serviceaccounts/default -expectedIssuer=https://kubernetes.default.svc.cluster.local bundle.json -```
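Review bot: Deleting the whole section leaves the guide with no mention of `trusted_root.json` at all, even though the commit message says the TUF mirror now serves it; a reader who previously landed here for the `-trustedrootJSONpath` workflow now has nothing telling them where the file ends up or how to pass it to a client. Consider replacing the section with a two-line note instead of removing it outright, along the lines of: after `cosign initialize` (already described above), the trusted root is available as a TUF target alongside `fulcio_v1.crt.pem`, `ctfe.pub` and `rekor.pub`, and can be handed to clients that accept one, e.g. the removed `sigstore-go -trustedrootJSONpath ... -tufTrustedRoot root.json ...` invocation, which was the only sigstore-go verification example in the document. Two related checks before merging: confirm the served `trusted_root.json` carries the same Fulcio CA, CT log and Rekor keys that the old manual `trtool` steps assembled from those targets (so the removed instructions are genuinely redundant rather than just gone), and grep the rest of `getting-started.md` and any README table of contents for a `#generating-trusted_rootjson` anchor or other reference to the deleted heading so no dangling link remains.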