This directory contains programs needed to verify and generate the key artifacts and the TUF metadata.
- The metadata generation Go implementation is located in `cmd/metadata`.
- The verification CLI is located in `cmd/verify`.
At the end of the ceremony, new repository metadata will be written to a `ceremony/YYYY-MM-DD/repository` directory and override the current metadata in the `repository/` directory.
Before starting the root key ceremony, the community should:
- Designate the 5 root keyholders
- Elect one participant (not necessarily a keyholder) as the conductor
- Identify the targets to sign and update the `targets/` directory (these may include Fulcio's CA certificate, the Rekor transparency log key, the CTFE key, and SigStore's artifact signing key)
If you are a keyholder or ceremony conductor, follow the instructions in KEYHOLDER.md.
If you are a verifier, follow the instructions in VERIFIER.md.
Special thanks to Dan Lorenc, Trishank Kuppusamy, Marina Moore, Santiago Torres-Arias, and the whole SigStore community!