10 releases (5 breaking)

| Version | Date |
|---|---|
| 0.6.3 (new) | Feb 6, 2026 |
| 0.6.1 | Jan 26, 2026 |
| 0.6.0 | Dec 8, 2025 |
| 0.4.0 | Nov 28, 2025 |

#276 in Cryptography
2,593 downloads per month
Used in 4 crates (2 directly)
175KB, 3K SLoC
sigstore-trust-root
Sigstore trusted root management and parsing for sigstore-rust.
Overview
This crate handles parsing and management of Sigstore trusted root bundles. The trusted root contains all cryptographic trust anchors needed for verification: Fulcio CA certificates, Rekor public keys, CT log keys, and TSA certificates.
Features
- Trusted root parsing: Load and parse `trusted_root.json` files
- Embedded roots: Built-in production and staging trust anchors
- TUF support: Optional secure fetching via The Update Framework (requires `tuf` feature)
- Key extraction: Extract public keys and certificates for verification
- Validity periods: Time-based key and certificate validity checking
Trust Anchors
| Component | Purpose |
|---|---|
| Certificate Authorities | Fulcio CA certificates for signing certificate validation |
| Transparency Logs | Rekor public keys for log entry verification |
| CT Logs | Certificate Transparency log keys for SCT verification |
| Timestamp Authorities | TSA certificates for RFC 3161 timestamp verification |
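
The validity-period check listed under Features, sketched as an added std-only example (not the crate's code or API): the types `Kind` and `Anchor`, the function `valid_ids`, the Unix-second timestamps and the inclusive bounds are assumptions made here, and the sample root is constructed. It shows why validity is evaluated at the signing time: a rotated Rekor key still covers older entries but is not selected for later ones.

```rust
// Added illustration with hypothetical types; not the sigstore-trust-root API.
#[allow(dead_code)]
#[derive(Debug, Clone, Copy, PartialEq)]
enum Kind { FulcioCa, RekorLog, CtLog, Tsa }

#[derive(Debug)]
struct Anchor {
    kind: Kind,
    id: &'static str, // constructed label, not a real key id
    start: u64,       // validFor.start, as Unix seconds
    end: Option<u64>, // validFor.end; None means still active
}

impl Anchor {
    // Bounds are treated as inclusive here (an assumption of this sketch).
    fn valid_at(&self, t: u64) -> bool {
        t >= self.start && self.end.map_or(true, |e| t <= e)
    }
}

// Select the anchors of one kind that were valid at the signing time `t`.
fn valid_ids(root: &[Anchor], kind: Kind, t: u64) -> Vec<&'static str> {
    root.iter()
        .filter(|a| a.kind == kind && a.valid_at(t))
        .map(|a| a.id)
        .collect()
}

// Constructed sample: a rotated Rekor key, its successor, and one Fulcio CA.
fn sample_root() -> Vec<Anchor> {
    vec![
        Anchor { kind: Kind::RekorLog, id: "rekor-old", start: 1_600_000_000, end: Some(1_700_000_000) },
        Anchor { kind: Kind::RekorLog, id: "rekor-new", start: 1_690_000_000, end: None },
        Anchor { kind: Kind::FulcioCa, id: "fulcio-ca", start: 1_650_000_000, end: None },
    ]
}

fn main() {
    let root = sample_root();
    // Signing times come from the log entry or RFC 3161 timestamp,
    // not from the verifier's wall clock.
    for t in [1_500_000_000u64, 1_650_000_000, 1_695_000_000, 1_750_000_000] {
        println!("t={t}: rekor={:?} fulcio={:?}",
            valid_ids(&root, Kind::RekorLog, t),
            valid_ids(&root, Kind::FulcioCa, t));
    }
}
```
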
Usage
```rust
use sigstore_trust_root::TrustedRoot;

// Use embedded production root
let root = TrustedRoot::production()?;

// Load from file
let root = TrustedRoot::from_file("trusted_root.json")?;

// With TUF feature: fetch securely
#[cfg(feature = "tuf")]
let root = TrustedRoot::from_tuf().await?;
```
Cargo Features
- `tuf` - Enable TUF-based secure fetching of trusted roots
Related Crates
Used by:
- `sigstore-verify` - Provides trust anchors for verification
- `sigstore-sign` - Provides service endpoints
License
BSD-3-Clause
Dependencies
~67–89MB
~2M SLoC