
Releases: loicsikidi/tpm-ca-certificates

v0.7.0

25 Feb 19:58
1938eb7


tpm-ca-certificates v0.7.0

What's Changed

This release contains the tpmtb binary and OCI images built from commit 1938eb7846fa712078092d845405e7f063edffff.

Artifacts

  • tpmtb_$VERSION_$OS_$ARCH.$EXTENSION - CLI binaries for various platforms (stored in archives)
  • tpmtb_$VERSION_$OS_$ARCH.$EXTENSION.sbom.json - SBOMs for the binaries in SPDX format
  • checksums.txt - SHA-256 checksums of all artifacts
  • checksums.txt.sigstore.json - Sigstore signature bundle for checksum verification

OCI Images

docker pull ghcr.io/loicsikidi/tpm-ca-certificates/tpmtb:v0.7.0
docker pull ghcr.io/loicsikidi/tpm-ca-certificates/tpmtb:latest

Verification

Important

If you are not familiar with the concepts around software supply chain security (e.g. build provenance attestation, keyless signature), please read the following resources first:

1. Artifacts with Cosign and GitHub CLI

For complete security verification, follow this two-step process:

Step 1: Verify Integrity with Cosign

First, verify the integrity of the checksums file using Cosign:

Tip

Make sure to use cosign >= v2.4.3 to support the Sigstore bundle format.

# Verify the checksums signature
cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp 'https://github.com/loicsikidi/tpm-ca-certificates/.github/workflows/release.yaml@refs/tags/v0.7.0' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt

# Verify any artifact matches the checksum
sha256sum -c checksums.txt

Step 2: Verify Provenance with GitHub CLI

Once the checksum integrity is established, verify the provenance using GitHub's attestation system:

# Verify the archive
gh attestation verify tpmtb_0.7.0_linux_amd64.tar.gz --repo loicsikidi/tpm-ca-certificates
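The two steps above establish (1) that checksums.txt was signed by this repository's release workflow and (2) that the artifact has a build attestation. The part in between, parsing checksums.txt and comparing the downloaded archive's SHA-256 against it, is what `sha256sum -c` does; the script below is an added example (not the project's code) that does the same thing in Python, fails closed when an artifact is not listed at all, and also shows the exact identity/issuer comparison that cosign's `--certificate-identity` flag performs, which is stricter than the unanchored `--certificate-identity-regexp` used in the commands above. The repository, issuer URL and workflow file names come from this page; the archive names, the altered file and the SHA-256("abc") test vector are constructed sample data. The same checks apply to the bundle releases (tpm-ca-certificates.pem with release-bundle.yaml).

```python
"""Checksum and signer-identity checks for a tpmtb (or TPM bundle) release.

Added example; not code from the tpm-ca-certificates project. It implements
the part of the release's verification procedure that follows a successful
`cosign verify-blob` of checksums.txt: parse the checksums file, hash the
downloaded artifact, compare digests. It also shows the exact identity/issuer
comparison a verifier applies to the Fulcio signing certificate.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

REPO = "loicsikidi/tpm-ca-certificates"                      # from the release page
OIDC_ISSUER = "https://token.actions.githubusercontent.com"  # from the release page


def expected_identity(workflow: str, tag: str) -> str:
    """Workflow identity (certificate SAN URI) for a GitHub Actions release
    run of `tag`; release.yaml for tpmtb, release-bundle.yaml for bundles."""
    return f"https://github.com/{REPO}/.github/workflows/{workflow}@refs/tags/{tag}"


def identity_matches(cert_identity: str, cert_issuer: str, workflow: str, tag: str) -> bool:
    """Exact match of signer identity and OIDC issuer (what cosign's
    --certificate-identity does). An unanchored regexp with an unescaped '.'
    accepts more strings than the one intended workflow@tag identity."""
    return cert_issuer == OIDC_ISSUER and cert_identity == expected_identity(workflow, tag)


def parse_checksums(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines '<64 hex>  <filename>' into {name: digest}.
    Lines that do not have that shape are ignored."""
    entries: dict[str, str] = {}
    for line in text.splitlines():
        m = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(\S.*)", line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def sha256_of_file(path: Path) -> str:
    """Stream the file so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(checksums: dict[str, str], artifact: Path) -> bool:
    """True only if the artifact is listed and its digest matches.
    A file missing from checksums.txt fails rather than being skipped,
    and the digest comparison is constant-time."""
    expected = checksums.get(artifact.name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(artifact), expected)


# Constructed sample data (not real release artifacts): the listed digest is
# SHA-256("abc"); the second file was altered after the checksum was taken.
SAMPLE_CHECKSUMS_TXT = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tpmtb_0.7.0_linux_amd64.tar.gz\n"
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tpmtb_0.7.0_darwin_arm64.tar.gz\n"
)


def demo() -> dict[str, bool]:
    """Write the two sample artifacts to a temporary directory and verify them."""
    sums = parse_checksums(SAMPLE_CHECKSUMS_TXT)
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "tpmtb_0.7.0_linux_amd64.tar.gz"
        bad = Path(d) / "tpmtb_0.7.0_darwin_arm64.tar.gz"
        good.write_bytes(b"abc")   # matches the listed digest
        bad.write_bytes(b"abd")    # altered content, digest will not match
        return {good.name: verify_artifact(sums, good), bad.name: verify_artifact(sums, bad)}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'FAILED'}")
    ident = expected_identity("release.yaml", "v0.7.0")
    print("signer identity accepted:", identity_matches(ident, OIDC_ISSUER, "release.yaml", "v0.7.0"))
```

Run it after `cosign verify-blob` has succeeded; a checksum check is only meaningful once the checksums file itself is known to come from the release workflow, which is why the page puts the Cosign step first.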

2. OCI Provenance

gh attestation verify oci://ghcr.io/loicsikidi/tpm-ca-certificates/tpmtb:v0.7.0 --repo loicsikidi/tpm-ca-certificates

Changelog

Generated with GoReleaser 🚀

2026-02-04

04 Feb 21:11
ce51e4f


TPM CA Certificates 2026-02-04

What's Changed

This release contains the TPM CA Certificates generated at commit ce51e4f148b35c361a8c23abafcfc1a5441875d2.

Artifacts

  • tpm-ca-certificates.pem - The TPM trust bundle
  • tpm-intermediate-ca-certificates.pem - The TPM intermediate trust bundle
  • checksums.txt - SHA-256 checksum
  • checksums.txt.sigstore.json - Sigstore signature bundle for checksum verification

Verification

Important

If you are not familiar with the concepts around software supply chain security (e.g. build provenance attestation, keyless signature), please read the following resources first:

Option 1: tpmtb CLI

Note

The following commands verify the integrity and provenance of each bundle artifact.

tpmtb is able to verify GitHub attestation signatures and Cosign keyless signatures natively (no need to install Cosign or gh).

Tip

Make sure to use tpmtb >= v0.5.0 to support intermediate bundle verification.

tpmtb bundle verify tpm-ca-certificates.pem
tpmtb bundle verify tpm-intermediate-ca-certificates.pem --type intermediate

Option 2: Cosign and GitHub CLI

The following process does the same thing as option 1:

Step 1: Verify Integrity with Cosign

First, verify the integrity of the checksums file using Cosign:

Tip

Make sure to use cosign >= v2.4.3 to support the Sigstore bundle format.

# Verify the checksums signature
cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp 'https://github.com/loicsikidi/tpm-ca-certificates/.github/workflows/release-bundle.yaml@refs/tags/2026-02-04' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt

# Verify the bundle matches the checksum
sha256sum -c checksums.txt

Step 2: Verify Provenance with GitHub CLI

Once the checksum integrity is established, verify the provenance using GitHub's attestation system:

gh attestation verify tpm-ca-certificates.pem --repo loicsikidi/tpm-ca-certificates
gh attestation verify tpm-intermediate-ca-certificates.pem --repo loicsikidi/tpm-ca-certificates

Option 3: Reproducibility

Warning

This method only verifies the integrity of each bundle.
To be fully secure it MUST be used in addition to gh attestation verify to validate provenance.

git clone https://github.com/loicsikidi/tpm-ca-certificates
cd tpm-ca-certificates
git checkout 2026-02-04
go run ./ generate --workers 10 --output tpm-ca-certificates.pem
go run ./ generate --workers 10 --config .tpm-intermediates.yaml --output tpm-intermediate-ca-certificates.pem --type intermediate
sha256sum tpm-ca-certificates.pem  # Compare with checksums.txt

Changelog

Certificate | Type | Vendor | Action
ODCA CA2 CSME | Intermediate | INTC | ADD
ODCA CA2 OSSE | Intermediate | INTC | ADD
NSING TPM ECC EK CA 001 | Intermediate | NSG | ADD
NSING TPM ECC EK CA 002 | Intermediate | NSG | ADD
NSING TPM ECC EK CA 003 | Intermediate | NSG | ADD
NSING TPM ECC EK CA 004 | Intermediate | NSG | ADD
NSING TPM ECC EK CA 005 | Intermediate | NSG | ADD
NSING TPM RSA EK CA 001 | Intermediate | NSG | ADD
NSING TPM RSA EK CA 002 | Intermediate | NSG | ADD
NSING TPM RSA EK CA 003 | Intermediate | NSG | ADD
NSING TPM RSA EK CA 004 | Intermediate | NSG | ADD
NSING TPM RSA EK CA 005 | Intermediate | NSG | ADD
NSING TPM ECC ROOT CA 001 | Root | NSG | ADD
NSING TPM RSA ROOT CA 001 | Root | NSG | ADD

Generated with GoReleaser 🚀

2026-01-22

22 Jan 20:34
0cdc7f7


TPM CA Certificates 2026-01-22

What's Changed

This release contains the TPM CA Certificates generated at commit 0cdc7f7577f77f2b2a127ad83562bbd8dceabe5d.

Artifacts

  • tpm-ca-certificates.pem - The TPM trust bundle
  • tpm-intermediate-ca-certificates.pem - The TPM intermediate trust bundle
  • checksums.txt - SHA-256 checksum
  • checksums.txt.sigstore.json - Sigstore signature bundle for checksum verification

Verification

Important

If you are not familiar with the concepts around software supply chain security (e.g. build provenance attestation, keyless signature), please read the following resources first:

Option 1: tpmtb CLI

Note

The following commands verify the integrity and provenance of each bundle artifact.

tpmtb is able to verify GitHub attestation signatures and Cosign keyless signatures natively (no need to install Cosign or gh).

Tip

Make sure to use tpmtb >= v0.5.0 to support intermediate bundle verification.

tpmtb bundle verify tpm-ca-certificates.pem
tpmtb bundle verify tpm-intermediate-ca-certificates.pem --type intermediate

Option 2: Cosign and GitHub CLI

The following process does the same thing as option 1:

Step 1: Verify Integrity with Cosign

First, verify the integrity of the checksums file using Cosign:

Tip

Make sure to use cosign >= v2.4.3 to support the Sigstore bundle format.

# Verify the checksums signature
cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp 'https://github.com/loicsikidi/tpm-ca-certificates/.github/workflows/release-bundle.yaml@refs/tags/2026-01-22' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt

# Verify the bundle matches the checksum
sha256sum -c checksums.txt

Step 2: Verify Provenance with GitHub CLI

Once the checksum integrity is established, verify the provenance using GitHub's attestation system:

gh attestation verify tpm-ca-certificates.pem --repo loicsikidi/tpm-ca-certificates
gh attestation verify tpm-intermediate-ca-certificates.pem --repo loicsikidi/tpm-ca-certificates

Option 3: Reproducibility

Warning

This method only verifies the integrity of each bundle.
To be fully secure it MUST be used in addition to gh attestation verify to validate provenance.

git clone https://github.com/loicsikidi/tpm-ca-certificates
cd tpm-ca-certificates
git checkout 2026-01-22
go run ./ generate --workers 10 --output tpm-ca-certificates.pem
go run ./ generate --workers 10 --config .tpm-intermediates.yaml --output tpm-intermediate-ca-certificates.pem --type intermediate
sha256sum tpm-ca-certificates.pem  # Compare with checksums.txt

Changelog

Certificate | Type | Vendor | Action
AMD Pluton Per-Product Factory FIPS EK ICA DFID00B20F00 | Intermediate | AMD | ADD
AMD Pluton Per-Product Factory FIPS EK ICA DFID00B20F40 | Intermediate | AMD | ADD
AMD Pluton Per-Product Factory FIPS EK ICA DFID00B60F00 | Intermediate | AMD | ADD
AMD Pluton Per-Product Factory FIPS EK ICA DFID00B60F80 | Intermediate | AMD | ADD
AMD Pluton Per-Product Factory FIPS EK ICA DFID00B70F00 | Intermediate | AMD | ADD
AMD Pluton Per-Product Factory NON-FIPS EK ICA DFID00B20F00 | Intermediate | AMD | ADD
AMD Pluton Per-Product Factory NON-FIPS EK ICA DFID00B20F40 | Intermediate | AMD | ADD
AMD Pluton Per-Product Factory NON-FIPS EK ICA DFID00B60F00 | Intermediate | AMD | ADD
AMD Pluton Per-Product Factory NON-FIPS EK ICA DFID00B60F80 | Intermediate | AMD | ADD
AMD Pluton Per-Product Factory NON-FIPS EK ICA DFID00B70F00 | Intermediate | AMD | ADD
Pluton Factory DEVICE EK ICA DFID0001 | Intermediate | AMD | ADD
Pluton Factory DEVICE EK ICA DFID008A0F00 | Intermediate | AMD | ADD
Pluton Factory DEVICE EK ICA DFID00A60F11 | Intermediate | AMD | ADD
Pluton Factory FIPS EK ICA DFID0001 | Intermediate | AMD | ADD
Pluton Factory FIPS EK ICA DFID008A0F00 | Intermediate | AMD | ADD
Pluton Factory FIPS EK ICA DFID00A60F11 | Intermediate | AMD | ADD
AMD Pluton Global Factory ICA | Root | AMD | ADD
AMDTPM ECC | Root | AMD | ADD
AMDTPM RSA | Root | AMD | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 079 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 080 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 081 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 082 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 083 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 084 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 085 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 086 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 087 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 RSA CA 079 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 RSA CA 080 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 RSA CA 081 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 RSA CA 082 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 RSA CA 083 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 RSA CA 084 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 RSA CA 085 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 RSA CA 086 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) TPM 2.0 RSA CA 087 | Intermediate | IFX | ADD
Infineon OPTIGA(TM) ECC Root CA | Root | IFX | UPDATE URL
Microsoft Pluton Policy CA A | Intermediate | MSFT | ADD
Microsoft Pluton Root CA 2021 | Root | MSFT | ADD

Generated with GoReleaser 🚀

2026-01-12

12 Jan 22:27
f7ae784


TPM CA Certificates 2026-01-12

What's Changed

This release contains the TPM CA Certificates generated at commit f7ae784e504cc4dd4cceaacc86f79ee23f41c831.

Artifacts

  • tpm-ca-certificates.pem - The TPM trust bundle
  • tpm-intermediate-ca-certificates.pem - The TPM intermediate trust bundle
  • checksums.txt - SHA-256 checksum
  • checksums.txt.sigstore.json - Sigstore signature bundle for checksum verification

Verification

Important

If you are not familiar with the concepts around software supply chain security (e.g. build provenance attestation, keyless signature), please read the following resources first:

Option 1: tpmtb CLI

Note

The following commands verify the integrity and provenance of each bundle artifact.

tpmtb is able to verify GitHub attestation signatures and Cosign keyless signatures natively (no need to install Cosign or gh).

Tip

Make sure to use tpmtb >= v0.5.0 to support intermediate bundle verification.

tpmtb bundle verify tpm-ca-certificates.pem
tpmtb bundle verify tpm-intermediate-ca-certificates.pem --type intermediate

Option 2: Cosign and GitHub CLI

The following process does the same thing as option 1:

Step 1: Verify Integrity with Cosign

First, verify the integrity of the checksums file using Cosign:

Tip

Make sure to use cosign >= v2.4.3 to support the Sigstore bundle format.

# Verify the checksums signature
cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp 'https://github.com/loicsikidi/tpm-ca-certificates/.github/workflows/release-bundle.yaml@refs/tags/2026-01-12' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt

# Verify the bundle matches the checksum
sha256sum -c checksums.txt

Step 2: Verify Provenance with GitHub CLI

Once the checksum integrity is established, verify the provenance using GitHub's attestation system:

gh attestation verify tpm-ca-certificates.pem --repo loicsikidi/tpm-ca-certificates
gh attestation verify tpm-intermediate-ca-certificates.pem --repo loicsikidi/tpm-ca-certificates

Option 3: Reproducibility

Warning

This method only verifies the integrity of each bundle.
To be fully secure it MUST be used in addition to gh attestation verify to validate provenance.

git clone https://github.com/loicsikidi/tpm-ca-certificates
cd tpm-ca-certificates
git checkout 2026-01-12
go run ./ generate --workers 10 --output tpm-ca-certificates.pem
go run ./ generate --workers 10 --config .tpm-intermediates.yaml --output tpm-intermediate-ca-certificates.pem --type intermediate
sha256sum tpm-ca-certificates.pem  # Compare with checksums.txt

Changelog

Generated with GoReleaser 🚀

v0.6.0

29 Dec 09:03
92fed91


tpm-ca-certificates v0.6.0

What's Changed

This release contains the tpmtb binary and OCI images built from commit 92fed91be47b2440c5c6bf729129391b5e588cc0.

Artifacts

  • tpmtb_$VERSION_$OS_$ARCH.$EXTENSION - CLI binaries for various platforms (stored in archives)
  • tpmtb_$VERSION_$OS_$ARCH.$EXTENSION.sbom.json - SBOMs for the binaries in SPDX format
  • checksums.txt - SHA-256 checksums of all artifacts
  • checksums.txt.sigstore.json - Sigstore signature bundle for checksum verification

OCI Images

docker pull ghcr.io/loicsikidi/tpm-ca-certificates/tpmtb:v0.6.0
docker pull ghcr.io/loicsikidi/tpm-ca-certificates/tpmtb:latest

Verification

Important

If you are not familiar with the concepts around software supply chain security (e.g. build provenance attestation, keyless signature), please read the following resources first:

1. Artifacts with Cosign and GitHub CLI

For complete security verification, follow this two-step process:

Step 1: Verify Integrity with Cosign

First, verify the integrity of the checksums file using Cosign:

Tip

Make sure to use cosign >= v2.4.3 to support the Sigstore bundle format.

# Verify the checksums signature
cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp 'https://github.com/loicsikidi/tpm-ca-certificates/.github/workflows/release.yaml@refs/tags/v0.6.0' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt

# Verify any artifact matches the checksum
sha256sum -c checksums.txt

Step 2: Verify Provenance with GitHub CLI

Once the checksum integrity is established, verify the provenance using GitHub's attestation system:

# Verify the archive
gh attestation verify tpmtb_0.6.0_linux_amd64.tar.gz --repo loicsikidi/tpm-ca-certificates

2. OCI Provenance

gh attestation verify oci://ghcr.io/loicsikidi/tpm-ca-certificates/tpmtb:v0.6.0 --repo loicsikidi/tpm-ca-certificates

Changelog

  • 92fed91: feat(api): harmonize API function names (#71) (@loicsikidi)
    • ⚠️ this change introduces several BREAKING CHANGES

Generated with GoReleaser 🚀

v0.5.0

29 Dec 07:34
35975df


tpm-ca-certificates v0.5.0

What's Changed

This release contains the tpmtb binary and OCI images built from commit 35975df8f290eaf2d802c1418dc34f2d985282f2.

Artifacts

  • tpmtb_$VERSION_$OS_$ARCH.$EXTENSION - CLI binaries for various platforms (stored in archives)
  • tpmtb_$VERSION_$OS_$ARCH.$EXTENSION.sbom.json - SBOMs for the binaries in SPDX format
  • checksums.txt - SHA-256 checksums of all artifacts
  • checksums.txt.sigstore.json - Sigstore signature bundle for checksum verification

OCI Images

docker pull ghcr.io/loicsikidi/tpm-ca-certificates/tpmtb:v0.5.0
docker pull ghcr.io/loicsikidi/tpm-ca-certificates/tpmtb:latest

Verification

Important

If you are not familiar with the concepts around software supply chain security (e.g. build provenance attestation, keyless signature), please read the following resources first:

1. Artifacts with Cosign and GitHub CLI

For complete security verification, follow this two-step process:

Step 1: Verify Integrity with Cosign

First, verify the integrity of the checksums file using Cosign:

Tip

Make sure to use cosign >= v2.4.3 to support the Sigstore bundle format.

# Verify the checksums signature
cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp 'https://github.com/loicsikidi/tpm-ca-certificates/.github/workflows/release.yaml@refs/tags/v0.5.0' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt

# Verify any artifact matches the checksum
sha256sum -c checksums.txt

Step 2: Verify Provenance with GitHub CLI

Once the checksum integrity is established, verify the provenance using GitHub's attestation system:

# Verify the archive
gh attestation verify tpmtb_0.5.0_linux_amd64.tar.gz --repo loicsikidi/tpm-ca-certificates

2. OCI Provenance

gh attestation verify oci://ghcr.io/loicsikidi/tpm-ca-certificates/tpmtb:v0.5.0 --repo loicsikidi/tpm-ca-certificates

Changelog

NEW 💫

FIX 🐛

  • CLI
    • infer hash algo from --fingerprint in certificates add command (#69) (@loicsikidi)

Generated with GoReleaser 🚀

2025-12-29

29 Dec 21:39
dadf402


TPM CA Certificates 2025-12-29

What's Changed

This release contains the TPM CA Certificates generated at commit dadf40282f8c846961c70ba56337455a74dd823a.

Artifacts

  • tpm-ca-certificates.pem - The TPM trust bundle
  • tpm-intermediate-ca-certificates.pem - The TPM intermediate trust bundle
  • checksums.txt - SHA-256 checksum
  • checksums.txt.sigstore.json - Sigstore signature bundle for checksum verification

Verification

Important

If you are not familiar with the concepts around software supply chain security (e.g. build provenance attestation, keyless signature), please read the following resources first:

Option 1: tpmtb CLI

Note

The following commands verify the integrity and provenance of each bundle artifact.

tpmtb is able to verify GitHub attestation signatures and Cosign keyless signatures natively (no need to install Cosign or gh).

Tip

Make sure to use tpmtb >= v0.5.0 to support intermediate bundle verification.

tpmtb bundle verify tpm-ca-certificates.pem
tpmtb bundle verify tpm-intermediate-ca-certificates.pem --type intermediate

Option 2: Cosign and GitHub CLI

The following process does the same thing as option 1:

Step 1: Verify Integrity with Cosign

First, verify the integrity of the checksums file using Cosign:

Tip

Make sure to use cosign >= v2.4.3 to support the Sigstore bundle format.

# Verify the checksums signature
cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp 'https://github.com/loicsikidi/tpm-ca-certificates/.github/workflows/release-bundle.yaml@refs/tags/2025-12-29' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt

# Verify the bundle matches the checksum
sha256sum -c checksums.txt

Step 2: Verify Provenance with GitHub CLI

Once the checksum integrity is established, verify the provenance using GitHub's attestation system:

gh attestation verify tpm-ca-certificates.pem --repo loicsikidi/tpm-ca-certificates
gh attestation verify tpm-intermediate-ca-certificates.pem --repo loicsikidi/tpm-ca-certificates

Option 3: Reproducibility

Warning

This method only verifies the integrity of each bundle.
To be fully secure it MUST be used in addition to gh attestation verify to validate provenance.

git clone https://github.com/loicsikidi/tpm-ca-certificates
cd tpm-ca-certificates
git checkout 2025-12-29
go run ./ generate --workers 10 --output tpm-ca-certificates.pem
go run ./ generate --workers 10 --config .tpm-intermediates.yaml --output tpm-intermediate-ca-certificates.pem --type intermediate
sha256sum tpm-ca-certificates.pem  # Compare with checksums.txt

Changelog

Certificate | Type | Vendor | Action
Infineon OPTIGA(TM) ECC Manufacturing CA 000 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 001 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 002 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 003 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 004 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 005 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 006 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 007 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 008 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 009 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 010 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 011 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 012 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 013 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 016 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 017 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 018 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 019 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 020 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 021 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 022 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 023 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 024 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 025 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 026 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 029 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 030 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 033 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 034 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 035 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) ECC Manufacturing CA 036 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 000 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 001 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 002 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 003 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 004 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 005 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 006 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 007 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 008 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 009 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 010 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 011 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 012 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 013 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 016 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 017 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 018 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 019 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 020 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 021 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 022 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 023 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 024 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 025 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 026 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 029 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 030 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 033 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 034 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 035 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) RSA Manufacturing CA 036 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 037 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 038 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 039 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 040 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 041 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 042 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 048 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 051 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 052 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 053 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 054 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 055 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 056 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 059 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 060 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 061 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 062 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 064 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 065 | Intermediate | Infineon | ADD
Infineon OPTIGA(TM) TPM 2.0 ECC CA 066 | Intermediate...

2025-12-27

27 Dec 15:29
1a2b1ce


TPM CA Certificates 2025-12-27

What's Changed

This release contains the TPM CA Certificates generated at commit 1a2b1ce169250ab68715574dd4594acd0205fb68.

Artifacts

  • tpm-ca-certificates.pem - The TPM trust bundle
  • tpm-intermediate-ca-certificates.pem - The TPM intermediate trust bundle
  • checksums.txt - SHA-256 checksum
  • checksums.txt.sigstore.json - Sigstore signature bundle for checksum verification

Verification

Important

If you are not familiar with the concepts around software supply chain security (e.g. build provenance attestation, keyless signature), please read the following resources first:

Option 1: tpmtb CLI

Note

The following commands verify the integrity and provenance of each bundle artifact.

tpmtb is able to verify GitHub attestation signatures and Cosign keyless signatures natively (no need to install Cosign or gh).

Tip

Make sure to use tpmtb >= v0.5.0 to support intermediate bundle verification.

tpmtb bundle verify tpm-ca-certificates.pem
tpmtb bundle verify tpm-intermediate-ca-certificates.pem --type intermediate

Option 2: Cosign and GitHub CLI

The following process does the same thing as option 1:

Step 1: Verify Integrity with Cosign

First, verify the integrity of the checksums file using Cosign:

Tip

Make sure to use cosign >= v2.4.3 to support the Sigstore bundle format.

# Verify the checksums signature
cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp 'https://github.com/loicsikidi/tpm-ca-certificates/.github/workflows/release-bundle.yaml@refs/tags/2025-12-27' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt

# Verify the bundle matches the checksum
sha256sum -c checksums.txt

Step 2: Verify Provenance with GitHub CLI

Once the checksum integrity is established, verify the provenance using GitHub's attestation system:

gh attestation verify tpm-ca-certificates.pem --repo loicsikidi/tpm-ca-certificates
gh attestation verify tpm-intermediate-ca-certificates.pem --repo loicsikidi/tpm-ca-certificates

Option 3: Reproducibility

Warning

This method only verifies the integrity of each bundle.
To be fully secure it MUST be used in addition to gh attestation verify to validate provenance.

git clone https://github.com/loicsikidi/tpm-ca-certificates
cd tpm-ca-certificates
git checkout 2025-12-27
go run ./ generate --workers 10 --output tpm-ca-certificates.pem
go run ./ generate --workers 10 --config .tpm-intermediates.yaml --output tpm-intermediate-ca-certificates.pem --type intermediate
sha256sum tpm-ca-certificates.pem  # Compare with checksums.txt

Changelog

Certificate | Type | Vendor | Action
NPCTxxx ECC384 LeafCA 012110 | Intermediate | NTC | ADD
NPCTxxx ECC384 LeafCA 012111 | Intermediate | NTC | ADD
NPCTxxx ECC384 LeafCA 022110 | Intermediate | NTC | ADD
NPCTxxx ECC384 LeafCA 022111 | Intermediate | NTC | ADD

Generated with GoReleaser 🚀

v0.5.0-rc1

26 Dec 15:41
752fee2


v0.5.0-rc1 (Pre-release)

tpm-ca-certificates v0.5.0-rc1

What's Changed

This release contains the tpmtb binary and OCI images built from commit 752fee24686566e951c75a538f707c4a468fc16b.

Artifacts

  • tpmtb_$VERSION_$OS_$ARCH.$EXTENSION - CLI binaries for various platforms (stored in archives)
  • tpmtb_$VERSION_$OS_$ARCH.$EXTENSION.sbom.json - SBOMs for the binaries in SPDX format
  • checksums.txt - SHA-256 checksums of all artifacts
  • checksums.txt.sigstore.json - Sigstore signature bundle for checksum verification

OCI Images

docker pull ghcr.io/loicsikidi/tpm-ca-certificates/tpmtb:v0.5.0-rc1
docker pull ghcr.io/loicsikidi/tpm-ca-certificates/tpmtb:latest

Verification

Important

If you are not familiar with the concepts around software supply chain security (e.g. build provenance attestation, keyless signature), please read the following resources first:

1. Artifacts with Cosign and GitHub CLI

For complete security verification, follow this two-step process:

Step 1: Verify Integrity with Cosign

First, verify the integrity of the checksums file using Cosign:

Tip

Make sure to use cosign >= v2.4.3 to support the Sigstore bundle format.

# Verify the checksums signature
cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp 'https://github.com/loicsikidi/tpm-ca-certificates/.github/workflows/release.yaml@refs/tags/v0.5.0-rc1' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt

# Verify any artifact matches the checksum
sha256sum -c checksums.txt

Step 2: Verify Provenance with GitHub CLI

Once the checksum integrity is established, verify the provenance using GitHub's attestation system:

# Verify the archive
gh attestation verify tpmtb_0.5.0-rc1_linux_amd64.tar.gz --repo loicsikidi/tpm-ca-certificates

2. OCI Provenance

gh attestation verify oci://ghcr.io/loicsikidi/tpm-ca-certificates/tpmtb:v0.5.0-rc1 --repo loicsikidi/tpm-ca-certificates

Changelog

  • NEW 💫

Generated with GoReleaser 🚀

v0.4.1

26 Dec 16:16
bdbba62


tpm-ca-certificates v0.4.1

What's Changed

This release contains the tpmtb binary and OCI images built from commit bdbba6241bca2f718c4f7cc83ad83427336a5174.

Artifacts

  • tpmtb_$VERSION_$OS_$ARCH.$EXTENSION - CLI binaries for various platforms (stored in archives)
  • tpmtb_$VERSION_$OS_$ARCH.$EXTENSION.sbom.json - SBOMs for the binaries in SPDX format
  • checksums.txt - SHA-256 checksums of all artifacts
  • checksums.txt.sigstore.json - Sigstore signature bundle for checksum verification

OCI Images

docker pull ghcr.io/loicsikidi/tpm-ca-certificates/tpmtb:v0.4.1
docker pull ghcr.io/loicsikidi/tpm-ca-certificates/tpmtb:latest

Verification

Important

If you are not familiar with the concepts around software supply chain security (e.g. build provenance attestation, keyless signature), please read the following resources first:

1. Artifacts with Cosign and GitHub CLI

For complete security verification, follow this two-step process:

Step 1: Verify Integrity with Cosign

First, verify the integrity of the checksums file using Cosign:

Tip

Make sure to use cosign >= v2.4.3 to support the Sigstore bundle format.

# Verify the checksums signature
cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp 'https://github.com/loicsikidi/tpm-ca-certificates/.github/workflows/release.yaml@refs/tags/v0.4.1' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt

# Verify any artifact matches the checksum
sha256sum -c checksums.txt

Step 2: Verify Provenance with GitHub CLI

Once the checksum integrity is established, verify the provenance using GitHub's attestation system:

# Verify the archive
gh attestation verify tpmtb_0.4.1_linux_amd64.tar.gz --repo loicsikidi/tpm-ca-certificates

2. OCI Provenance

gh attestation verify oci://ghcr.io/loicsikidi/tpm-ca-certificates/tpmtb:v0.4.1 --repo loicsikidi/tpm-ca-certificates

Changelog

Generated with GoReleaser 🚀