
fix: use sigstore-go TUF client for verify to match initialize #763

Open
SequeI wants to merge 1 commit into sigstore:main from SequeI:fixTuf



SequeI commented Feb 11, 2026

Summary

gitsign initialize writes the TUF cache in sigstore-go format, but verify was reading using the old sigstore/sigstore TUF client which expects a different cache layout. This caused verify to fall back to its expired embedded root. Switch all TUF reads to sigstore-go so initialize and verify use the same cache.

Now, gitsign verify will work with gitsign/cosign initialize as it works off the same sigstore cache format.

Release Note

Documentation

gitsign initialize writes the TUF cache in sigstore-go format, but
verify was reading using the old sigstore/sigstore TUF client which
expects a different cache layout. This caused verify to fall back to
its expired embedded root. Switch all TUF reads to sigstore-go so
initialize and verify use the same cache.

Signed-off-by: SequeI <asiek@redhat.com>
@gittuf-app-beta

Observed review from tommyd450+59835082 (@tommyd450)
