[targets v11] What to do with the GitHub TSA in trusted_root.json
#1268
Labels: enhancement (New feature or request)
Description
Currently we ship GitHub's TSA as part of trusted_root.json.
This was made in an effort to support the community and possibly the npm work with a TSA, but it's not used outside of GitHub to my knowledge.
The certificate for GitHub's TSA has now been rotated, and the rotation frequency is currently every 6 months (yes, this is frequent!). This will pose a challenge for sigstore root signing to keep up.
I'm wondering if we should remove the TSA from trusted_root.json?
cc @trevrosen @bobcallaway @haydentherapper