zarf tools trusted-root create
Create a Sigstore trusted root
Create a Sigstore protobuf trusted root, either by retrieving the public Sigstore root via TUF or by composing one from provided verification material.
Use --with-default-services to retrieve the public-good Sigstore trusted root. Combine it with --fulcio/--rekor/--ctfe/--tsa to extend or override the defaults, or pass only the service flags to compose a trusted root for private Sigstore infrastructure.
Respects the TUF_MIRROR, TUF_ROOT, and TUF_ROOT_JSON environment variables for custom TUF configurations.
Usage:

```
zarf tools trusted-root create [flags]
```

Examples:

```
# Retrieve the public Sigstore trusted root via TUF
zarf tools trusted-root create --with-default-services --out trusted_root.json

# Compose a trusted root from custom Sigstore infrastructure
zarf tools trusted-root create \
  --fulcio="url=https://fulcio.example.com,certificate-chain=/path/to/fulcio.pem" \
  --rekor="url=https://rekor.example.com,public-key=/path/to/rekor.pub,start-time=2024-01-01T00:00:00Z" \
  --out trusted_root.json

# Extend public defaults with additional private TSA
zarf tools trusted-root create \
  --with-default-services \
  --tsa="url=https://tsa.example.com,certificate-chain=/path/to/tsa.pem" \
  --out trusted_root.json
```

Options:

```
      --ctfe stringArray        ctfe service specification, as a comma-separated key-value list. Required keys: url, public-key (path to PEM-encoded public key), start-time. Optional keys: end-time, origin.
      --fulcio stringArray      fulcio service specification, as a comma-separated key-value list. Required keys: url, certificate-chain (path to PEM-encoded certificate chain). Optional keys: start-time, end-time.
  -h, --help                    help for create
      --no-default-ctfe         removes the default CTFE URLs from the trusted root.
      --no-default-fulcio       removes the default Fulcio URLs from the trusted root.
      --no-default-rekor        removes the default Rekor URLs from the trusted root.
      --no-default-tsa          removes the default TSA URLs from the trusted root.
      --out string              path to output trusted root
      --rekor stringArray       rekor service specification, as a comma-separated key-value list. Required keys: url, public-key (path to PEM-encoded public key), start-time. Optional keys: end-time, origin.
      --tsa stringArray         timestamping authority specification, as a comma-separated key-value list. Required keys: url, certificate-chain (path to PEM-encoded certificate chain). Optional keys: start-time, end-time.
      --with-default-services   use the Sigstore TUF root as default values to populate the trusted root. Specifying the other service flags will override the default values.
```

Options inherited from parent commands:

```
  -a, --architecture string       Architecture for OCI images and Zarf packages
      --features stringToString   [ALPHA] Provide a comma-separated list of feature names to bools to enable or disable. Ex. --features "foo=true,bar=false,baz=true" (default [])
      --insecure-skip-tls-verify  Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
      --log-format string         Select a logging format. Defaults to 'console'. Valid options are: 'console', 'json', 'dev'. (default "console")
  -l, --log-level string          Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info")
      --no-color                  Disable terminal color codes in logging and stdout prints.
      --plain-http                Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
      --tmpdir string             Specify the temporary directory to use for intermediate files
      --zarf-cache string         Specify the location of the Zarf cache directory (default "~/.zarf-cache")
```

SEE ALSO:

- zarf tools trusted-root - Tools for working with Sigstore trusted roots