Skip to content

Rekor v2 migration delta (gated on #194 spike) #107

Description

@michael-herwig

Part of #24. Gated on the #194 step-0 spike outcome. Blocked by #194.

Why

The original scope ("upgrade sigstore-rs to Rekor v2 / TUF root") described an upgrade of a dependency that does not exist yet — PR #87 ships no sigstore crate, and the TUF-distributed trust root lands with the pipeline itself in #194. What remains here is only the Rekor v1 → v2 delta.

Timing facts (verified 2026-07-09):

What

  1. Consume the Implement sign/verify pipeline via sigstore-rs (slice 2) #194 spike outcome:
  2. When sigstore-rs grows v2 support: sign against a Rekor v2 (Tessera-backed) log and verify v2 entries.
  3. Endpoint discovery stays dynamic via SigningConfig/TrustedRoot — no hardcoded Rekor URL anywhere (~6-month rotation).
  4. Keep Rekor v1 entry verification working — packages signed before the migration must still verify.

Acceptance criteria

  • Sign against a Rekor v2 log; entry verifies via the TUF-distributed trust root.
  • Bundles containing Rekor v1 entries still verify (backward compat for already-published packages).
  • No hardcoded Rekor endpoint — endpoint comes from SigningConfig/TrustedRoot only.
  • rekor.rs "v2 deferred" doc note removed or updated.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/ociSubsystem: ocisecuritySecurity-relevant change or hardening

    Type

    Fields

    No fields configured for Task.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions