Skip to content

Backport trust root fixes to 3.5.x #1578

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: series/3.5.x
Choose a base branch
from
Open

Backport trust root fixes to 3.5.x #1578

wants to merge 4 commits into from
+25 −6

Conversation

jku
Copy link
Member

@jku jku commented Oct 14, 2025
edited
Loading

I would say I generally don't want to actively maintain more than two series at the same time... However to get #1575 started on the right foot we could still do a patch release of 3.5.x (and then make it clear it's unsupported).

CC @di this is your idea from #1575

jku and others added 3 commits October 14, 2025 20:28
@jku
Backport: internal/trust: Fix bug in rekor key lookup
b7934cf 
Rekor keyring can (and in future will) have multiple keys:
logs not only get sharded but once rekor-tiles is integrated in the
public good instance, there will be two writable logs for a while.

Backport of sigstore#1350

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@jku
Backport sigstore#1424
ea46408 
Fail less hard when unsupported keys are seen

Current trusted root contains keys this client version does not
understand: the keys are not necessary to verify or sign
bundles with rekor v1

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@woodruffw @jku
Backport: ci: fix offline tests on ubuntu-latest
01c96b3 
Backport of sigstore#1283

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@jku jku force-pushed the backport-trust-root-fixes-to-3.5 branch from 3d16ab4 to 01c96b3 Compare October 14, 2025 17:39
@jku jku mentioned this pull request Oct 14, 2025
Draft
@jku jku marked this pull request as ready for review October 14, 2025 18:18
@jku jku marked this pull request as draft October 14, 2025 18:18
@jku
Copy link
Member Author

jku commented Oct 14, 2025

I'll still do the version bump and changelog update in this PR if we want to do this

@jku
Bump 3.5.x series to 3.5.4
f5b4587 
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@jku
Copy link
Member Author

jku commented Oct 15, 2025

I'm marking this ready for review even though I'm not 100% sure we should do this:

  • On one hand I'd like to start CI: Add test that checks that old version can verify #1575 with as many release series in it as possible
  • On the other, I don't want to give the impression that 3.5.x is really maintained anymore (when we have both a newer major release 4.x and a newer minor release 3.6)

@jku jku marked this pull request as ready for review October 15, 2025 10:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jku @woodruffw