Merge pull request #22 from tonistiigi/update-tuf-roots-20260205

tonistiigi · web-flow · commit 773cd4aa4cfd · 2026-02-05T13:04:03.000-08:00
update embedded tuf roots
diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -2,7 +2,7 @@ variable "ROOT_SIGNING_VERSION" {
     type    = string
     # default = "8842feefbb65effea46ff4a0f2b6aad91e685fe9" # expired root
     # default = "9d8b5c5e3bed603c80b57fcc316b7a1af688c57e" # expired timestamp
-    default = "b72505e865a7c68bd75e03272fa66512bcb41bb1"
+    default = "a72700d5c80d43a209d31325fee46facc6f0cf31"
     description = "The git commit hash of sigstore/root-signing to use for embedded roots."
 }
 
diff --git a/roots/tuf-root/root.json b/roots/tuf-root/root.json
@@ -1,34 +1,30 @@
 {
  "signatures": [
-  {
-   "keyid": "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3",
-   "sig": ""
-  },
   {
    "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2",
-   "sig": "3045022100bbddd464f8066ceb88ba787375c12cd6330680e08c2910703e6538c71cc79ad202205190b06e4537fe961b3ef81fe68edcd0089c19f919afed423b9aafd700641153"
+   "sig": "3046022100e04c9706299be5d8c2b14fb50bcd5b9c241f10597153dfe22f943efe896b5150022100cfd7b9f06a5900784e312d02b8e336edbb3b2fab61ac14550b3112b4f9e33df4"
   },
   {
    "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06",
-   "sig": "3044022069306cd5257f732a740c1afe60a8e433c5de58eafeadbe99c336c9c71d198cf802200d773953ae7dbc48d3e5bad9a6f64bafff196b7e2ad4a52a19519367d47dc042"
+   "sig": ""
   },
   {
    "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222",
-   "sig": "304402204d21a2ec80df66e61f6fe2912951dc47df836036f8c0ab10816d375e71dbf79e0220547adce1afdf04e6794efa203dd5264c6f7e0ef78e57fe934b0d26cb994eec76"
+   "sig": "3045022100cc308ae7d390fa782ee3376ddfaa929835016e86dad81f69e2de7ec1e174432e02205fb19906a31cce146c29624443c0d0c2f33ee80dac39d72114f939607cc22937"
   },
   {
    "keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70",
-   "sig": "3045022060826496557144eb1649893ed5f6f4ea54536feb0ca82f8b89ae641be39743e5022100ad7118b5e9d4837326206e412fc6da2999925d110328a7c166b06c624336c93f"
+   "sig": "304502203f8aff7a30e05a8c3d904b671ab1a6e4e8a6f508b7cfa0c780e72976bee7a227022100f64c9b765526f34d9ea16339cf238893e1c3368b4f0910a61a1af27dda01ebb9"
   },
   {
    "keyid": "183e64f37670dc13ca0d28995a3053f3740954ddce44321a41e46534cf44e632",
-   "sig": "3046022100d8179439c2e73eb0c1733abee7faf832dcaea7263edcb4919891c3a247f05923022100e1a437e0797e803f9b72dc9d2d92155b0a2270c24efdd5f4b3a5d8f0b0f431a7"
+   "sig": "304502202363ca249aefa6d5f61c408a32cdd079b034a7888ddf2136dc4515ed4a728418022100b04eca42bc510ccbbf5d30783aaa936b1f137ca7a017ee9d90d3710432da0427"
   }
  ],
  "signed": {
   "_type": "root",
   "consistent_snapshot": true,
-  "expires": "2026-01-22T13:05:59Z",
+  "expires": "2026-06-22T13:27:01Z",
   "keys": {
    "0c87432c3bf09fd99189fdc32fa5eaedf4e4a5fac7bab73fa04a2e0fc64af6f5": {
     "keyid_hash_algorithms": [
@@ -138,7 +134,7 @@
    }
   },
   "spec_version": "1.0",
-  "version": 13,
+  "version": 14,
   "x-tuf-on-ci-expiry-period": 197,
   "x-tuf-on-ci-signing-period": 46
  }
diff --git a/roots/tuf-root/snapshot.json b/roots/tuf-root/snapshot.json
@@ -2,15 +2,15 @@
  "signatures": [
   {
    "keyid": "0c87432c3bf09fd99189fdc32fa5eaedf4e4a5fac7bab73fa04a2e0fc64af6f5",
-   "sig": "3044022043cdc6f2ee47ee7b4486ab92ce58424ef0b7b351a47853ea68316b67133a4a69022037c5cd433cc2cde76558c579c59a14dd9fc0bc85c496feaa17d90896cd4145fb"
+   "sig": "3046022100a42f44341870864aa7e4f94af642ed68e09890aa109d76947276e24f13c315f2022100c3efb5500a4b67cb03a0fe708db32d8f5f151aad4bbacfd6679437e8c5fa5f9f"
   }
  ],
  "signed": {
   "_type": "snapshot",
-  "expires": "2035-10-08T16:46:31Z",
+  "expires": "2035-11-24T12:02:06Z",
   "meta": {
    "registry.npmjs.org.json": {
-    "version": 6
+    "version": 7
    },
    "rekor.json": {
     "hashes": {
@@ -49,6 +49,6 @@
    }
   },
   "spec_version": "1.0",
-  "version": 162
+  "version": 163
  }
 }
diff --git a/roots/tuf-root/timestamp.json b/roots/tuf-root/timestamp.json
@@ -2,18 +2,18 @@
  "signatures": [
   {
    "keyid": "0c87432c3bf09fd99189fdc32fa5eaedf4e4a5fac7bab73fa04a2e0fc64af6f5",
-   "sig": "3046022100baf8a66a62531e9db32df4a1475099798cc6126add00193c8b641ed3dfb83b2c022100eedbc40511f1f72459b95188995917ad564992a2258436a96d27885c063b7de1"
+   "sig": "3046022100d7ef32458ba07441f1d840bae2d7cf5740ec01462499439e02f8ad9b5c53777f0221009c56763e60f8311a45c148f4276163c9f2b241ce0da65202f92f5de4ce2e4445"
   }
  ],
  "signed": {
   "_type": "timestamp",
-  "expires": "2025-11-02T01:55:53Z",
+  "expires": "2026-02-12T13:42:54Z",
   "meta": {
    "snapshot.json": {
-    "version": 162
+    "version": 163
    }
   },
   "spec_version": "1.0",
-  "version": 498
+  "version": 587
  }
 }

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ variable "ROOT_SIGNING_VERSION" {`
`2`	`2`	`type = string`
`3`	`3`	`# default = "8842feefbb65effea46ff4a0f2b6aad91e685fe9" # expired root`
`4`	`4`	`# default = "9d8b5c5e3bed603c80b57fcc316b7a1af688c57e" # expired timestamp`
`5`		`- default = "b72505e865a7c68bd75e03272fa66512bcb41bb1"`
	`5`	`+ default = "a72700d5c80d43a209d31325fee46facc6f0cf31"`
`6`	`6`	`description = "The git commit hash of sigstore/root-signing to use for embedded roots."`
`7`	`7`	`}`
`8`	`8`
Original file line number	Diff line number	Diff line change
`@@ -1,34 +1,30 @@`
`1`	`1`	`{`
`2`	`2`	`"signatures": [`
`3`		`- {`
`4`		`- "keyid": "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3",`
`5`		`- "sig": ""`
`6`		`- },`
`7`	`3`	`{`
`8`	`4`	`"keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2",`
`9`		`- "sig": "3045022100bbddd464f8066ceb88ba787375c12cd6330680e08c2910703e6538c71cc79ad202205190b06e4537fe961b3ef81fe68edcd0089c19f919afed423b9aafd700641153"`
	`5`	`+ "sig": "3046022100e04c9706299be5d8c2b14fb50bcd5b9c241f10597153dfe22f943efe896b5150022100cfd7b9f06a5900784e312d02b8e336edbb3b2fab61ac14550b3112b4f9e33df4"`
`10`	`6`	`},`
`11`	`7`	`{`
`12`	`8`	`"keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06",`
`13`		`- "sig": "3044022069306cd5257f732a740c1afe60a8e433c5de58eafeadbe99c336c9c71d198cf802200d773953ae7dbc48d3e5bad9a6f64bafff196b7e2ad4a52a19519367d47dc042"`
	`9`	`+ "sig": ""`
`14`	`10`	`},`
`15`	`11`	`{`
`16`	`12`	`"keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222",`
`17`		`- "sig": "304402204d21a2ec80df66e61f6fe2912951dc47df836036f8c0ab10816d375e71dbf79e0220547adce1afdf04e6794efa203dd5264c6f7e0ef78e57fe934b0d26cb994eec76"`
	`13`	`+ "sig": "3045022100cc308ae7d390fa782ee3376ddfaa929835016e86dad81f69e2de7ec1e174432e02205fb19906a31cce146c29624443c0d0c2f33ee80dac39d72114f939607cc22937"`
`18`	`14`	`},`
`19`	`15`	`{`
`20`	`16`	`"keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70",`
`21`		`- "sig": "3045022060826496557144eb1649893ed5f6f4ea54536feb0ca82f8b89ae641be39743e5022100ad7118b5e9d4837326206e412fc6da2999925d110328a7c166b06c624336c93f"`
	`17`	`+ "sig": "304502203f8aff7a30e05a8c3d904b671ab1a6e4e8a6f508b7cfa0c780e72976bee7a227022100f64c9b765526f34d9ea16339cf238893e1c3368b4f0910a61a1af27dda01ebb9"`
`22`	`18`	`},`
`23`	`19`	`{`
`24`	`20`	`"keyid": "183e64f37670dc13ca0d28995a3053f3740954ddce44321a41e46534cf44e632",`
`25`		`- "sig": "3046022100d8179439c2e73eb0c1733abee7faf832dcaea7263edcb4919891c3a247f05923022100e1a437e0797e803f9b72dc9d2d92155b0a2270c24efdd5f4b3a5d8f0b0f431a7"`
	`21`	`+ "sig": "304502202363ca249aefa6d5f61c408a32cdd079b034a7888ddf2136dc4515ed4a728418022100b04eca42bc510ccbbf5d30783aaa936b1f137ca7a017ee9d90d3710432da0427"`
`26`	`22`	`}`
`27`	`23`	`],`
`28`	`24`	`"signed": {`
`29`	`25`	`"_type": "root",`
`30`	`26`	`"consistent_snapshot": true,`
`31`		`- "expires": "2026-01-22T13:05:59Z",`
	`27`	`+ "expires": "2026-06-22T13:27:01Z",`
`32`	`28`	`"keys": {`
`33`	`29`	`"0c87432c3bf09fd99189fdc32fa5eaedf4e4a5fac7bab73fa04a2e0fc64af6f5": {`
`34`	`30`	`"keyid_hash_algorithms": [`
`@@ -138,7 +134,7 @@`
`138`	`134`	`}`
`139`	`135`	`},`
`140`	`136`	`"spec_version": "1.0",`
`141`		`- "version": 13,`
	`137`	`+ "version": 14,`
`142`	`138`	`"x-tuf-on-ci-expiry-period": 197,`
`143`	`139`	`"x-tuf-on-ci-signing-period": 46`
`144`	`140`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,15 +2,15 @@`
`2`	`2`	`"signatures": [`
`3`	`3`	`{`
`4`	`4`	`"keyid": "0c87432c3bf09fd99189fdc32fa5eaedf4e4a5fac7bab73fa04a2e0fc64af6f5",`
`5`		`- "sig": "3044022043cdc6f2ee47ee7b4486ab92ce58424ef0b7b351a47853ea68316b67133a4a69022037c5cd433cc2cde76558c579c59a14dd9fc0bc85c496feaa17d90896cd4145fb"`
	`5`	`+ "sig": "3046022100a42f44341870864aa7e4f94af642ed68e09890aa109d76947276e24f13c315f2022100c3efb5500a4b67cb03a0fe708db32d8f5f151aad4bbacfd6679437e8c5fa5f9f"`
`6`	`6`	`}`
`7`	`7`	`],`
`8`	`8`	`"signed": {`
`9`	`9`	`"_type": "snapshot",`
`10`		`- "expires": "2035-10-08T16:46:31Z",`
	`10`	`+ "expires": "2035-11-24T12:02:06Z",`
`11`	`11`	`"meta": {`
`12`	`12`	`"registry.npmjs.org.json": {`
`13`		`- "version": 6`
	`13`	`+ "version": 7`
`14`	`14`	`},`
`15`	`15`	`"rekor.json": {`
`16`	`16`	`"hashes": {`
`@@ -49,6 +49,6 @@`
`49`	`49`	`}`
`50`	`50`	`},`
`51`	`51`	`"spec_version": "1.0",`
`52`		`- "version": 162`
	`52`	`+ "version": 163`
`53`	`53`	`}`
`54`	`54`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,18 +2,18 @@`
`2`	`2`	`"signatures": [`
`3`	`3`	`{`
`4`	`4`	`"keyid": "0c87432c3bf09fd99189fdc32fa5eaedf4e4a5fac7bab73fa04a2e0fc64af6f5",`
`5`		`- "sig": "3046022100baf8a66a62531e9db32df4a1475099798cc6126add00193c8b641ed3dfb83b2c022100eedbc40511f1f72459b95188995917ad564992a2258436a96d27885c063b7de1"`
	`5`	`+ "sig": "3046022100d7ef32458ba07441f1d840bae2d7cf5740ec01462499439e02f8ad9b5c53777f0221009c56763e60f8311a45c148f4276163c9f2b241ce0da65202f92f5de4ce2e4445"`
`6`	`6`	`}`
`7`	`7`	`],`
`8`	`8`	`"signed": {`
`9`	`9`	`"_type": "timestamp",`
`10`		`- "expires": "2025-11-02T01:55:53Z",`
	`10`	`+ "expires": "2026-02-12T13:42:54Z",`
`11`	`11`	`"meta": {`
`12`	`12`	`"snapshot.json": {`
`13`		`- "version": 162`
	`13`	`+ "version": 163`
`14`	`14`	`}`
`15`	`15`	`},`
`16`	`16`	`"spec_version": "1.0",`
`17`		`- "version": 498`
	`17`	`+ "version": 587`
`18`	`18`	`}`
`19`	`19`	`}`