Upgrade to latest Sigstore TUF client #3548

Closed
@haydentherapper

Description

Tracking issue for using the new Sigstore TUF client, https://github.com/sigstore/sigstore-go/blob/main/pkg/tuf/client.go. This client adds support for using the new trusted root metadata and improves caching logic.

This removes support for the per-target custom metadata, i.e., https://github.com/sigstore/scaffolding/blob/b0d09de38f7ea4ee5939a52cebadbc7127d4e127/pkg/repo/repo.go#L44-L48, which is used for private deployments. Given this will be a breaking change in Cosign, we can either switch to this client as part of Cosign 3.0, announce deprecation and wait X months, or support both TUF clients via a flag (temporarily, we would still announce deprecation of the previous TUF client).

cc @codysoyland @kommendorkapten

Ref: sigstore/scaffolding#1001
