refactor: API for fetching / using the trust root

README.md

@@ -44,8 +44,8 @@ sigstore-sign = "0.1"
 use sigstore_verify::{Verifier, VerificationPolicy};
 use sigstore_trust_root::TrustedRoot;
 
-// Load the trusted root (contains Fulcio CA, Rekor keys, etc.)
-let root = TrustedRoot::production()?;
+// Load the trusted root via TUF (recommended - ensures up-to-date trust material)
+let root = TrustedRoot::production().await?;
 let verifier = Verifier::new(&root);
 
 // Parse the bundle (contains signature, certificate, transparency log entry)

crates/sigstore-conformance/src/main.rs

@@ -7,7 +7,7 @@
 
 use sigstore_oidc::IdentityToken;
 use sigstore_sign::{SigningConfig as SignerSigningConfig, SigningContext};
-use sigstore_trust_root::{SigningConfig as TufSigningConfig, TrustedRoot};
+use sigstore_trust_root::{SigningConfig as TufSigningConfig, TrustedRoot, SIGSTORE_PRODUCTION_TRUSTED_ROOT};
 use sigstore_types::{Bundle, Sha256Hash, SignatureContent};
 use sigstore_verify::{verify, VerificationPolicy};
 
@@ -224,8 +224,9 @@ fn verify_bundle(args: &[String]) -> Result<(), Box<dyn std::error::Error>> {
     let trusted_root = if let Some(root_path) = trusted_root_path {
         TrustedRoot::from_file(&root_path)?
     } else {
-        // Default to production trusted root when not specified
-        TrustedRoot::production()?
+        // Default to embedded production trusted root when not specified
+        // For better freshness, use TrustedRoot::production().await in async contexts
+        TrustedRoot::from_json(SIGSTORE_PRODUCTION_TRUSTED_ROOT)?
     };
 
     // Load bundle

crates/sigstore-sign/src/sign.rs

@@ -10,7 +10,10 @@ use sigstore_oidc::IdentityToken;
 use sigstore_rekor::{
     DsseEntry, DsseEntryV2, HashedRekord, HashedRekordV2, RekorApiVersion, RekorClient,
 };
-use sigstore_trust_root::SigningConfig as TufSigningConfig;
+use sigstore_trust_root::{
+    SigningConfig as TufSigningConfig, SIGSTORE_PRODUCTION_SIGNING_CONFIG,
+    SIGSTORE_STAGING_SIGNING_CONFIG,
+};
 use sigstore_tsa::TimestampClient;
 use sigstore_types::{
     Artifact, Bundle, DerCertificate, DsseEnvelope, DsseSignature, KeyId, PayloadBytes, Sha256Hash,
@@ -49,15 +52,23 @@ impl SigningConfig {
     /// Create configuration for Sigstore public-good instance
     ///
     /// This uses the embedded signing config to get the best available endpoints.
+    /// For the most up-to-date endpoints, use `from_tuf_config()` with a TUF-fetched config.
     pub fn production() -> Self {
-        Self::from_tuf_config(&TufSigningConfig::production().expect("embedded config is valid"))
+        Self::from_tuf_config(
+            &TufSigningConfig::from_json(SIGSTORE_PRODUCTION_SIGNING_CONFIG)
+                .expect("embedded config is valid"),
+        )
     }
 
     /// Create configuration for Sigstore staging instance
     ///
     /// This uses the embedded signing config to get the best available endpoints.
+    /// For the most up-to-date endpoints, use `from_tuf_config()` with a TUF-fetched config.
     pub fn staging() -> Self {
-        Self::from_tuf_config(&TufSigningConfig::staging().expect("embedded config is valid"))
+        Self::from_tuf_config(
+            &TufSigningConfig::from_json(SIGSTORE_STAGING_SIGNING_CONFIG)
+                .expect("embedded config is valid"),
+        )
     }
 
     /// Create configuration from a TUF signing config

crates/sigstore-trust-root/Cargo.toml

@@ -8,7 +8,7 @@ repository.workspace = true
 rust-version.workspace = true
 
 [features]
-default = []
+default = ["tuf"]
 tuf = ["tough", "tokio", "futures", "directories", "url", "tracing"]
 
 [dependencies]
@@ -43,5 +43,6 @@ url = { workspace = true, optional = true }
 tracing = { workspace = true, optional = true }
 
 [dev-dependencies]
+tempfile = "3.25.0"
 # For testing
 tokio = { workspace = true, features = ["rt-multi-thread", "macros"] }

crates/sigstore-trust-root/README.md

@@ -9,10 +9,11 @@ This crate handles parsing and management of Sigstore trusted root bundles. The
 ## Features
 
 - **Trusted root parsing**: Load and parse `trusted_root.json` files
-- **Embedded roots**: Built-in production and staging trust anchors
-- **TUF support**: Optional secure fetching via The Update Framework (requires `tuf` feature)
+- **TUF support**: Secure fetching via The Update Framework (enabled by default)
+- **Embedded roots**: Built-in production and staging trust anchors for offline use
 - **Key extraction**: Extract public keys and certificates for verification
 - **Validity periods**: Time-based key and certificate validity checking
+- **Custom TUF repos**: Support for custom TUF repository URLs
 
 ## Trust Anchors
 
@@ -26,22 +27,41 @@ This crate handles parsing and management of Sigstore trusted root bundles. The
 ## Usage
 
 ```rust
-use sigstore_trust_root::TrustedRoot;
+use sigstore_trust_root::{TrustedRoot, SIGSTORE_PRODUCTION_TRUSTED_ROOT};
 
-// Use embedded production root
-let root = TrustedRoot::production()?;
+// Fetch via TUF (recommended - ensures up-to-date trust material)
+let root = TrustedRoot::production().await?;
+
+// Use embedded data (for offline use)
+let root = TrustedRoot::from_json(SIGSTORE_PRODUCTION_TRUSTED_ROOT)?;
 
 // Load from file
 let root = TrustedRoot::from_file("trusted_root.json")?;
+```
 
-// With TUF feature: fetch securely
-#[cfg(feature = "tuf")]
-let root = TrustedRoot::from_tuf().await?;
+### Custom TUF Repository
+
+```rust
+use sigstore_trust_root::{TrustedRoot, TufConfig};
+
+// Fetch from a custom TUF repository (e.g., for testing)
+let config = TufConfig::custom(
+    "https://sigstore.github.io/root-signing/",
+    include_bytes!("path/to/root.json"),
+);
+let root = TrustedRoot::from_tuf(config).await?;
 ```
 
 ## Cargo Features
 
-- `tuf` - Enable TUF-based secure fetching of trusted roots
+- `tuf` (default) - Enable TUF-based secure fetching of trusted roots
+
+To opt out of TUF support:
+
+```toml
+[dependencies]
+sigstore-trust-root = { version = "0.1", default-features = false }
+```
 
 ## Related Crates