This issue is to propose integrating [The Update Framework (TUF)](https://theupdateframework.io/) into Notary Project as an optional mechanism for securely distributing and updating trust metadata, such as signing certificate authorities (CAs), trusted public keys and revocation information. TUF integration would give users robust, automated and scalable trust management, which is critical for secure software supply chains, and aligns with Notary Project's vision to standardize and secure artifact signing across ecosystems.
We could consider the following scope:
- Leverage existing Go TUF implementations (e.g., [go-tuf](https://github.com/theupdateframework/go-tuf)).
- Allow users to bootstrap a TUF root and configure TUF-based trust stores.
- Support pluggable TUF repository sources (e.g., HTTP servers or OCI registries).
- Extend Notation's trust policy system to validate against TUF-fetched trust metadata.
## Benefits

| Capability | Benefit |
|---|---|
| Automated Trust Rotation | Safe key rotation and delegation using TUF roles, thresholds and versioning; a new root must be signed by both the outgoing and the incoming root keys. |
| Revocation Support | Mitigate key compromise by dropping the key from newly signed metadata; short-lived timestamp metadata forces clients to refresh, so the change takes effect within its expiry window. |
| Immutable Registry Metadata | Signed, hash-pinned mapping of tags to digests when metadata is stored in OCI registries. |
| Air-gapped & Enterprise-Ready | Bring-your-own TUF repository (BYO-TUF) gives full control over the internal root of trust. |
| Defense-in-Depth | Adds an extra layer of resilience against rollback, freeze and replay attacks through version and expiry checks. |
## User Scenarios

### Enterprise/Private Environments
Host internal TUF repositories for secure distribution of org-wide signing certs, keys, and verification policies.

### Key Rotation & Revocation
Use TUF to roll new keys/certs into the Notation trust policy without manual intervention or downtime: clients pick up the new metadata on their next refresh, and a compromised key is retired by publishing metadata that no longer lists it.

### OCI Registry Integration
Store and consume TUF metadata directly in OCI registries alongside artifacts to preserve artifact-trust binding.
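The following is an added example, not code from Notary Project, notation or go-tuf, showing the client-side checks that the scope items and the scenarios above rely on: threshold signature verification against a trusted root, the TUF root-rotation rule (a new root must be signed by both the old and the new root keys), expiry and rollback protection, and hash-pinning of a trust-store file such as a CA certificate. The metadata format (`Signed`, `Metadata`, the `RootKeys`/`TargetsKeys` fields, hex-encoded ed25519 keys) is a simplification assumed for illustration, not TUF's wire format; a real integration would use go-tuf's metadata types. The certificate bytes are a constructed sample, not a real certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Simplified TUF-style envelope (hypothetical: not wire-compatible with the TUF spec, which uses
// canonical JSON, a "roles" table and typed key objects). Key maps are keyid -> hex ed25519 pubkey.
type Signed struct {
	Version     int               `json:"version"`
	Expires     time.Time         `json:"expires"`
	Threshold   int               `json:"threshold,omitempty"`    // root: signatures required per role
	RootKeys    map[string]string `json:"root_keys,omitempty"`    // root: keys allowed to sign root
	TargetsKeys map[string]string `json:"targets_keys,omitempty"` // root: keys allowed to sign targets
	Targets     map[string]string `json:"targets,omitempty"`      // targets: file path -> sha256 hex
}
type Metadata struct {
	Signed     Signed
	Signatures map[string]string // keyid -> hex signature; one entry per key, so each key counts once
}

func keyID(pub ed25519.PublicKey) string { h := sha256.Sum256(pub); return hex.EncodeToString(h[:]) }

// Sign adds a signature per key over the JSON "signed" section (Go's encoder is deterministic here).
func Sign(m *Metadata, keys ...ed25519.PrivateKey) {
	body, _ := json.Marshal(m.Signed)
	if m.Signatures == nil {
		m.Signatures = map[string]string{}
	}
	for _, k := range keys {
		m.Signatures[keyID(k.Public().(ed25519.PublicKey))] = hex.EncodeToString(ed25519.Sign(k, body))
	}
}

// Verify accepts m only if at least n trusted keys signed it, it is unexpired at now, and its
// version is not below minVersion (rollback protection).
func Verify(m *Metadata, trusted map[string]string, n int, now time.Time, minVersion int) error {
	body, _ := json.Marshal(m.Signed)
	valid := 0
	for id, sigHex := range m.Signatures {
		pub, _ := hex.DecodeString(trusted[id]) // empty when the signer is not a trusted key
		sig, _ := hex.DecodeString(sigHex)
		if len(pub) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(pub), body, sig) {
			valid++
		}
	}
	switch v := m.Signed.Version; {
	case valid < n:
		return fmt.Errorf("v%d: %d valid signatures, need %d", v, valid, n)
	case !m.Signed.Expires.After(now):
		return fmt.Errorf("v%d expired at %s", v, m.Signed.Expires.Format(time.RFC3339))
	case v < minVersion:
		return fmt.Errorf("rollback: v%d is older than trusted v%d", v, minVersion)
	}
	return nil
}

// UpdateRoot applies TUF's rotation rule: root N+1 must meet the threshold of the OLD root's keys
// and of its OWN keys, so a freshly generated key cannot take over on its own. It returns the root
// to trust from now on: the new one on success, the old one otherwise.
func UpdateRoot(old, nw Metadata, now time.Time) (Metadata, error) {
	if nw.Signed.Version != old.Signed.Version+1 {
		return old, fmt.Errorf("root v%d is not the successor of v%d", nw.Signed.Version, old.Signed.Version)
	}
	if err := Verify(&nw, old.Signed.RootKeys, old.Signed.Threshold, now, nw.Signed.Version); err != nil {
		return old, fmt.Errorf("old root keys: %w", err)
	}
	if err := Verify(&nw, nw.Signed.RootKeys, nw.Signed.Threshold, now, nw.Signed.Version); err != nil {
		return old, fmt.Errorf("new root keys: %w", err)
	}
	return nw, nil
}

// VerifyTarget checks a fetched trust-store file (e.g. a CA certificate) against the hash pinned
// in targets metadata that has already passed Verify.
func VerifyTarget(t *Metadata, path string, content []byte) error {
	sum := sha256.Sum256(content)
	if want, ok := t.Signed.Targets[path]; !ok || want != hex.EncodeToString(sum[:]) {
		return fmt.Errorf("%s: not listed in targets or hash mismatch", path)
	}
	return nil
}

// newRoot builds single-key, threshold-1 root metadata for the demo.
func newRoot(version int, exp time.Time, rootPub, targetsPub ed25519.PublicKey) Metadata {
	return Metadata{Signed: Signed{Version: version, Expires: exp, Threshold: 1,
		RootKeys:    map[string]string{keyID(rootPub): hex.EncodeToString(rootPub)},
		TargetsKeys: map[string]string{keyID(targetsPub): hex.EncodeToString(targetsPub)}}}
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	r1Pub, r1Priv, _ := ed25519.GenerateKey(rand.Reader) // original root key
	r2Pub, r2Priv, _ := ed25519.GenerateKey(rand.Reader) // replacement root key
	tPub, tPriv, _ := ed25519.GenerateKey(rand.Reader)   // targets key
	root := newRoot(1, now.AddDate(1, 0, 0), r1Pub, tPub) // root v1 is bootstrapped out of band
	Sign(&root, r1Priv)
	root2 := newRoot(2, now.AddDate(1, 0, 0), r2Pub, tPub)
	Sign(&root2, r2Priv)
	_, err := UpdateRoot(root, root2, now)
	fmt.Println("rotation signed by the new key only:", err) // rejected
	Sign(&root2, r1Priv)
	root, err = UpdateRoot(root, root2, now)
	fmt.Println("rotation countersigned by the old key:", err) // <nil>: root v2 is now trusted
	ca := []byte("-----BEGIN CERTIFICATE-----\nconstructed sample, not a real certificate\n-----END CERTIFICATE-----\n")
	sum := sha256.Sum256(ca)
	t := Metadata{Signed: Signed{Version: 2, Expires: now.AddDate(0, 0, 7), Targets: map[string]string{"ca/root.crt": hex.EncodeToString(sum[:])}}}
	Sign(&t, tPriv)
	err = Verify(&t, root.Signed.TargetsKeys, root.Signed.Threshold, now, 0)
	fmt.Println("targets v2:", err, "| pinned file:", VerifyTarget(&t, "ca/root.crt", ca)) // <nil> <nil>
	t.Signed.Version = 1 // a validly signed but older targets file, as a replay would present it
	Sign(&t, tPriv)
	fmt.Println("replayed targets v1 after v2:", Verify(&t, root.Signed.TargetsKeys, root.Signed.Threshold, now, 2)) // rejected
}
```

The point to take from the rotation step is that Notation would never have to ship a new root out of band once the first one is bootstrapped: the old key's countersignature is what lets a client move to root v2, and the short `Expires` on targets is what forces clients to refresh and so bounds how long a retired key keeps working. Real TUF adds snapshot and timestamp roles on top of this so that the set of metadata files is also consistent and fresh as a whole.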