@phbnf phbnf commented Jan 29, 2026

Towards #212.

@phbnf phbnf requested a review from AlCutter January 29, 2026 16:21
@phbnf phbnf marked this pull request as ready for review January 29, 2026 16:21
@phbnf phbnf requested a review from a team as a code owner January 29, 2026 16:21
rootsRemoteFetchInterval = flag.Duration("roots_remote_fetch_interval", time.Duration(0), "WIP DO NOT USE - Interval between two fetches from roots_fetch_url.")
rootsPemFile = flag.String("roots_pem_file", "", "Path to the file containing root certificates that are acceptable to the log.")
rootsRemoteFetchURL = flag.String("roots_remote_fetch_url", "https://ccadb.my.salesforce-sites.com/ccadb/RootCACertificatesIncludedByRSReportCSV", "URL to fetch additional trusted roots from.")
rootsRemoteFetchInterval = flag.Duration("roots_remote_fetch_interval", time.Duration(0), "Interval between two fetches from roots_fetch_url, e.g. \"1h\".")
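
Review bot: the help text on the new `roots_remote_fetch_interval` line still says "fetches from roots_fetch_url", but the flag defined on the line above is `roots_remote_fetch_url`, so the description points at a flag name that does not appear here. Suggest "Interval between two fetches from roots_remote_fetch_url" so operators can match the two flags. The help text also does not say what the default `time.Duration(0)` means; since `roots_remote_fetch_url` has a non-empty default, it should state whether a zero interval disables remote fetching.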

Add something about the zero value (disables fetching?)

Comment on lines 42 to 47
The URL of that endpoint is set via `roots_remote_fetch_url`. Roots are first
fetched at startup, and then every `roots_remote_fetch_interval`. Each time
roots are fetched from this remote endpoint, newly found roots are backed up in
the log's storage, under `roots/`. Roots are never removed from this directory.
Roots in the `roots/` directory are loaded once, at startup. This backup mechanism
ensures that the log can start with all its roots, even if the remote endpoint is down.
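
Review bot: "Roots are never removed from this directory" combined with "Roots in the `roots/` directory are loaded once, at startup" means that, as written, a root that later disappears from the remote endpoint stays in `roots/` and is loaded again at the next startup. The paragraph should say explicitly whether that is intended and how an operator withdraws a root from the log's accepted set, since the backup then decides which roots the log accepts across restarts. It would also help to state what happens on a failed fetch between startups (keep the current set, retry at the next interval).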

It's not clear from this whether roots fetched from the URL immediately become "trusted" for the purposes of add-chain or the binary must be restarted for them to take effect. Might be worth adding a few words to make it clear that it's the former?

@phbnf phbnf merged commit 89fed1b into transparency-dev:main Jan 30, 2026
10 checks passed