Description
As mentioned in the README, cosign can be used to store TUF metadata on a registry. This TUF metadata can secure the tag to digest relationships on the registry, define trust delegations, and provide compromise resilience in the case of a registry or infrastructure compromise. It would be nice to get a working prototype of this integration, possibly leveraging existing TUF implementations such as go-tuf.
As I envision it, a TUF/cosign integration would involve:
- [x] Storing TUF metadata on a registry using cosign
- [ ] Ensuring easy querying of that TUF metadata by users, ideally using a human-readable name
In the future, this could lead to more sigstore integration, for example:
- [ ] Allowing TUF targets metadata to delegate to a fulcio identity
- [ ] Supporting TUF root key discovery through a threshold of fulcio servers
- [ ] Publishing TUF metadata to rekor for an immutable history