ec sigstore initialize
Initializes Sigstore root to retrieve trusted certificate and key targets for verification
Synopsis
Initializes Sigstore root to retrieve trusted certificate and key targets for verification.
The following options are used by default:
- The current trusted Sigstore TUF root is embedded inside ec at the time of release.
- Sigstore remote TUF repository is pulled from the CDN mirror at tuf-repo-cdn.sigstore.dev.
To provide an out-of-band trusted initial root.json, use the --root flag with a file or URL reference. This will enable you to point ec to a separate TUF root.
Any updated TUF repository will be written to $HOME/.sigstore/root/.
Trusted keys and certificates used in ec verification (e.g. verifying Fulcio-issued certificates with the Fulcio root CA) are pulled from the trusted metadata.
This command is mostly a wrapper around "cosign initialize".
ec sigstore initialize [flags]
Examples
ec initialize -mirror <url> -out <file>
Initialize root with distributed root keys, default mirror, and default out path.
ec sigstore initialize

Initialize with an out-of-band root key file, using the default mirror.
ec sigstore initialize --root <url>

Initialize with an out-of-band root key file and custom repository mirror.
ec sigstore initialize --mirror <url> --root <url>
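An out-of-band root.json is only as trustworthy as the channel it arrived over, so it is worth pinning its digest before passing it to --root. The script below is an added example, not part of the ec documentation; the function names, file paths and pinned digest are assumptions, and it uses only the --root and --mirror flags documented on this page.

```shell
#!/bin/sh
# Added example: check an out-of-band root.json against a pinned SHA-256
# before running `ec sigstore initialize --root`. All names here are assumptions.

# Print the lowercase SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if FILE exists and its digest equals EXPECTED (hex, any case).
verify_root_digest() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "root file not found: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "root.json digest mismatch: got $actual" >&2
        return 1
    fi
}

# Verify the root first, then initialize. MIRROR is optional; without it
# ec falls back to its default mirror.
init_sigstore_root() {
    root=$1; pinned=$2; mirror=${3:-}
    verify_root_digest "$root" "$pinned" || return $?
    if [ -n "$mirror" ]; then
        ec sigstore initialize --root "$root" --mirror "$mirror"
    else
        ec sigstore initialize --root "$root"
    fi
}

# Runs only when arguments are supplied, e.g. for an air-gapped mirror:
#   sh init-root.sh ./root.json <pinned-sha256> file:///srv/tuf-mirror
if [ "$#" -ge 2 ]; then
    init_sigstore_root "$@"
fi
```

The pinned digest should come from a different channel than the root.json itself, otherwise the check adds nothing.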
Options
- -h, --help: help for initialize (Default: false)
- --mirror: GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap) (Default: https://tuf-repo-cdn.sigstore.dev)
- --root: path to trusted initial root. defaults to embedded root
Options inherited from parent commands
- --debug: same as verbose but also show function names and line numbers (Default: false)
- --kubeconfig: path to the Kubernetes config file to use
- --logfile: file to write the logging output. If not specified logging output will be written to stderr
- --quiet: less verbose output (Default: false)
- --timeout: max overall execution duration (Default: 5m0s)
- --trace: enable trace logging, set one or more comma separated values: none,all,perf,cpu,mem,opa,log (Default: none)
- --verbose: more verbose output (Default: false)