Root of Trust

The root of trust is the set of users ultimately trusted in gittuf. In addition to encoding the users that compose the root of trust, the root metadata contains information on the repository, as well as global rules.

Configuration

In most cases, the root of trust is a part of gittuf metadata that is largely “set it and forget it”. You only need to modify the root of trust metadata when you are changing:

  • the users that make up the root of trust
  • the policy administrators
  • repository information (e.g. canonical location)
  • global rules

It is imperative that the root of trust users safeguard their signing keys and DO NOT lose them. If too few root of trust users can still sign to meet the threshold (e.g. the threshold is three but only two users have access to their keys), then it will be impossible to recover gittuf metadata, and you will need to reset gittuf.

Next: Initializing the Root of Trust

Let’s start by initializing gittuf’s root of trust in Initialization.

Copyright © 2025 gittuf a Series of LF Projects, LLC. For web site terms of use, trademark policy and other project policies please see https://lfprojects.org/.