Supply Chain Security Store - Policy Known Issues

TUF key is not valid


Installation of Policy Controller v1.1.2 fails with the following error message:

    panic: Failed to initialize TUF client from  : updating local metadata and targets:
    error updating to TUF remote mirror: tuf: invalid key

Policy Controller tries to initialize TUF keys during installation. The initialization fails because of a breaking change in go-tuf when using the Official Sigstore TUF root. See go-tuf in GitHub.


Policy Controller v1.1.3 contains a fix with the updated go-tuf.


One workaround is to exclude Policy Controller during installation. Another workaround is to use a self-deployed Sigstore Stack.

  • Option 1: Exclude the Policy Controller package in all profile installations by adding Policy Controller to the excluded_packages list in tap-values.yaml. Example:

    profile: PROFILE-VALUE
  • Option 2: Install Sigstore Stack and use the generated TUF system as the mirror and root of Policy Controller. For more information, see Install Sigstore Stack.
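
Option 1 written out as a tap-values.yaml fragment. This is an added example, not taken from the original page; the package name policy.apps.tanzu.vmware.com is an assumption for the Policy Controller package and should be checked against the packages available in your installation.

```yaml
# tap-values.yaml (fragment)
profile: PROFILE-VALUE            # placeholder from the page; keep your existing profile value
excluded_packages:
  # Assumed name of the Policy Controller package; verify it for your release.
  - policy.apps.tanzu.vmware.com
```

With the package excluded, no Policy Controller admission policies are enforced until v1.1.3 or later is installed.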
