diff --git a/go.mod b/go.mod
index bb5ac495d..61eb914ee 100644
--- a/go.mod
+++ b/go.mod
@@ -34,7 +34,7 @@ require (
 github.com/sigstore/fulcio v1.6.5
 github.com/sigstore/rekor v1.3.8
 github.com/sigstore/sigstore v1.8.12
- github.com/sigstore/sigstore-go v0.6.2
+ github.com/sigstore/sigstore-go v0.7.0
 github.com/sigstore/timestamp-authority v1.2.4
 github.com/stretchr/testify v1.10.0
 github.com/theupdateframework/go-tuf v0.7.0
@@ -258,7 +258,7 @@ require (
 github.com/subosito/gotenv v1.6.0 // indirect
 github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 github.com/thales-e-security/pool v0.0.2 // indirect
- github.com/theupdateframework/go-tuf/v2 v2.0.1 // indirect
+ github.com/theupdateframework/go-tuf/v2 v2.0.2 // indirect
 github.com/tjfoc/gmsm v1.4.1 // indirect
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce // indirect
 github.com/transparency-dev/merkle v0.0.2 // indirect
diff --git a/go.sum b/go.sum
index f065a4287..009426854 100644
--- a/go.sum
+++ b/go.sum
@@ -1489,8 +1489,8 @@ github.com/sigstore/rekor v1.3.8 h1:B8kJI8mpSIXova4Jxa6vXdJyysRxFGsEsLKBDl0rRjA=
 github.com/sigstore/rekor v1.3.8/go.mod h1:/dHFYKSuxEygfDRnEwyJ+ZD6qoVYNXQdi1mJrKvKWsI=
 github.com/sigstore/sigstore v1.8.12 h1:S8xMVZbE2z9ZBuQUEG737pxdLjnbOIcFi5v9UFfkJFc=
 github.com/sigstore/sigstore v1.8.12/go.mod h1:+PYQAa8rfw0QdPpBcT+Gl3egKD9c+TUgAlF12H3Nmjo=
-github.com/sigstore/sigstore-go v0.6.2 h1:8uiywjt73vzfrGfWYVwVsiB1E1Qmwmpgr1kVpl4fs6A=
-github.com/sigstore/sigstore-go v0.6.2/go.mod h1:pOIUH7Jx+ctwMICo+2zNrViOJJN5sGaQgwX4yAVJkA0=
+github.com/sigstore/sigstore-go v0.7.0 h1:bIGPc2IbnbxnzlqQcKlh1o96bxVJ4yRElpP1gHrOH48=
+github.com/sigstore/sigstore-go v0.7.0/go.mod h1:4RrCK+i+jhx7lyOG2Vgef0/kFLbKlDI1hrioUYvkxxA=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.12 h1:EC3UmIaa7nV9sCgSpVevmvgvTYTkMqyrRbj5ojPp7tE=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.12/go.mod h1:aw60vs3crnQdM/DYH+yF2P0MVKtItwAX34nuaMrY7Lk=
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.12 h1:FPpliDTywSy0woLHMAdmTSZ5IS/lVBZ0dY0I+2HmnSY=
@@ -1564,8 +1564,8 @@ github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gt
 github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
 github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
 github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
-github.com/theupdateframework/go-tuf/v2 v2.0.1 h1:11p9tXpq10KQEujxjcIjDSivMKCMLguls7erXHZnxJQ=
-github.com/theupdateframework/go-tuf/v2 v2.0.1/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA=
+github.com/theupdateframework/go-tuf/v2 v2.0.2 h1:PyNnjV9BJNzN1ZE6BcWK+5JbF+if370jjzO84SS+Ebo=
+github.com/theupdateframework/go-tuf/v2 v2.0.2/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w=
diff --git a/pkg/repo/repo.go b/pkg/repo/repo.go
index f0f2a5131..f374b565b 100644
--- a/pkg/repo/repo.go
+++ b/pkg/repo/repo.go
@@ -252,17 +252,17 @@ func constructTrustedRoot(targets []TargetWithMetadata) (*TargetWithMetadata, er
 if err != nil {
 return nil, fmt.Errorf("failed to parse cert chain for Fulcio: %w", err)
 }
- fulcioAuthorities = append(fulcioAuthorities, *fulcioAuthority)
+ fulcioAuthorities = append(fulcioAuthorities, fulcioAuthority)
 }
 tsaChainPem := concatCertChain(tsaLeaf, tsaIntermed, tsaRoot)
- tsaAuthorities := []root.CertificateAuthority{}
+ tsaAuthorities := []root.TimestampingAuthority{}
 if len(tsaChainPem) > 0 {
- tsaAuthority, err := certChainToCertificateAuthority(tsaChainPem)
+ tsaAuthority, err := certChainToTimestampingAuthority(tsaChainPem)
 if err != nil {
 return nil, fmt.Errorf("failed to parse cert chain for TSA: %w", err)
 }
- tsaAuthorities = append(tsaAuthorities, *tsaAuthority)
+ tsaAuthorities = append(tsaAuthorities, tsaAuthority)
 }
 tr, err := root.NewTrustedRoot(
@@ -345,10 +345,10 @@ func getKeyWithDetails(key []byte) (crypto.PublicKey, crypto.Hash, error) {
 return k, hashFunc, nil
 }
-func certChainToCertificateAuthority(certChainPem []byte) (*root.CertificateAuthority, error) {
+func certChainToTimestampingAuthority(tsaChainPem []byte) (root.TimestampingAuthority, error) {
 var cert *x509.Certificate
 var err error
- rest := bytes.TrimSpace(certChainPem)
+ rest := bytes.TrimSpace(tsaChainPem)
 certChain := []*x509.Certificate{}
 for len(rest) > 0 {
@@ -368,7 +368,7 @@ func certChainToCertificateAuthority(certChainPem []byte) (*root.CertificateAuth
 return nil, fmt.Errorf("no certificates found in input")
 }
- ca := root.CertificateAuthority{}
+ ca := &root.SigstoreTimestampingAuthority{}
 for i, cert := range certChain {
 switch {
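Review bot: `ca := &root.SigstoreTimestampingAuthority{}` is still followed (outside this hunk) by the chain-splitting loop inherited from the old CertificateAuthority version, and if that loop still files every certificate but the last into `Intermediates`, the TSA leaf that `concatCertChain(tsaLeaf, tsaIntermed, tsaRoot)` in the first hunk puts at the front of the bundle is stored as an intermediate. As far as I can tell sigstore-go's SigstoreTimestampingAuthority carries a dedicated Leaf field for exactly that certificate, so the pinned leaf would not be the expected signer certificate during timestamp verification; worth confirming against sigstore-go v0.7.0 and, if so, setting `ca.Leaf = certChain[0]` when the bundle is known to start with the leaf. The body of certChainToTimestampingAuthority begins in the -345 hunk and continues past this one.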
@@ -384,7 +384,47 @@ func certChainToCertificateAuthority(certChainPem []byte) (*root.CertificateAuth
 ca.ValidityPeriodStart = certChain[0].NotBefore
 ca.ValidityPeriodEnd = certChain[0].NotAfter
- return &ca, nil
+ return ca, nil
+}
+
+func certChainToCertificateAuthority(certChainPem []byte) (root.CertificateAuthority, error) {
+ var cert *x509.Certificate
+ var err error
+ rest := bytes.TrimSpace(certChainPem)
+ certChain := []*x509.Certificate{}
+
+ for len(rest) > 0 {
+ var derCert *pem.Block
+ derCert, rest = pem.Decode(rest)
+ rest = bytes.TrimSpace(rest)
+ if derCert == nil {
+ return nil, fmt.Errorf("input is left, but it is not a certificate: %+v", rest)
+ }
+ cert, err = x509.ParseCertificate(derCert.Bytes)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse certificate: %w", err)
+ }
+ certChain = append(certChain, cert)
+ }
+ if len(certChain) == 0 {
+ return nil, fmt.Errorf("no certificates found in input")
+ }
+
+ ca := &root.FulcioCertificateAuthority{}
+
+ for i, cert := range certChain {
+ switch {
+ case i < len(certChain)-1:
+ ca.Intermediates = append(ca.Intermediates, cert)
+ case i == len(certChain)-1:
+ ca.Root = cert
+ }
+ }
+
+ ca.ValidityPeriodStart = certChain[0].NotBefore
+ ca.ValidityPeriodEnd = certChain[0].NotAfter
+
+ return ca, nil
 }
 func concatCertChain(leaf []byte, intermediate [][]byte, root []byte) []byte {
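Review bot: The new certChainToCertificateAuthority duplicates the PEM-decoding loop and the empty-chain check of certChainToTimestampingAuthority line for line (that function's copy sits in the -345 and -368 hunks), so the two should share a parseCertChain helper and a fix to one cannot drift from the other. The function also silently assumes the bundle is ordered intermediates first and root last and takes the validity period from certChain[0], which deserves a doc comment such as `// certChainToCertificateAuthority builds a Fulcio CA from a PEM bundle ordered intermediates first, root last; the validity period is that of the first certificate.` Nothing checks that the certificates actually chain to the final one or that the final one is a CA; the input appears to come from TUF targets via constructTrustedRoot, so this is defensive rather than a hole, but a `CheckSignatureFrom` walk or an `IsCA` check on the root would surface a mis-ordered bundle when the trusted root is built rather than when a signature later fails to verify. Finally, the leftover-input error formats the raw bytes with `%+v`, which for a []byte prints a decimal dump; `%q` is far more readable.
```go
// parseCertChain decodes every PEM block in pemBytes, in order, into certificates.
func parseCertChain(pemBytes []byte) ([]*x509.Certificate, error) {
	var certChain []*x509.Certificate
	rest := bytes.TrimSpace(pemBytes)
	for len(rest) > 0 {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		rest = bytes.TrimSpace(rest)
		if block == nil {
			return nil, fmt.Errorf("input is left, but it is not a certificate: %q", rest)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("failed to parse certificate: %w", err)
		}
		certChain = append(certChain, cert)
	}
	if len(certChain) == 0 {
		return nil, fmt.Errorf("no certificates found in input")
	}
	return certChain, nil
}

// certChainToCertificateAuthority builds a Fulcio CA from a PEM bundle ordered
// intermediates first, root last; the validity period is that of the first certificate.
func certChainToCertificateAuthority(certChainPem []byte) (root.CertificateAuthority, error) {
	certChain, err := parseCertChain(certChainPem)
	if err != nil {
		return nil, err
	}
	n := len(certChain)
	ca := &root.FulcioCertificateAuthority{
		Root:                certChain[n-1],
		ValidityPeriodStart: certChain[0].NotBefore,
		ValidityPeriodEnd:   certChain[0].NotAfter,
	}
	if n > 1 {
		ca.Intermediates = certChain[:n-1] // keeps Intermediates nil for a single-cert bundle, as before
	}
	return ca, nil
}
```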