diff --git a/Cargo.toml b/Cargo.toml
index 791e80ccff..89e2971b98 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -20,12 +20,14 @@ full-native-tls = [
 "rekor-native-tls",
 "cosign-native-tls",
 "mock-client-native-tls",
+ "sigstore-trust-root-native-tls",
 ]
 full-rustls-tls = [
 "fulcio-rustls-tls",
 "rekor-rustls-tls",
 "cosign-rustls-tls",
 "mock-client-rustls-tls",
+ "sigstore-trust-root-rustls-tls",
 ]
 
 # This features is used by tests that use docker to create a registry
@@ -51,9 +53,18 @@ sigstore-trust-root = [
 "sigstore_protobuf_specs",
 "futures-util",
 "tough",
+ "reqwest_0_11",
 "regex",
 "tokio/sync",
 ]
+sigstore-trust-root-native-tls = [
+ "reqwest_0_11/native-tls",
+ "sigstore-trust-root",
+]
+sigstore-trust-root-rustls-tls = [
+ "reqwest_0_11/rustls-tls",
+ "sigstore-trust-root",
+]
 
 cosign-native-tls = [
 "oci-distribution/native-tls",
@@ -121,6 +132,11 @@ reqwest = { version = "0.12", default-features = false, features = [
 "json",
 "multipart",
 ], optional = true }
+# We have to include this old version of reqwest because tough is currently using it.
+# By including it, we can configure which TLS backend it's going to use, otherwise fetching the
+# TUF sigstore repository will fail at runtime because the old version of reqwest
+# will be compiled withtout TLS support.
+reqwest_0_11 = { package = "reqwest", version = "0.11", default-features = false, optional = true }
 rsa = "0.9.2"
 scrypt = "0.11.0"
 serde = { version = "1.0.136", features = ["derive"] }
@@ -135,7 +151,7 @@ sigstore_protobuf_specs = { version = "0.3.2", optional = true }
 thiserror = "1.0.30"
 tokio = { version = "1.17.0", features = ["rt"] }
 tokio-util = { version = "0.7.10", features = ["io-util"] }
-tough = { version = "0.17.1", features = ["http"], optional = true }
+tough = { version = "0.18.0", features = ["http"], optional = true }
 tracing = "0.1.31"
 url = "2.2.2"
 x509-cert = { version = "0.2.5", features = ["builder", "pem", "std", "sct"] }
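Review bot: In the `sigstore-trust-root` feature list (hunk at `-51,9 +53,18`), the base feature now pulls in `reqwest_0_11` with no TLS backend, and only the two new `sigstore-trust-root-*-tls` features select one. A consumer who enables `sigstore-trust-root` on its own still gets a clean build, and by the commit's own comment the TUF repository fetch then fails at runtime; that fails closed, but it surfaces late and at the step that establishes the trust root. I would document the requirement above the feature, e.g. `# Fetching the TUF repository over HTTPS needs sigstore-trust-root-native-tls or sigstore-trust-root-rustls-tls`. If the feature has no offline use (not visible from this manifest), a `compile_error!` guard in the crate for the no-backend combination would turn the runtime failure into a build failure.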
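Review bot: The `reqwest_0_11` entry (hunk at `-121,6 +132,11`) steers tough's TLS backend only while tough's own reqwest requirement resolves to the same 0.11.x package, and nothing in the manifest ties `version = "0.11"` to the `tough = "0.18.0"` line changed in the last hunk. If a later tough release moves to another reqwest major, this alias keeps building but no longer selects a backend for the TUF client, and the fetch would presumably fail at runtime again without any build-time signal. I would extend the comment with that coupling, e.g. `# Must track the reqwest major that tough depends on; re-check on every tough bump and remove once tough shares our reqwest version.` The second, older reqwest line in the tree also has to stay covered by the project's dependency advisory checks. The added comment contains a typo, `withtout`.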