Document bundle verification #11
Labels
enhancement
New feature or request
Description
There is currently no real documentation on how to verify a bundle. There are some drafts like this: https://github.com/kommendorkapten/cosign/blob/bundle_verification/specs/dotsigstore_bundle/verify.md
Also, the bundle format alone leaves some things underspecified, such as the hash and signature algorithm used by the transparency log, which has to be documented. This is now captured in the bundle verification interface, and also called out in this issue: #7, but should be properly documented.
During SigstoreCon there was a lot of discussion on this; the general idea was a layered approach:
The primary reason for first filtering the trust root and then running the verification logic is that code with this layout is easier to write and test, as each stage has a specific purpose. The verification code should be as simple as possible, with minimal dependencies and possible choices.
Where should such documentation live? In this repository, the architecture-docs? Separate document or part of the client spec?
cc @znewman01 @asraa @joshuagl @vaikas who were present during the discussions.