Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document bundle verification #11

Open
kommendorkapten opened this issue Nov 8, 2022 · 1 comment
Open

Document bundle verification #11

kommendorkapten opened this issue Nov 8, 2022 · 1 comment
Labels
enhancement New feature or request

Comments

@kommendorkapten
Copy link
Member

Description

There is currently no real documentation on how to verify a bundle. There are some drafts like this: https://github.com/kommendorkapten/cosign/blob/bundle_verification/specs/dotsigstore_bundle/verify.md

Also the bundle format alone leaves some things underspecified. Such as hash and signature algorithm used by the transparency log, that has to be documented. This is now captured in the bundle verification interface, and also called out in this issue: #7, but should be properly documented.

During SigstoreCon there was a lot of discussion on this, the general idea was a layered approach:

  • The process has a global trust root
  • During artifact verification a few steps happen
    1. Based on artifact/policy a subset/filtered of the trust root is selected
    2. The real verification function is executed with the filtered trust root and artifact as input

The primary reason for first filtering the trust root and then running the verification logic is that code with this layout is easier to write and test, as each stage has specific purpose. The verification code should be as simple as possible, with minimal dependencies and possible choices.

Where should the such documentation live? In this repository, the architecture-docs? Separate document or part of the client spec?

cc @znewman01 @asraa @joshuagl @vaikas who was present during the discussions.

@kommendorkapten kommendorkapten added the enhancement New feature or request label Nov 8, 2022
@znewman01
Copy link
Contributor

I prefer putting this in the Spec: Sigstore Client doc (join [email protected] for access).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants