-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Chore: Refactor how we handle verification materials #250
Comments
One thought: a top-level def verify(bundle: VerificationBundle, options: VerificationOptions) -> VerificationResult ...where |
More thinking out loud: |
Was a verification bundle schema already discussed somewhere? I would be interested in taking up this issue if it has no assignee yet. |
@mayaCostantini Yes, here: sigstore/cosign#2131 |
Additionally, the protobuf definition for the bundle is being developed here: https://github.com/sigstore/protobuf-specs |
I'm currently working on this refactor in |
@di @woodruffw Thank you for the info, I will look into it soon 👍 |
Working on this in #299. |
Conceptually, there are three mandatory pieces of sigstore verification material, and one optional piece:
str
)bytes
, orstr
if base64-encoded)str
)RekorBundle
orRekorEntry
in Offline Rekor bundle generation and verification #247)Right now, the
verify
API takes these as independent parameters, along with some other options (which will grow over time, as we support different configurations and verification policies):This is going to become unwieldly, so we should probably rethink the top-level API here.
Related:
The text was updated successfully, but these errors were encountered: