Using sigstore-go's API instead of Cosign #537

Open
haydentherapper opened this issue Jul 12, 2024 · 0 comments
We, being the sigstore-go maintainers, have released a new version of sigstore-go with support for signing artifacts. We've been looking for good candidates in the ecosystem to try out sigstore-go, and I think gitsign would be a perfect choice. You're using Cosign's API currently for blob signing and not container signing, which means you should be able to migrate over to sigstore-go without any loss of functionality and a gain of fewer dependencies and a much cleaner API.

The main changes to note, beyond the API, are:

  • The usage of a new TUF client that uses a trust root bundle to fetch roots of trust. This also simplifies support for private Sigstore instances, which can provide trust root material via a single file rather than needing a TUF environment or setting multiple environment variables.
  • Support for the new bundle format for verification material (cert and proof) and signature.

Here is an example of how to use the API to sign - https://github.com/sigstore/sigstore-go/blob/main/examples/sigstore-go-signing/main.go - and to verify - https://github.com/sigstore/sigstore-go/blob/main/cmd/sigstore-go/main.go.

If you were to make this change, at a glance over the code, you would roughly need to:

  • Fetch an identity token using Cosign's identity providers (we're talking about pulling these into a dedicated repo)
  • Change initialize to initialize the new TUF client
  • Provide the identity token and artifact to sigstore-go's signing API, output a bundle, and transform the bundle into the PKCS7 structure you store in the commit
    • You can let the signing API handle uploading to Rekor and fetching a cert from Fulcio, the API just needs an identity token
  • All verification can be replaced with sigstore-go's verification API, with the bundle as input (see 1 and 2)

You'd also need to decide if and how to support previously generated signatures/verification material. For verification, one suggestion would be to merge the "detached" verification material into a bundle that the sigstore-go API accepts, like what we're going to be doing in Cosign to output bundles - https://github.com/sigstore/cosign/pull/3752/files#diff-ed22d84833d1dbf7ab58a443e2105ce4769e2db0761f4d1c403ebc879957a3e1. I think this is no different than what you're already doing, switching between PKCS7 and Cosign structs.

If you wanna tackle this, let us know if you need any pointers!
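The "merge the detached verification material into a bundle" step above, as an added example that is not code from this issue, from gitsign or from sigstore-go. It uses only the Go standard library: the bundle field names follow the protojson encoding of the Sigstore protobuf-specs `Bundle` message and the v0.3 media type (an assumption on my part; check against the current spec), the certificate and signature are constructed stand-ins for what gitsign would pull out of an existing PKCS7 structure, and `tlogEntries` is left as raw JSON to be filled from the stored Rekor response. `VerifyBundleSignature` is only the stdlib sanity check that the merged bundle still verifies against its own leaf key; chain, identity and transparency-log checks remain the job of sigstore-go's verifier.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumption: field names follow protojson encoding of protobuf-specs' Bundle.
const bundleMediaType = "application/vnd.dev.sigstore.bundle.v0.3+json"

type Bundle struct {
	MediaType            string               `json:"mediaType"`
	VerificationMaterial VerificationMaterial `json:"verificationMaterial"`
	MessageSignature     MessageSignature     `json:"messageSignature"`
}

type VerificationMaterial struct {
	Certificate RawBytes `json:"certificate"` // v0.3 carries the leaf only
	// TransparencyLogEntry objects re-encoded from the detached Rekor response.
	TlogEntries []json.RawMessage `json:"tlogEntries,omitempty"`
}

// encoding/json emits []byte as standard base64, matching protojson.
type RawBytes struct {
	RawBytes []byte `json:"rawBytes"`
}

type MessageSignature struct {
	MessageDigest HashOutput `json:"messageDigest"`
	Signature     []byte     `json:"signature"`
}

type HashOutput struct {
	Algorithm string `json:"algorithm"`
	Digest    []byte `json:"digest"`
}

// MergeDetached assembles a bundle from the pieces kept separately today:
// the leaf certificate (DER), the raw signature and the signed artifact.
func MergeDetached(certDER, sig, artifact []byte, tlog []json.RawMessage) ([]byte, error) {
	if _, err := x509.ParseCertificate(certDER); err != nil {
		return nil, fmt.Errorf("certificate is not valid DER: %w", err)
	}
	digest := sha256.Sum256(artifact)
	b := Bundle{
		MediaType:            bundleMediaType,
		VerificationMaterial: VerificationMaterial{Certificate: RawBytes{certDER}, TlogEntries: tlog},
		MessageSignature: MessageSignature{
			MessageDigest: HashOutput{Algorithm: "SHA2_256", Digest: digest[:]},
			Signature:     sig,
		},
	}
	return json.MarshalIndent(b, "", "  ")
}

// VerifyBundleSignature checks that the bundle's signature verifies under the
// embedded leaf key over the given artifact. Stdlib-only; no chain or Rekor checks.
func VerifyBundleSignature(bundleJSON, artifact []byte) error {
	var b Bundle
	if err := json.Unmarshal(bundleJSON, &b); err != nil {
		return err
	}
	if b.MediaType != bundleMediaType {
		return fmt.Errorf("unexpected media type %q", b.MediaType)
	}
	cert, err := x509.ParseCertificate(b.VerificationMaterial.Certificate.RawBytes)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("example handles ECDSA leaf keys only")
	}
	digest := sha256.Sum256(artifact)
	if b.MessageSignature.MessageDigest.Algorithm != "SHA2_256" ||
		!bytes.Equal(b.MessageSignature.MessageDigest.Digest, digest[:]) {
		return errors.New("digest in bundle does not match artifact")
	}
	if !ecdsa.VerifyASN1(pub, digest[:], b.MessageSignature.Signature) {
		return errors.New("signature does not verify under leaf key")
	}
	return nil
}

// newDemoMaterial is a constructed stand-in for detached material: a
// self-signed ECDSA leaf and a signature over the artifact (real leaves come from Fulcio).
func newDemoMaterial(artifact []byte) (certDER, sig []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed demo leaf"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(artifact)
	sig, err = ecdsa.SignASN1(rand.Reader, key, digest[:])
	return certDER, sig, err
}

func main() {
	artifact := []byte("constructed commit payload\n")
	certDER, sig, err := newDemoMaterial(artifact)
	if err != nil {
		panic(err)
	}
	bundleJSON, err := MergeDetached(certDER, sig, artifact, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(bundleJSON))
	fmt.Println("verify:", VerifyBundleSignature(bundleJSON, artifact))
}
```

The digest, not the commit payload, goes into `messageSignature`, so the bundle can travel without the artifact and the verifier is handed the artifact separately, which matches how sigstore-go's verification policy takes the artifact as input.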
