Sigstore: improve docstring language

The identity/issuer in the public key are the details that we verify in the signing certificate. The OIDC identity of the authentication token may be slightly different: * because of identity federation the OIDC issuer may be sigstore.dev but the verified (federated) issuer may be github.com * in the ambient credential case the authentication token identity does not necessarily match the sertificate identity Make it clear that import_() takes the "verifying identity" details.
secure-systems-lab · Sep 1, 2023 · e7f7c89 · e7f7c89
1 parent 6b34803
commit e7f7c89
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/securesystemslib/signer/_sigstore_signer.py b/securesystemslib/signer/_sigstore_signer.py
@@ -189,8 +189,8 @@ def import_(
         key should be stored for later use.
 
         Arguments:
-            identity: The OIDC identity used to create a signing token.
-            issuer: The OIDC issuer URL used to create a signing token.
+            identity: The OIDC identity to use when verifying a signature.
+            issuer: The OIDC issuer to use when verifying a signature.
             ambient: Toggle usage of ambient credentials in returned URI.
         """
         keytype = SigstoreKey.DEFAULT_KEY_TYPE