Request to support non-identity based cert as verifier #1318
Comments
I might suggest to align with future changes to the Cosign UI and other sigstore libraries, rather than taking in a certificate chain which contains a root & some number of intermediates, take in each of those as separate options. openssl has an example of such, that a root is referred to as "trusted" CA certificates, and intermediates are "untrusted" or chain building CA certificates. In sigstore/cosign#3464, this proposes using The benefit of this is that the caller is not responsible for constructing the valid chain, the library is. And if you have a more complex PKI, for example multiple intermediates issued by a root, you don't need to provide multiple chains.
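The split suggested in the comment above (one trusted root, any number of untrusted intermediates, chain built by the library) maps onto Go's `crypto/x509` `VerifyOptions`. This is an added sketch, not code from policy-controller or cosign; `issue`, `VerifyLeaf` and every certificate in it are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed test certificate; a nil parent yields a self-signed root.
func issue(cn string, n int64, ku x509.KeyUsage, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(n), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		IsCA: ku&x509.KeyUsageCertSign != 0, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err == nil {
		t, err = x509.ParseCertificate(der)
	}
	if err != nil {
		panic(err)
	}
	return t, key
}

// VerifyLeaf trusts only root (non-nil pool, so no system-store fallback); intermediates are untrusted hints.
func VerifyLeaf(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) ([][]*x509.Certificate, error) {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	rp.AddCert(root)
	for _, c := range intermediates {
		ip.AddCert(c)
	}
	return leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
}

func main() {
	root, rk := issue("root", 1, x509.KeyUsageCertSign, nil, nil)
	intA, ak := issue("int-a", 2, x509.KeyUsageCertSign, root, rk)
	intB, _ := issue("int-b", 3, x509.KeyUsageCertSign, root, rk)
	leaf, _ := issue("leaf", 4, x509.KeyUsageDigitalSignature, intA, ak)
	chains, err := VerifyLeaf(leaf, root, intB, intA) // order of intermediates is irrelevant
	fmt.Println(len(chains), err)
}
```

Both intermediates go into the same untrusted pool, and a leaf from either one verifies against the single root without the caller assembling a chain per intermediate.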
Description
Based on clusterImagePolicy API, it has options to accept key, keyless authority. Can we also support non-identity based cert as verifier to verify signatures, such as https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/verify/verify.go#L239-L268