Include skipped signatures in VerificationResult #48
Comments
We might also want to split out parsing errors from verification errors. For example, for timestamp verification, we will skip a timestamp either if it is an invalid RFC3161 structure or if verification fails.
Addresses sigstore#48. Instead of just ignoring the signatures the trust bundle couldn't verify, we want to pass this information back to the caller. To avoid API changes, in order to detect the unsigned entries, for each signature type, we loop through all available signatures and mark the ones that weren't verified. Signed-off-by: Gustavo Rangel <gustavorangel91@gmail.com>
At the sigstore-go meeting, we discussed that
I had a related experience and asked a question on Slack:
@haydentherapper responded there:
Description
#47 and #45 introduce skipping log and TSA signatures respectively that the trust bundle cannot verify. This information is not passed back to the verifier; the signatures are just silently skipped over.
We can update VerificationResults to pass this information back, which could be helpful for debugging that the bundle contains the expected trust root material.
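As an added illustration of what the description above and the earlier comment about separating parse errors from verification errors are asking for, here is a Go sketch of a result type that records skipped signatures with a reason instead of dropping them. This is not sigstore-go's code: `VerificationResult`, `SkippedSignature`, `TrustRoot`, the `RFC3161:`-prefixed token format and the key-ID trust check are all constructed assumptions standing in for real RFC 3161 decoding and signature verification.

```go
package main

import (
	"errors"
	"fmt"
)

// SkipReason separates "the entry is malformed" from "my trust root has no
// material that verifies this entry", which are different debugging problems.
type SkipReason string

const (
	SkipParseError  SkipReason = "parse-error"
	SkipVerifyError SkipReason = "verification-failed"
)

// SkippedSignature records one signature that did not contribute to the result.
type SkippedSignature struct {
	Kind   string // "tsa" or "tlog"
	Index  int    // position within the bundle's list of that kind
	Reason SkipReason
	Err    error
}

// VerificationResult (hypothetical type) carries verified entries and the
// skipped ones side by side, so the caller can see what was ignored and why.
type VerificationResult struct {
	VerifiedTimestamps []string
	Skipped            []SkippedSignature
}

// TimestampEntry is a constructed stand-in for an RFC 3161 timestamp token:
// Raw is fake encoded data, KeyID names the TSA key that produced it.
type TimestampEntry struct {
	Raw   []byte
	KeyID string
}

// TrustRoot holds the TSA key IDs the verifier trusts (assumption: a real
// trust root would hold certificates or public keys, not bare IDs).
type TrustRoot struct {
	TSAKeyIDs map[string]bool
}

// parseTimestamp stands in for RFC 3161 decoding. The constructed format is
// the literal prefix "RFC3161:" followed by the timestamp string.
func parseTimestamp(e TimestampEntry) (string, error) {
	const prefix = "RFC3161:"
	if len(e.Raw) <= len(prefix) || string(e.Raw[:len(prefix)]) != prefix {
		return "", errors.New("malformed timestamp token")
	}
	return string(e.Raw[len(prefix):]), nil
}

// verifyTimestamp checks the entry's signing key against the trust root.
func verifyTimestamp(tr TrustRoot, e TimestampEntry) error {
	if !tr.TSAKeyIDs[e.KeyID] {
		return fmt.Errorf("no trusted TSA key %q", e.KeyID)
	}
	return nil
}

// VerifyTimestamps walks every entry and records each as verified or skipped
// with its reason; nothing is dropped without a trace.
func VerifyTimestamps(tr TrustRoot, entries []TimestampEntry) VerificationResult {
	var res VerificationResult
	for i, e := range entries {
		ts, err := parseTimestamp(e)
		if err != nil {
			res.Skipped = append(res.Skipped, SkippedSignature{"tsa", i, SkipParseError, err})
			continue
		}
		if err := verifyTimestamp(tr, e); err != nil {
			res.Skipped = append(res.Skipped, SkippedSignature{"tsa", i, SkipVerifyError, err})
			continue
		}
		res.VerifiedTimestamps = append(res.VerifiedTimestamps, ts)
	}
	return res
}

// ExampleBundle returns constructed input: one good entry, one malformed entry,
// and one signed by a key the trust root does not know.
func ExampleBundle() (TrustRoot, []TimestampEntry) {
	tr := TrustRoot{TSAKeyIDs: map[string]bool{"tsa-key-1": true}}
	entries := []TimestampEntry{
		{Raw: []byte("RFC3161:2024-01-01T00:00:00Z"), KeyID: "tsa-key-1"},
		{Raw: []byte("garbage"), KeyID: "tsa-key-1"},
		{Raw: []byte("RFC3161:2024-02-02T00:00:00Z"), KeyID: "tsa-key-2"},
	}
	return tr, entries
}

func main() {
	tr, entries := ExampleBundle()
	res := VerifyTimestamps(tr, entries)
	fmt.Println("verified:", res.VerifiedTimestamps)
	for _, s := range res.Skipped {
		fmt.Printf("skipped %s[%d]: %s: %v\n", s.Kind, s.Index, s.Reason, s.Err)
	}
}
```

The two reasons matter in practice: a `verification-failed` skip on every entry usually means the bundle was built against trust root material the verifier was not given, while a `parse-error` points at a corrupted or mis-encoded bundle, and a caller that only sees "zero verified timestamps" cannot tell the two apart.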