sign, verify: add TODOs for SCT verification

Signed-off-by: Andrew Pan <andrew.pan@trailofbits.com>
sigstore · Feb 16, 2024 · 752f87f · 752f87f
1 parent 68fea4a
commit 752f87f
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/src/sign.rs b/src/sign.rs
@@ -128,6 +128,8 @@ impl<'ctx> AsyncSigningSession<'ctx> {
             return Err(SigstoreError::ExpiredSigningSession());
         }
 
+        // TODO(tnytown): verify SCT here, sigstore-rs#326
+
         // Sign artifact.
         let input_hash: &[u8] = &hasher.clone().finalize();
         let mut signature_bytes = Vec::new();

diff --git a/src/verify/verifier.rs b/src/verify/verifier.rs
@@ -103,6 +103,8 @@ impl<'a, R: Repository> Verifier<'a, R> {
 
         debug!("signing certificate chains back to trusted root");
 
+        // TODO(tnytown): verify SCT here, sigstore-rs#326
+
         // 2) Verify that the signing certificate belongs to the signer.
         if let Some(err) = policy.verify(&materials.certificate) {
             return Err(err)?;