Add signature for digest #30

Status: Draft, 3 commits against base branch main.
Conversation

@mnm678 (Contributor) commented Jan 27, 2022

This PR prototypes adding signatures from the delegated targets metadata using the digest of the artifact.

The final version of this PR will rely on #25, so that the user can do the full workflow (delegate to a repository, upload signature to the repository), but for now it adds the signature to the top-level TUF repo.

Signed-off-by: Marina Moore <[email protected]>

@sudo-bmitch (Contributor) commented:
Are there any cases where we would need to sign annotations in the descriptor from TUF, or will that always be a layer below, in the manifest that we point to?

I'm still wrapping my head around this, so I'm working through the pros and cons of signing a user provided byte array vs marshalling the json ourselves. Including additional fields in the json using a user provided byte array is a big possible factor.

@mnm678 (Contributor, Author) commented Feb 8, 2022

> Are there any cases where we would need to sign annotations in the descriptor from TUF, or will that always be a layer below, in the manifest that we point to?
>
> I'm still wrapping my head around this, so I'm working through the pros and cons of signing a user provided byte array vs marshalling the json ourselves. Including additional fields in the json using a user provided byte array is a big possible factor.

Are the annotations included in the digest? If so they are signed by this.

In general, I'd be open to instead including the full descriptor in the custom metadata. My main reason for re-building it here was simplicity, but I imagine the registry libraries have an easy way to access the descriptor. I'll look into it.
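The two questions raised in this thread (whether descriptor annotations are covered by the digest, and what changes when the signer re-marshals the JSON instead of signing the caller's bytes) can be checked mechanically. The following is an added example written for this discussion; it is not code from this PR or from the project, and `Descriptor`, `DescribeBlob`, `Remarshal`, `WithManifestAnnotation` and the hand-written `ConstructedManifest` are all names and sample data assumed here. It computes the digest the way a registry does (a hash over the exact pushed bytes) and shows three things: annotations on the descriptor do not move the digest, annotations inside the manifest body do, and re-encoding the manifest with `encoding/json` yields different bytes, and so a different digest, than the original.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Descriptor is a minimal OCI content descriptor (only the fields needed here).
type Descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Size        int64             `json:"size"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

// ConstructedManifest is a hand-written, pretty-printed image manifest used as
// sample input for this example; the config digest is a placeholder, not a real blob.
var ConstructedManifest = []byte(`{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
    "size": 2
  },
  "layers": [],
  "annotations": {"org.opencontainers.image.title": "example"}
}`)

// Digest computes the content digest the way a registry does: a hash over the
// exact bytes that were pushed, with no re-encoding.
func Digest(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// DescribeBlob builds a descriptor that points at blob. The annotations passed
// here live in the descriptor itself, not in the blob, so they do not feed into
// the digest.
func DescribeBlob(mediaType string, blob []byte, annotations map[string]string) Descriptor {
	return Descriptor{
		MediaType:   mediaType,
		Digest:      Digest(blob),
		Size:        int64(len(blob)),
		Annotations: annotations,
	}
}

// Remarshal decodes the JSON and encodes it again with encoding/json. Go emits
// compact output with sorted keys, so the bytes (and hence the digest) differ
// from the original whenever the original used other whitespace or key order.
func Remarshal(blob []byte) ([]byte, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal(blob, &doc); err != nil {
		return nil, err
	}
	return json.Marshal(doc)
}

// WithManifestAnnotation adds an annotation inside the manifest body and
// re-encodes it. Because the annotation is part of the blob, the digest changes.
func WithManifestAnnotation(blob []byte, key, value string) ([]byte, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal(blob, &doc); err != nil {
		return nil, err
	}
	ann, _ := doc["annotations"].(map[string]interface{})
	if ann == nil {
		ann = map[string]interface{}{}
	}
	ann[key] = value
	doc["annotations"] = ann
	return json.Marshal(doc)
}

func main() {
	mt := "application/vnd.oci.image.manifest.v1+json"
	a := DescribeBlob(mt, ConstructedManifest, map[string]string{"org.example.note": "first"})
	b := DescribeBlob(mt, ConstructedManifest, map[string]string{"org.example.note": "second"})
	fmt.Println("descriptor annotations change the digest:", a.Digest != b.Digest)

	re, err := Remarshal(ConstructedManifest)
	if err != nil {
		panic(err)
	}
	fmt.Println("re-marshalled bytes keep the digest:", Digest(re) == a.Digest)

	withAnn, err := WithManifestAnnotation(ConstructedManifest, "org.example.note", "first")
	if err != nil {
		panic(err)
	}
	fmt.Println("manifest annotations change the digest:", Digest(withAnn) != Digest(re))
}
```

The practical consequence for a TUF-signed digest: whatever is recorded in the targets metadata only protects the bytes behind that digest, so descriptor-level annotations would need to be carried in the custom metadata (or the descriptor included there whole) to be covered, and a verifier must hash the bytes as stored in the registry rather than a locally re-encoded copy.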
