Sigstore bundle support
woodruffw opened this issue · 7 comments
Description
As identified in #274: this client should support the bundle format defined in protobuf-specs for both signing and verification!
This will also unblock integration with the conformance suite, which tests for bundle support.
It looks like https://docs.rs/protobuf/latest/protobuf/ is the most mature protobuf library for Rust, so we'll probably want to go with that.
CC @jleightcap
This may be blocked on #83 -- @lkatalin or @lukehinds might have some more details
@woodruffw I don't think there is anything more to update since that was raised. It should not be hard to implement though (verify locally). I am absolutely slammed out with other stuff at the moment, not sure if @lkatalin has any cycles to take this on. I will add it to my tracking notes though, as getting sigstore-rs protobuf aligned would definitely be a step forwards.
Okay, thanks for the update @lukehinds! I've asked @jleightcap to take a look at this.
Thanks, now in progress -- I'll add comments/questions to this issue as I get further.
CC @tnytown
As part of this work, I took another look at the client's certificate validation logic. It looks like both webpki and picky were considered for validation as part of #32, but webpki was dropped as it didn't support checking EKUs against custom non-TLS profiles at the time. Now that rustls/webpki has implemented a new verify_is_valid_cert, I'll refactor the validation logic with webpki.
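The last comment turns on what "checking EKUs against a custom non-TLS profile" means: a TLS-oriented validator only knows id-kp-serverAuth / id-kp-clientAuth, whereas a signing client has to require its own key purpose. The following is an added, standalone illustration (not sigstore-rs, webpki or picky code) that decodes an X.509 ExtendedKeyUsage extension value (a DER SEQUENCE OF OBJECT IDENTIFIER) with std only and checks it against a caller-supplied profile. The assumed profile here requires id-kp-codeSigning (1.3.6.1.5.5.7.3.3); the DER byte strings in `main` are constructed for the example, not taken from any real certificate.

```rust
// Added example: strict EKU check against a custom (non-TLS) profile.
// Parses the DER value of the extKeyUsage extension (RFC 5280 section 4.2.1.12):
//   ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (OBJECT IDENTIFIER)
// Assumed profile for the demo: the certificate must carry id-kp-codeSigning.

pub const OID_CODE_SIGNING: &str = "1.3.6.1.5.5.7.3.3"; // id-kp-codeSigning
pub const OID_SERVER_AUTH: &str = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth (TLS)

#[derive(Debug, PartialEq)]
pub enum EkuError {
    Truncated,
    BadTag(u8),
    BadLength,
    BadOid,
}

/// Read one DER TLV with the expected tag; returns (value, remaining bytes).
fn read_tlv(input: &[u8], expected_tag: u8) -> Result<(&[u8], &[u8]), EkuError> {
    let (&tag, rest) = input.split_first().ok_or(EkuError::Truncated)?;
    if tag != expected_tag {
        return Err(EkuError::BadTag(tag));
    }
    let (&first_len, rest) = rest.split_first().ok_or(EkuError::Truncated)?;
    let (len, rest) = if first_len < 0x80 {
        (usize::from(first_len), rest) // short-form length
    } else {
        // long-form length: low 7 bits give the number of length bytes (cap at 2 here)
        let n = usize::from(first_len & 0x7f);
        if n == 0 || n > 2 || rest.len() < n {
            return Err(EkuError::BadLength);
        }
        let len = rest[..n].iter().fold(0usize, |acc, &b| (acc << 8) | usize::from(b));
        (len, &rest[n..])
    };
    if rest.len() < len {
        return Err(EkuError::Truncated);
    }
    Ok(rest.split_at(len))
}

/// Decode the body of an OBJECT IDENTIFIER into dotted notation.
fn decode_oid(body: &[u8]) -> Result<String, EkuError> {
    // Empty body, or a trailing byte with the continuation bit set, is malformed.
    if body.last().map_or(true, |b| b & 0x80 != 0) {
        return Err(EkuError::BadOid);
    }
    let mut arcs: Vec<u64> = Vec::new();
    let mut acc: u64 = 0;
    let mut first = true;
    for &b in body {
        acc = acc.checked_mul(128).ok_or(EkuError::BadOid)? | u64::from(b & 0x7f);
        if b & 0x80 == 0 {
            if first {
                // The first two arcs are packed as 40*X + Y (X is 0, 1 or 2).
                let (x, y) = if acc < 80 { (acc / 40, acc % 40) } else { (2, acc - 80) };
                arcs.push(x);
                arcs.push(y);
                first = false;
            } else {
                arcs.push(acc);
            }
            acc = 0;
        }
    }
    Ok(arcs.iter().map(u64::to_string).collect::<Vec<_>>().join("."))
}

/// Parse an ExtKeyUsageSyntax value into the list of KeyPurposeId OIDs it carries.
pub fn parse_eku(der: &[u8]) -> Result<Vec<String>, EkuError> {
    let (seq, trailing) = read_tlv(der, 0x30)?; // SEQUENCE
    if !trailing.is_empty() {
        return Err(EkuError::BadLength); // trailing garbage after the extension value
    }
    let mut oids = Vec::new();
    let mut cur = seq;
    while !cur.is_empty() {
        let (oid, rest) = read_tlv(cur, 0x06)?; // OBJECT IDENTIFIER
        oids.push(decode_oid(oid)?);
        cur = rest;
    }
    if oids.is_empty() {
        return Err(EkuError::BadOid); // RFC 5280 requires at least one KeyPurposeId
    }
    Ok(oids)
}

/// Strict profile check: every required purpose must be listed explicitly.
/// anyExtendedKeyUsage is deliberately not treated as a wildcard.
pub fn satisfies_profile(der: &[u8], required: &[&str]) -> Result<bool, EkuError> {
    let present = parse_eku(der)?;
    Ok(required.iter().all(|r| present.iter().any(|p| p == r)))
}

fn main() {
    // Constructed DER: SEQUENCE { OID 1.3.6.1.5.5.7.3.3 }  (code signing only)
    let signing_only = [0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03];
    // Constructed DER: SEQUENCE { OID 1.3.6.1.5.5.7.3.1 }  (TLS server auth only)
    let tls_only = [0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01];
    println!("signing cert ok: {:?}", satisfies_profile(&signing_only, &[OID_CODE_SIGNING]));
    println!("tls cert ok:     {:?}", satisfies_profile(&tls_only, &[OID_CODE_SIGNING]));
}
```

The point of the strict check is the one the comment alludes to: a validator that only asks "is this a valid TLS server certificate?" would reject a signing certificate outright, while a validator that ignores EKU would accept a TLS certificate for signing. Requiring the profile's own purpose, and treating malformed or truncated extension bytes as a hard error, avoids both.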