Is your feature request related to a problem? Please describe.
Today, GUAC has a Verifier interface to link a given payload to an identity. Currently, the only implementation of this interface is for Sigstore signatures.
Describe the solution you'd like
As per the description on the project page, Notary Project "is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts". While Notary Project primarily supports signing OCI images and OCI artifacts, it will soon support signing arbitrary blobs as well. Notary Project is a CNCF Incubating project and recently announced their 1.0 release. As the Notary Project gains further adoption, GUAC should support the capability to verify Notary Project signatures.
Describe alternatives you've considered
Outside of Sigstore and Notary Project, OpenPubkey is a protocol that exists to bind identities to public keys. Recently, Docker has announced their intention to use OpenPubkey to sign Docker Official images. This should also be supported by GUAC and a separate issue should be created for this.
Additional context
While GUAC's support of identities and signature verification is in an early state, there should be some design discussion around how multiple Verifiers will work. Today, in guacone collect, only the SigstoreVerifier is registered. A user should be able to either select the verifier they wish to use, or GUAC should be able to guess what type of signature is being collected and use the appropriate Verifier for the given signature.
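One way the verifier selection sketched in the issue could work, as an added example that is neither GUAC's code nor the issue author's. The Verifier interface shape, the Sigstore bundle mediaType prefix, the Notary JWS content type and the COSE_Sign1 leading CBOR tag used for format sniffing are all assumptions made for illustration, and the sample envelopes are constructed inputs, not real signatures. Explicit selection always wins; auto-detection only succeeds when exactly one registered verifier recognises the envelope, and unknown or ambiguous envelopes are rejected rather than guessed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Verifier is an assumed, illustrative shape; GUAC's real interface may differ.
// Matches is the format-sniffing hook used for auto-detection.
type Verifier interface {
	Type() string
	Matches(envelope []byte) bool
}

// sigstoreVerifier recognises a Sigstore bundle by its mediaType field
// (assumed prefix "application/vnd.dev.sigstore.bundle").
type sigstoreVerifier struct{}

func (sigstoreVerifier) Type() string { return "sigstore" }

func (sigstoreVerifier) Matches(env []byte) bool {
	var bundle struct{ MediaType string `json:"mediaType"` }
	if json.Unmarshal(env, &bundle) != nil {
		return false
	}
	return strings.HasPrefix(bundle.MediaType, "application/vnd.dev.sigstore.bundle")
}

// Assumed Notary payload content type carried in the JWS protected header.
const notaryPayloadCty = "application/vnd.cncf.notary.payload.v1+json"

// notaryVerifier recognises a COSE_Sign1 envelope (leading CBOR tag 18, 0xd2)
// or a JWS JSON envelope whose protected header carries the Notary cty.
type notaryVerifier struct{}

func (notaryVerifier) Type() string { return "notary" }

func (notaryVerifier) Matches(env []byte) bool {
	if len(env) > 0 && env[0] == 0xd2 {
		return true
	}
	var jws struct{ Protected string `json:"protected"` }
	if json.Unmarshal(env, &jws) != nil || jws.Protected == "" {
		return false
	}
	raw, err := base64.RawURLEncoding.DecodeString(jws.Protected)
	if err != nil {
		return false
	}
	var hdr struct{ Cty string `json:"cty"` }
	return json.Unmarshal(raw, &hdr) == nil && hdr.Cty == notaryPayloadCty
}

// DefaultRegistry registers more than the single Sigstore verifier.
func DefaultRegistry() []Verifier {
	return []Verifier{sigstoreVerifier{}, notaryVerifier{}}
}

// Select picks a verifier: an explicit request wins; otherwise exactly one
// verifier must recognise the envelope. Failing closed on unknown or ambiguous
// input avoids routing a malformed signature to a verifier by accident.
func Select(registry []Verifier, requested string, env []byte) (Verifier, error) {
	if requested != "" {
		for _, v := range registry {
			if v.Type() == requested {
				return v, nil
			}
		}
		return nil, fmt.Errorf("no verifier registered for %q", requested)
	}
	var matches []Verifier
	for _, v := range registry {
		if v.Matches(env) {
			matches = append(matches, v)
		}
	}
	switch len(matches) {
	case 1:
		return matches[0], nil
	case 0:
		return nil, errors.New("unrecognised signature envelope; select a verifier explicitly")
	default:
		names := make([]string, 0, len(matches))
		for _, m := range matches {
			names = append(names, m.Type())
		}
		return nil, fmt.Errorf("ambiguous envelope, matched by %s", strings.Join(names, ", "))
	}
}

// Constructed sample envelopes with just enough structure for detection.
func SampleSigstoreBundle() []byte {
	return []byte(`{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{}}`)
}

func SampleNotaryJWS() []byte {
	protected := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"PS256","cty":"` + notaryPayloadCty + `"}`))
	return []byte(`{"payload":"","protected":"` + protected + `","signature":""}`)
}

func SampleNotaryCOSE() []byte { return []byte{0xd2, 0x84} } // tag 18 + array(4) header

func main() {
	reg := DefaultRegistry()
	for _, env := range [][]byte{SampleSigstoreBundle(), SampleNotaryJWS(), SampleNotaryCOSE(), []byte(`{"foo":1}`)} {
		if v, err := Select(reg, "", env); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("auto-detected:", v.Type())
		}
	}
}
```

Sniffing only decides which verifier runs; it must never stand in for verification itself, and a collector that cannot classify an envelope should surface the error instead of silently skipping the signature.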
I am a maintainer for CNCF Notary Project. Glad to see this proposal. It would be helpful to extend the GUAC ecosystem with support for more types of signatures/signing tools in its Verifier.