Bob Callaway
I was able to reproduce it now and see the issue.
@cpanato I think you were doing this previously, but I don't see them either for the last release?
we should at least provide updates to docs that help people verify our release artifacts, so I think a doc change is all that's needed here. On Wed, Oct 26,...
> Right now, Rekor signs the representation of the Rekor entry as-provided. Most Rekor entries are JSON, so there's no canonical encoding.
That is incorrect: Rekor canonicalizes the entry before...
The type-specific code does call `json.Marshal`, but it is wrapped by this call: https://github.com/sigstore/rekor/blob/05d92d3c8e306a6032a56742a42127a82a1d0773/pkg/types/entries.go#L151 which uses github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer
There are many other canonicalization topics to consider, including PKI artifacts (DER vs PEM encoding), PGP binary VS armored keys, etc.
Simplifying the input and output formats has been on my mind (triggered by much of the bundle dialog), so would love to collaborate on a doc / proto on this...
I realized that the requirement for the user to compute a hash was present in intoto:0.0.2 when researching #1164 and this is not desirable behavior, as the server should be...
Also, would appreciate @codysoyland @kommendorkapten @asraa @bdehamer feedback on this (as an example for a broader doc): In trying to resolve #1164 and #1139, we'll need to add another version...
> Maybe, and consider a scenario where the envelope has multiple signatures, but the client only has access to one key. In this scenario, the client would not be able...