Sign with a passkey signature

Open gedw99 opened this issue 1 year ago • 1 comments

Question

I use passkeys to identify orgs and users when they sign in to a golang system that I am working on.

The system produces artifacts into their GitHub or other git servers. These are binaries, WASM, text files.

I plan to produce an SBOM of these artefacts also as an artefact.

Other users can then use those artefacts at runtime in the system.

So I was wondering about using the passkey signature to sign their artefacts.

WASM is the main thing that is run by third parties, because it gives a measure of security sandboxing. But the binaries also.

I plan to team this up with fish food, which is a golang package distribution system, and make it real time with a pub sub overlay system.

https://github.com/tinned-fish/gofish

The core binaries that run the passkeys would need to be notarised by Apple and Microsoft in order for them to run on devs' and users' systems. I was thinking of doing notarisation and then co-signing in a 2-step process. But have no idea if this is workable.

Would appreciate feedback :)

gedw99, Aug 15 '24 10:08
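
The idea in the question, sketched as an added example (not part of the original issue and not cosign code): a passkey signs WebAuthn assertion data rather than arbitrary bytes, so the artifact's SHA-256 digest is carried as the assertion challenge and the verifier recomputes it from the artifact. ES256 credentials, the `example.test` RP ID and origin, and the names `VerifyArtifact` and `softAuthenticator` (a constructed software stand-in for a real authenticator) are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

type Assertion struct{ AuthData, ClientDataJSON, Sig []byte } // one WebAuthn get() result

func signedHash(authData, clientData []byte) []byte {
	cd := sha256.Sum256(clientData)
	h := sha256.Sum256(append(append([]byte{}, authData...), cd[:]...)) // authData || SHA-256(clientDataJSON)
	return h[:] // ES256 signs the SHA-256 of that concatenation
}

// VerifyArtifact accepts an assertion only if its challenge is base64url(SHA-256(artifact)).
func VerifyArtifact(pub *ecdsa.PublicKey, rpID, origin string, artifact []byte, a Assertion) error {
	var cd struct{ Type, Challenge, Origin string }
	rp, digest := sha256.Sum256([]byte(rpID)), sha256.Sum256(artifact)
	switch {
	case json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Origin != origin,
		len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(rp[:]) || a.AuthData[32]&1 == 0:
		return fmt.Errorf("assertion context rejected") // type, origin, RP ID hash or user-presence flag
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(digest[:]):
		return fmt.Errorf("artifact digest mismatch")
	case !ecdsa.VerifyASN1(pub, signedHash(a.AuthData, a.ClientDataJSON), a.Sig):
		return fmt.Errorf("bad signature")
	}
	return nil
}

// softAuthenticator is a constructed stand-in for a real passkey: throwaway P-256 key, demo input only.
func softAuthenticator(rpID, origin string, artifact []byte) (*ecdsa.PublicKey, Assertion) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rp, digest := sha256.Sum256([]byte(rpID)), sha256.Sum256(artifact)
	auth := append(rp[:], 0x05, 0, 0, 0, 1) // flags UP|UV, signCount 1
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "origin": origin, "challenge": base64.RawURLEncoding.EncodeToString(digest[:])})
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedHash(auth, cd))
	return &priv.PublicKey, Assertion{auth, cd, sig}
}

func main() {
	pub, a := softAuthenticator("example.test", "https://example.test", []byte("constructed artifact"))
	fmt.Println(VerifyArtifact(pub, "example.test", "https://example.test", []byte("constructed artifact"), a))
}
```

A verifier built this way has to keep `authenticatorData` and `clientDataJSON` alongside the signature, since the signature covers those bytes and not the artifact itself.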