cosign
Lightweight verification library/module
This came up in the context of OPA in slack - they'd like to provide a builtin for verifying signatures, which would ideally depend only on the Go stdlib. Cosign today links in a bunch of dependencies on things like cloud KMS signers and even the OCI registry clients. We should figure out a way to provide a lightweight library with NO dependencies that can validate signatures. This would require that the user pre-fetch all the signature information (including any kind of trust bundle) and provide the trust roots to validate against (public keys and certificates).
cc @dekkagaijin @srenatus
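As an added sketch of the stdlib-only verifier this issue asks for (example code, not code from the cosign project), the block below checks a cosign-style key-based signature: an ECDSA P-256 signature over the SHA-256 of the payload, DER-encoded and then base64-encoded, against a PEM PKIX public key the caller has already fetched. MakeFixture, the function names and the payload are constructed here so it runs offline; it covers raw key verification only, not certificate chains or transparency-log bundles.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
)

// digest returns the SHA-256 of b; cosign signs this digest, not the raw payload.
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// VerifyPayload checks a base64, DER-encoded ECDSA P-256 signature over payload
// against a PEM "PUBLIC KEY" (PKIX) trust root, using only the Go stdlib.
func VerifyPayload(pubPEM, payload []byte, sigB64 string) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("trust root is not a PEM PUBLIC KEY block")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes) // key is nil on error
	ecKey, ok := key.(*ecdsa.PublicKey)              // comma-ok never panics
	if err != nil || !ok || ecKey.Curve != elliptic.P256() {
		return errors.New("trust root is not an ECDSA P-256 public key")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(ecKey, digest(payload), sig) {
		return errors.New("signature does not match payload and key")
	}
	return nil
}

// MakeFixture builds a throwaway key pair and signs payload the way a cosign
// signer would, so the verifier can be exercised offline. Constructed test data.
func MakeFixture(payload []byte) (pubPEM []byte, sigB64 string, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for a P-256 key
	pubPEM = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(payload))
	return pubPEM, base64.StdEncoding.EncodeToString(sig), err
}
```

In a real deployment the PEM key and base64 signature would come from the pre-fetched signature material the issue describes, and VerifyPayload would be called with those values instead of the fixture.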
Jake - any ideas if this should go here or into sigstore/sigstore? Or do we need a new "verify only" module somewhere? I forget how aggressively go mod will prune transitive deps...
AFAIK having such a package within this module should be fine.
How can we get involved in it with @Dentrax, because we are really, really interested in this topic 🤩
Go for it! I'm not sure how much refactoring would be needed, but the idea is just some kind of package that can do as much verification as possible using only the stdlib!
Would be great if it could become a full-fledged light-weight verification binary. We also noticed that cosign has a significant size, especially when used in a container setting.
I am interested in this as well. Has any work been done on how to carve this out? Where should one begin? I am considering adding validation of Crossplane Packages signed with cosign to the Crossplane project. See: https://github.com/crossplane/crossplane/issues/3048
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 5 days with no activity.