
Request to support non-identity based cert as verifier

Open. karaguo opened this issue 1 year ago. 1 comment

Description

Based on the ClusterImagePolicy API, it has options to accept key or keyless authorities. Can we also support a non-identity-based cert as a verifier to verify signatures, such as https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/verify/verify.go#L239-L268?

karaguo, Mar 19 '24

I might suggest aligning with future changes to the Cosign UI and other sigstore libraries: rather than taking in a certificate chain which contains a root and some number of intermediates, take in each of those as separate options. openssl has an example of this, where a root is referred to as a "trusted" CA certificate and intermediates are "untrusted" or chain-building CA certificates. In https://github.com/sigstore/cosign/pull/3464, this proposes using ca-roots and ca-intermediates, which I think is fine nomenclature.

The benefit of this is that the caller is not responsible for constructing the valid chain; the library is. And if you have a more complex PKI, for example multiple intermediates issued by a root, you don't need to provide multiple chains.

Hayden-IO, Mar 20 '24
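The following is an added, stand-alone illustration of the "trusted roots plus untrusted intermediates" model the comment above describes; it is example code written for this page, not code from policy-controller, cosign or the linked PR. It uses only Go's standard crypto/x509 package (the same verifier those projects build on), builds two separate in-memory PKIs (constructed test data, not real trust roots), and shows that when roots and intermediates are passed as two separate pools the library does the chain building: a leaf from either PKI verifies against the combined pools, while a missing intermediate or an untrusted root is rejected. The names PKI, BuildPKI and VerifyLeaf are illustrative and are not an API of either project.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed three-tier hierarchy (root -> intermediate -> leaf)
// generated in memory for this example; it is not a real trust root.
type PKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent with parentKey and returns the parsed cert.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildPKI creates a self-signed root CA, one intermediate CA issued by it,
// and a code-signing leaf issued by the intermediate. name keeps PKIs distinct.
func BuildPKI(name string) PKI {
	now := time.Now()
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := ca(1, name+" Root CA")
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := sign(ca(2, name+" Intermediate CA"), root, &intKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: name + " signer"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := sign(leafTmpl, inter, &leafKey.PublicKey, intKey)
	return PKI{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyLeaf checks leaf against trusted roots and untrusted intermediates
// supplied as two separate sets (the ca-roots / ca-intermediates split).
// Path building from leaf to a trusted root is done by crypto/x509, so the
// caller never assembles a chain and can hand over every intermediate it has.
func VerifyLeaf(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) error {
	rootPool, intPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		intPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: intPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

func main() {
	a, b := BuildPKI("A"), BuildPKI("B")
	roots := []*x509.Certificate{a.Root, b.Root}
	inters := []*x509.Certificate{a.Intermediate, b.Intermediate}
	fmt.Println("A leaf, both PKIs in pools:", VerifyLeaf(a.Leaf, roots, inters))
	fmt.Println("B leaf, both PKIs in pools:", VerifyLeaf(b.Leaf, roots, inters))
	fmt.Println("A leaf, intermediates withheld:", VerifyLeaf(a.Leaf, roots, nil))
	fmt.Println("A leaf, only B root trusted:", VerifyLeaf(a.Leaf, []*x509.Certificate{b.Root}, inters))
}
```

The two negative cases are the ones a policy author cares about: withholding the intermediates makes the leaf unverifiable (no path to a root), and trusting only the other PKI's root fails even though the correct intermediate is present, because the intermediate pool is never treated as a trust anchor. Note that the leaf carries a code-signing EKU and the verifier asks for it explicitly; with no KeyUsages set, crypto/x509 defaults to server authentication and would reject a signing certificate.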