
Add direct server support for attached signature formats

Open dlorenc opened this issue 4 years ago • 2 comments

cc @puiterwijk

This could include things like

  • RPMs which bundle signatures into a special header
  • Maven artifacts
  • The Windows PE file format
  • ELF xattrs

dlorenc avatar Jan 12 '21 14:01 dlorenc

For something like an RPM, I think this would consist of changing the API to allow specifying an RPM file (URL or raw) and public key. The server would then understand how to unpack that RPM to extract the signature bits, and then to verify against the public key.

dlorenc avatar Jan 12 '21 14:01 dlorenc
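To make the "unpack the RPM to extract the signature bits" step concrete, here is an added Python example; it is not rekor's code and not part of this issue. It parses the RPM lead and the two header structures (signature header, then main header, padded to an 8-byte boundary as rpm writes them), pulls the OpenPGP signature blob out of the signature header (RSAHEADER tag 268, falling back to the legacy PGP tag 1002), and checks the SHA256HEADER tag (273) against the main header bytes. The actual OpenPGP verification of that blob against the supplied public key is left to an OpenPGP library; the sample package is constructed in `build_sample_rpm` with a placeholder signature packet, and the tag numbers and type codes come from rpm's header format.

```python
"""Extract the signature bits from an RPM (added example, not rekor code)."""
import hashlib
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
LEAD_SIZE = 96  # fixed-size lead preceding the signature header

# Signature-header tags (rpmtag.h) that carry the bits a verifier needs.
SIGTAG_RSAHEADER = 268      # OpenPGP RSA signature over the main header
SIGTAG_SHA256HEADER = 273   # hex SHA-256 of the main header bytes
SIGTAG_PGP = 1002           # legacy signature over header + payload

TYPE_STRING = 6
TYPE_BIN = 7


def parse_header(buf, pos):
    """Parse one RPM header structure at buf[pos].

    Returns (entries, end): entries maps tag -> bytes for STRING and BIN
    tags, end is the offset just past the header's data store.
    """
    if buf[pos:pos + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % pos)
    nindex, hsize = struct.unpack(">II", buf[pos + 8:pos + 16])
    index_start = pos + 16
    data_start = index_start + nindex * 16
    entries = {}
    for i in range(nindex):
        tag, typ, offset, count = struct.unpack(
            ">iIiI", buf[index_start + i * 16:index_start + (i + 1) * 16])
        if typ == TYPE_STRING:  # NUL-terminated, count is always 1
            end = buf.index(b"\0", data_start + offset)
            entries[tag] = buf[data_start + offset:end]
        elif typ == TYPE_BIN:   # count is the byte length
            entries[tag] = buf[data_start + offset:data_start + offset + count]
        # other tag types are not needed for signature extraction
    return entries, data_start + hsize


def extract_signature_bits(rpm):
    """Return (signature blob, main header bytes, recorded sha256 hex)."""
    if rpm[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    sig, end = parse_header(rpm, LEAD_SIZE)
    hdr_start = (end + 7) & ~7  # signature header is padded to 8 bytes
    _, hdr_end = parse_header(rpm, hdr_start)
    header = rpm[hdr_start:hdr_end]  # exactly what RSAHEADER signs
    sig_blob = sig.get(SIGTAG_RSAHEADER) or sig.get(SIGTAG_PGP)
    if sig_blob is None:
        raise ValueError("RPM carries no OpenPGP signature")
    return sig_blob, header, sig.get(SIGTAG_SHA256HEADER, b"").decode()


def header_digest_matches(rpm):
    """Check the SHA256HEADER tag against the actual main header bytes."""
    _, header, recorded = extract_signature_bits(rpm)
    return hashlib.sha256(header).hexdigest() == recorded


def build_header(entries):
    """Serialise {tag: (type, bytes)} into an RPM header structure."""
    index, data = b"", b""
    for tag, (typ, value) in entries.items():
        if typ == TYPE_STRING:
            value, count = value + b"\0", 1
        else:
            count = len(value)
        index += struct.pack(">iIiI", tag, typ, len(data), count)
        data += value
    return (HEADER_MAGIC + b"\0" * 4
            + struct.pack(">II", len(entries), len(data)) + index + data)


def build_sample_rpm(fake_sig=b"\x89\x01CONSTRUCTED-PGP-PACKET"):
    """Constructed two-header RPM with a placeholder signature packet."""
    lead = RPM_LEAD_MAGIC + bytes([3, 0]) + b"\0" * 90  # 96 bytes total
    header = build_header({1000: (TYPE_STRING, b"demo"),   # RPMTAG_NAME
                           1001: (TYPE_STRING, b"1.0")})   # RPMTAG_VERSION
    digest = hashlib.sha256(header).hexdigest().encode()
    sig = build_header({SIGTAG_SHA256HEADER: (TYPE_STRING, digest),
                        SIGTAG_RSAHEADER: (TYPE_BIN, fake_sig)})
    pad = (-len(sig)) % 8
    return lead + sig + b"\0" * pad + header


if __name__ == "__main__":
    pkg = build_sample_rpm()
    blob, hdr, rec = extract_signature_bits(pkg)
    print("signature bytes:", len(blob), "header bytes:", len(hdr))
    print("header digest ok:", header_digest_matches(pkg))
```

The digest check only proves the signature header and main header belong together; authenticity comes from verifying the returned blob over the returned header bytes with the caller's public key, which is the step the server would add on top of this.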

What are the thoughts on adding support for the CLI to introspect file type and create a Rekord type entry for a wider set of artifacts?

I created the server support for RPMs in #130 but also wondering if we could/should do some of this in the CLI as well (through something like https://github.com/sassoftware/relic)?

bobcallaway avatar Feb 01 '21 16:02 bobcallaway

Closing since this was added for RPMs/JARs/Alpine images

haydentherapper avatar Jan 03 '23 04:01 haydentherapper