
Intoto v0.0.2

Open pxp928 opened this issue 1 year ago • 0 comments

Summary

The current implementation of the intoto type within Rekor does not persist the signatures from the wrapping DSSE envelope into the log entry stored by Trillian. This makes it impossible to independently verify the cryptographic validity of the entry without possession of the original DSSE envelope.

Based on the discussion and design doc, it was decided to create a v0.0.2 of the intoto Rekor type with changes from v0.0.1. In addition, it also persists multiple public keys and signatures.

Design Doc - https://docs.google.com/document/d/17gB598uEkoxx8j9sDhrvfhuNFHW5BSsWEiMP8POn8xo/edit?resourcekey=0-1H4eG4-4-UQYIEXZgj6AKQ#heading=h.6dq5va2kfzsw

Fixes https://github.com/sigstore/rekor/issues/582

Release Note

Adds new v0.0.2 for intoto type into rekor for support of DSSE envelope with multi signature and public key

Documentation

pxp928, Aug 15 '22 15:08
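The verification gap described in the summary, as an added Go example that is not part of the original issue and is not Rekor's code: an entry that keeps every DSSE signature with its public key can be checked from the log alone, while one stored without signatures cannot. The `Entry` struct, `Verify`, and `SampleEntry` are hypothetical names, the Ed25519 keys and payload are constructed, and only the DSSE pre-authentication encoding follows the DSSE specification.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// pae builds the DSSE pre-authentication encoding, the bytes signers actually sign.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Entry is a hypothetical stand-in for a persisted log entry (not Rekor's schema).
type Entry struct {
	PayloadType string
	Payload     []byte
	Keys        []ed25519.PublicKey // Keys[i] verifies Sigs[i]
	Sigs        [][]byte
}

// Verify checks every persisted signature over the PAE and returns how many passed.
func Verify(e Entry) (int, error) {
	if len(e.Sigs) == 0 || len(e.Sigs) != len(e.Keys) {
		return 0, errors.New("entry lacks signatures: original envelope required")
	}
	msg := pae(e.PayloadType, e.Payload)
	for i, sig := range e.Sigs {
		if !ed25519.Verify(e.Keys[i], msg, sig) {
			return i, fmt.Errorf("signature %d does not verify", i)
		}
	}
	return len(e.Sigs), nil
}

// SampleEntry builds a constructed two-signer entry; keepSigs=false models
// an entry stored without the envelope's signatures.
func SampleEntry(keepSigs bool) Entry {
	e := Entry{PayloadType: "application/vnd.in-toto+json", Payload: []byte(`{"_type":"https://in-toto.io/Statement/v0.1"}`)}
	for i := 0; i < 2 && keepSigs; i++ {
		pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
		e.Keys = append(e.Keys, pub)
		e.Sigs = append(e.Sigs, ed25519.Sign(priv, pae(e.PayloadType, e.Payload)))
	}
	return e
}

func main() {
	fmt.Println(Verify(SampleEntry(true)))
	fmt.Println(Verify(SampleEntry(false)))
}
```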