
Support generating offline Rekor bundles

Open · di opened this issue 3 years ago · 1 comment

Description

Similar to cosign's --bundle flag, we should support generating offline Rekor bundles as well:

E.g. from cosign:

--bundle string         write everything required to verify the blob to a FILE

This is likely a logical first step before #52.

di, Sep 06 '22 19:09

Just adding some context or comments or lessons learned from cosign:

There's a proposal for a more specified bundle: https://github.com/sigstore/cosign/issues/2131. Depending on your timeline, of course, you may just want to use a basic copy of the Rekor bundle without relying on this issue's resolution.

Note that cosign's current --bundle output has something of the format:

{
  "base64Signature": "...",
  "cert": "...",
  "rekorBundle": { ... }
}

When using the cosign CLI, it's hairy to use the base64Signature in favor of the signature potentially given in the CLI argument --signature. Likewise, definitely use diligence to make sure that rekorBundle actually applies to the artifact that it's intended to verify!

asraa, Sep 08 '22 16:09