CLI: Verification should support complex policies via a policy file input

Open woodruffw opened this issue 2 years ago • 2 comments

This issue has a few blockers, including coordination with the broader Sigstore community on a machine-readable policy format.

Key components:

  • The sigstore verify subcommands should take a --policy <FILE> or similar option, which would read in the policy file to use during verification.
  • ...or there would be a separate sigstore verify policy subcommand, since sigstore verify identity and sigstore verify github already imply basic policies.

CC @di for visibility.

woodruffw · Apr 24 '23 19:04

Would it be worthwhile creating a verification policy in protobuf-specs? We can start relatively barebones, something like:

  • List of tuple of (identity, issuer)
  • Issuer could have aliases for common issuers
  • Syntax for CI identities, pulling from https://github.com/sigstore/cosign/issues/2691
  • No regular expressions would be my preference

Hayden-IO · May 30 '23 21:05
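One way the proposed shape (a list of exact (identity, issuer) pairs, issuer aliases, no regular expressions) could be read from a file and evaluated, as an added example for this thread rather than code from sigstore-python; the JSON layout, the alias table, and the function names are assumptions, since no format has been agreed yet:

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Alias table, constructed for this example: the proposal only says common issuers
# "could have aliases"; a real table would be agreed upon in protobuf-specs.
ISSUER_ALIASES = {
    "github": "https://token.actions.githubusercontent.com",
    "google": "https://accounts.google.com",
}

@dataclass(frozen=True)
class PolicyEntry:
    identity: str  # certificate SAN: an email, or a CI workflow URL with its ref
    issuer: str    # OIDC issuer URL recorded in the certificate

def resolve_issuer(name: str) -> Optional[str]:
    """Expand an alias to its issuer URL, pass https URLs through, reject the rest."""
    if name in ISSUER_ALIASES:
        return ISSUER_ALIASES[name]
    return name if name.startswith("https://") else None

def load_policy(text: str) -> List[PolicyEntry]:
    """Parse the hypothetical JSON shape {"allowed": [{"identity": ..., "issuer": ...}]}."""
    entries = []
    for raw in json.loads(text)["allowed"]:
        issuer = resolve_issuer(raw["issuer"])
        if issuer is None:
            raise ValueError(f"unknown issuer alias or non-https issuer: {raw['issuer']!r}")
        entries.append(PolicyEntry(identity=raw["identity"], issuer=issuer))
    return entries

def verify(entries: List[PolicyEntry], identity: str, issuer: str) -> bool:
    """Accept only if one entry matches BOTH identity and issuer exactly: no regex or
    glob matching, and an empty policy fails closed."""
    return any(e.identity == identity and e.issuer == issuer for e in entries)

# Constructed sample policy file contents for this example.
SAMPLE_POLICY = """{"allowed": [
  {"identity": "release@example.com", "issuer": "google"},
  {"identity": "https://github.com/example/project/.github/workflows/release.yml@refs/heads/main",
   "issuer": "github"}
]}"""
```

The identity and issuer strings passed to `verify` are the values a verifier would already have extracted from the Fulcio certificate; matching on both together is what stops an identity issued by a different OIDC provider from satisfying the policy.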

cc @jku

Hayden-IO · May 30 '23 21:05