sigstore-python
sigstore-python copied to clipboard
sigstore
Support other signature and hash types
We have some hardcoded assumptions that we're using ECDSA keys with SHA256 hashes to generate signatures. Fulcio supports other signing and hashing algorithms so we should allow them too. For example, the staging instance is currently using an RSA CTFE key for signing.
Fulcio supports other signing and hashing algorithms so we should allow them too.
Yep. I'll double-check this, but I think the parameters we specifically need to support are:
- RSA (>= 2048-bit only) + SHA256
- ECDSA + SHA256
It might make sense to support other hash algorithms as well, but I believe Fulcio only uses SHA256 at the moment.
Fulcio supports other signing and hashing algorithms so we should allow them too.
Yep. I'll double-check this, but I think the parameters we specifically need to support are:
- RSA (>= 2048-bit only) + SHA256
- ECDSA + SHA256
It might make sense to support other hash algorithms as well, but I believe Fulcio only uses SHA256 at the moment.
You're probably right. I was just looking at the IETF spec and saw that the enumerations have lots of different values, but I didn't check that Fulcio supports them all.
Let's prioritize this after embedded SCT support (#30); that PR will probably be over-restrictive, which is fine for now.
@woodruffw Sorry, I linked this issue to #84. From your comment, sounds like there's still more to do here.
I can take a look at it tomorrow. What did you have in mind?
No problem. Yeah, I think the only thing left to do here is to relax some of the checks in #84. But they're not currently impacting any active instances (that we know of), so I think we can hold off here until the cryptography release lands.