sigstore-rs icon indicating copy to clipboard operation
sigstore-rs copied to clipboard

Published 20 hours ago verified publisher icon sigstore

Signed Certificate Timestamp verification

Open tnytown opened this issue 1 year ago • 4 comments

~~Blocked on #311.~~

Summary

Adds Signed Certificate Timestamp verification and hooks it up to the bundle signing flow. SCT verification ensures that the signing certificate in a given operation has been submitted to the Certificate Transparency log, which aids in the detection of malicious certificates and keeps Certificate Authorities like Fulcio honest.

Release Note

  • Implemented Signed Certificate Timestamp validation for certificates used in Sigstore Bundle operations.

Documentation

No user-facing documentation needed, we automatically perform SCT validation when public sign and verify APIs are used.

tnytown avatar Jan 22 '24 22:01 tnytown

This is ready for review, but we should get #311 in first.

tnytown avatar Feb 28 '24 00:02 tnytown

CC @flavio, please take a look at this one after #311; ~~the pertinent changes are at https://github.com/sigstore/sigstore-rs/pull/326/commits/c9ad592d3af61df42149c06bdda0e076c346ceab~~ :)

tnytown avatar Apr 10 '24 23:04 tnytown

@tnytown is this one ready to be reviewed?

flavio avatar Apr 22 '24 12:04 flavio

is this one ready to be reviewed?

Yes, thanks for the ping @flavio!

tnytown avatar Apr 23 '24 03:04 tnytown