Request to support non-identity based cert as verifier #1318
Labels
enhancement
New feature or request
Comments
|
I might suggest to align with future changes to the Cosign UI and other sigstore libraries, rather than taking in a certificate chain which contains a root & some number of intermediates, take in each of those as separate options. openssl has an example of such, that a root is referred to as "trusted" CA certificates, and intermediates are "untrusted" or chain building CA certificates. In sigstore/cosign#3464, this proposes using The benefit of this is that the caller is not responsible for constructing the valid chain, the library is. And if you have a more complex PKI, for example multiple intermediates issued by a root, you don't need to provide multiple chains. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Based on clusterImagePolicy API, it has options to accept key, keyless authority. Can we also support non-identity based cert as verifier to verify signatures, such as https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/verify/verify.go#L239-L268
The text was updated successfully, but these errors were encountered: