Align with NordLEI file signing

2byrds commented 3 months ago

@lenkan will work with us to align with their signing format

2byrds commented 3 weeks ago

Some notes from a recent round of testing @aydarng:

Avoiding text related issues for files across windows and linux we should sign the binary of the files (not the text encoding). The server has been updated to do that.
reg-pilot file signing and verification confirms how to do this using signify-ts (likely what NordLEI is already doing).

lenkan commented 3 weeks ago

Thanks for providing the example code. I used this as the reference: https://github.com/GLEIF-IT/reg-pilot/blob/69121800e693a300477e8eaa3966e4333f7817d9/signify-ts-test/test/report.test.ts#L288-L294

The difference between that implementation and our implementation is that we are creating a SHA-256 digest of the raw file first, then we are signing the digest. The reason for that is to avoid sending the entire files from web app to extension. From my understanding, we cannot and should not send too large messages over the IPC channel.

2byrds commented 2 weeks ago

Per https://github.com/GLEIF-IT/reg-pilot/discussions/41 we will expect/validate SHA-256 prefixed digests through the api/verifier: https://github.com/GLEIF-IT/reg-pilot-api/issues/23 https://github.com/GLEIF-IT/vlei-verifier/issues/25

GLEIF-IT / vlei-verifier

Align with NordLEI file signing #10