SURFscz / SRAM-deploy

Deploy scripts for the SCZ
Apache License 2.0

Pyff should be able to verify metadata signatures using a CA #455

Closed baszoetekouw closed 10 months ago

baszoetekouw commented 1 year ago

When verifying metadata files, Pyff needs the exact signing certificate. Add an option so Pyff can also verify the metadata signature based on a CA.

So: CA has signed metadata key and metadata is signed by metadata key, but Pyff only trusts CA and should build a trust chain for the metadata signature.
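The trust model requested in the comment above, as an added example that is not part of the issue thread and is not pyFF or pyXMLSecurity code: the verifier holds only the CA certificate, checks that the CA issued the signing certificate, then checks the metadata signature with that certificate's key. Assumptions: the `cryptography` package, EC P-256 keys, a one-level chain with no revocation check, and a signature over raw bytes rather than a canonicalised XML-DSig; all names, keys and certificates are constructed.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)
ECDSA = ec.ECDSA(hashes.SHA256())  # assumption: every key here is EC P-256

def make_cert(cn, key, issuer_cn, issuer_key, is_ca):  # constructed test cert, made-up names
    name = lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def _when(cert, attr):  # validity bound as aware UTC on old and new library releases
    value = getattr(cert, attr + "_utc", None)
    return value or getattr(cert, attr).replace(tzinfo=timezone.utc)

def verify_via_ca(data, signature, signer_cert, ca_cert):
    """True only if ca_cert issued signer_cert and signer_cert's key signed data."""
    try:
        bc = ca_cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        in_window = all(_when(c, "not_valid_before") <= NOW <= _when(c, "not_valid_after")
                        for c in (signer_cert, ca_cert))
        if not (bc.ca and in_window and signer_cert.issuer == ca_cert.subject):
            return False
        # Step 1: the CA is the only trust anchor; it must have signed the signer cert.
        ca_cert.public_key().verify(signer_cert.signature, signer_cert.tbs_certificate_bytes, ECDSA)
        # Step 2: the signer key, now trusted, must have signed the metadata bytes.
        signer_cert.public_key().verify(signature, data, ECDSA)
        return True
    except (InvalidSignature, x509.ExtensionNotFound):
        return False

def demo():
    ca_key, md_key, rogue_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = make_cert("Example CA", ca_key, "Example CA", ca_key, True)
    signer = make_cert("metadata-signer", md_key, "Example CA", ca_key, False)
    rogue = make_cert("metadata-signer", rogue_key, "Example CA", rogue_key, False)
    metadata = b"<EntitiesDescriptor>constructed sample</EntitiesDescriptor>"
    sig, rogue_sig = md_key.sign(metadata, ECDSA), rogue_key.sign(metadata, ECDSA)
    return {"chained": verify_via_ca(metadata, sig, signer, ca),
            "tampered": verify_via_ca(metadata + b"x", sig, signer, ca),
            "rogue": verify_via_ca(metadata, rogue_sig, rogue, ca)}
```

The `rogue` case copies the CA's name into its issuer field but is signed by a different key, so it is rejected at step 1 even though its own signature over the metadata is valid.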

mrvanes commented 1 year ago

https://github.com/IdentityPython/pyXMLSecurity/pull/74

baszoetekouw commented 10 months ago

Works. Fixed in ec08c52982761f151eb77a004658369ac6381367 and https://gitlab.surf.nl/sram/sram-deploy-aws/-/commit/1413587bc983b0138880df02ced49d610d78ea5a