Closed adityasaky closed 1 week ago
cc @patzielinski @flandweber @neilnaveen
This makes much more sense since the verify commit cannot assure us that the ref is correctly verified, and the tags themselves are just special refs. We would have to add some code into verify-ref to handle tags for everything to work smoothly, or would we only want the basic verification we get from verify-ref? Thoughts?
I agree. I believe the most important benefit of this change is that it makes gittuf simpler to use.
We already handle tags separately via verifyTagEntry, so I think we're covered actually. I also have a change (ab1fa83bc406a4394217f0047f699e6292f3a933) coming that updates verifyTagEntry to use the verifier bits to enable attestations.
These workflows have some shortcomings, as discussed in https://github.com/gittuf/gittuf/issues/384#issuecomment-2099153472.
verify-commit doesn't currently do enough to ensure the right policy is identified for when a commit is first introduced. verify-ref, with some enhancements, is better.
verify-tag implements a subset of verify-ref already because it recognizes tags are refs. Thus, verify-ref is again a better option.
Note: this makes #431 a bit cleaner.
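The point made in this thread is that an annotated tag is just a ref that happens to point at a tag object, so a single ref verifier can cover tags by peeling the tag and checking each object it passes through against the policy selected for that ref. The following Go program is an added illustration of that dispatch, not gittuf's own code: `Repo`, `Policy`, `VerifyRef` and the in-memory sample data are constructed for this example, and the `Signer` field stands in for a real signature check that gittuf would perform.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ObjectKind models the two Git object types that matter here (constructed).
type ObjectKind int

const (
	CommitObject ObjectKind = iota
	TagObject
)

// Object is a simplified Git object. For a TagObject, Target is the ID the
// annotated tag points at. Signer stands in for the verified signing identity.
type Object struct {
	Kind   ObjectKind
	Target string
	Signer string
}

// Repo is a constructed in-memory store: ref name -> object ID, object ID -> object.
type Repo struct {
	Refs    map[string]string
	Objects map[string]Object
}

// Policy maps a ref namespace prefix to the signers allowed to write under it
// (a stand-in for a gittuf rule; hypothetical, not gittuf's policy format).
type Policy map[string][]string

// lookup picks the longest prefix that matches the ref, so the policy for the
// ref being verified is the one applied to every object it resolves to.
func (p Policy) lookup(ref string) []string {
	var best string
	for prefix := range p {
		if strings.HasPrefix(ref, prefix) && len(prefix) > len(best) {
			best = prefix
		}
	}
	return p[best]
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// VerifyRef resolves a ref, peels any annotated tags, and checks each object on
// the way against the policy for that ref. A refs/tags/* ref therefore gets the
// tag object checked first (the "tag entry" path) and then the peeled commit,
// without a separate verify-tag command. It returns the IDs it verified.
func VerifyRef(r Repo, p Policy, ref string) ([]string, error) {
	id, ok := r.Refs[ref]
	if !ok {
		return nil, fmt.Errorf("unknown ref %q", ref)
	}
	allowed := p.lookup(ref)
	var checked []string
	for depth := 0; depth < 8; depth++ { // bound tag-of-tag chains
		obj, ok := r.Objects[id]
		if !ok {
			return checked, fmt.Errorf("dangling object %q", id)
		}
		if !contains(allowed, obj.Signer) {
			return checked, fmt.Errorf("%s: signer %q not authorized for %s", id, obj.Signer, ref)
		}
		checked = append(checked, id)
		if obj.Kind == TagObject {
			id = obj.Target // peel the tag and keep verifying
			continue
		}
		return checked, nil
	}
	return checked, errors.New("tag chain too deep")
}

// SampleRepo builds constructed sample data: a branch, a well-signed tag, and a
// tag signed by an identity the tag policy does not allow.
func SampleRepo() (Repo, Policy) {
	r := Repo{
		Refs: map[string]string{
			"refs/heads/main": "c1",
			"refs/tags/v1.0":  "t1",
			"refs/tags/bad":   "t2",
		},
		Objects: map[string]Object{
			"c1": {Kind: CommitObject, Signer: "alice"},
			"t1": {Kind: TagObject, Target: "c1", Signer: "bob"},
			"t2": {Kind: TagObject, Target: "c1", Signer: "mallory"},
		},
	}
	p := Policy{"refs/heads/": {"alice"}, "refs/tags/": {"alice", "bob"}}
	return r, p
}

func main() {
	r, p := SampleRepo()
	for _, ref := range []string{"refs/heads/main", "refs/tags/v1.0", "refs/tags/bad"} {
		ids, err := VerifyRef(r, p, ref)
		fmt.Printf("%s verified=%v err=%v\n", ref, ids, err)
	}
}
```

Running it verifies `refs/heads/main` as `[c1]`, `refs/tags/v1.0` as `[t1 c1]` (tag entry, then the peeled commit), and rejects `refs/tags/bad` because the tag object's signer is outside the policy for that ref.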