gittuf / gittuf

A security layer for Git repositories
https://gittuf.dev
Apache License 2.0
465 stars 34 forks

Support for verification/attestation of the state of a repo before gittuf is applied #625

Open patzielinski opened 1 month ago

patzielinski commented 1 month ago

Currently, no claims are made about the state of a repository before gittuf was applied. It might be worth looking into how we can support some claim as to the state of the repository pre-gittuf.

stiankri-telenor commented 4 weeks ago

I think this functionality could be useful in several settings:

  1. Onramp before starting to record state in a repo
  2. Verify external contributions before recording them in the RSL
  3. Verify repos outside the control of the verifier (that use Git signatures but not gittuf)

The simplest approach is to verify the signatures against a set of trusted keys. To do better than this, against metadata attacks, we need rules about the expected structure (e.g. require merge commits) and state (known commits and refs). There should be a way to establish trust in keys outside the repository. The same mechanism could be used to set rules and to communicate trusted commits/refs. It might be worth it to have less assurance in order to keep things simple.

Further information on how we are approaching this for gitverify: config, threat model.
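The three checks sketched in the comment above (signatures against an externally trusted key set, a structural rule such as requiring merge commits, and a known tip for the ref) can be expressed as a small policy over plain `git log` output. The following is an added example written for this issue; it is not code from gittuf or gitverify. It assumes the log was produced with `git log --first-parent --format='%H%x1f%P%x1f%G?%x1f%GF%x1f%s' <ref>`, that the trusted fingerprints and expected tips come from outside the repository, and that the sample log, key fingerprints and commit ids are constructed placeholders.

```python
"""Policy check over a Git ref that predates gittuf (added example).

Consumes lines printed by
  git log --first-parent --format='%H%x1f%P%x1f%G?%x1f%GF%x1f%s' <ref>
and enforces three rules: every commit carries a valid signature from a
trusted key, every non-root commit on the first-parent line is a merge
commit, and the ref tip matches a commit id known out of band.
"""
from dataclasses import dataclass

SEP = "\x1f"  # ASCII unit separator, produced by %x1f in the format string

# Assumption: trust anchors live outside the repository (a config file or a
# trusted channel), never inside the repo being checked. Values are constructed.
TRUSTED_KEY_FINGERPRINTS = {
    "1111AAAA2222BBBB3333CCCC4444DDDD5555EEEE",  # constructed: maintainer A
    "6666FFFF7777000088881111999922220000AAAA",  # constructed: maintainer B
}
EXPECTED_TIPS = {
    "refs/heads/main": "a" * 40,  # constructed commit id for the known tip
}

# %G? statuses that mean the signature itself verified. "U" is a good signature
# whose key has no validity in the local gpg trust database; it is accepted here
# because trust is decided by TRUSTED_KEY_FINGERPRINTS, not by gpg's trustdb.
VALID_SIGNATURE_STATUSES = {"G", "U"}


@dataclass
class Commit:
    sha: str
    parents: list[str]
    sig_status: str
    key_fingerprint: str
    subject: str


def parse_log(text: str) -> list[Commit]:
    """Parse separator-delimited log lines; the first line is the ref tip."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, parents, status, fpr, subject = line.split(SEP, 4)
        commits.append(Commit(sha, parents.split(), status, fpr.upper(), subject))
    return commits


def check_ref(ref, commits, trusted_keys=TRUSTED_KEY_FINGERPRINTS,
              expected_tips=EXPECTED_TIPS, require_merges=True):
    """Return policy violations for the ref; an empty list means it passes."""
    if not commits:
        return [f"{ref}: no commits to verify"]
    findings = []
    expected = expected_tips.get(ref)
    if expected is None:
        findings.append(f"{ref}: no known tip recorded for this ref")
    elif commits[0].sha != expected:
        findings.append(f"{ref}: tip {commits[0].sha[:12]} != expected {expected[:12]}")
    for c in commits:
        short = c.sha[:12]
        if c.sig_status not in VALID_SIGNATURE_STATUSES:
            findings.append(f"{short}: signature status {c.sig_status!r} is not a valid signature")
        elif c.key_fingerprint not in trusted_keys:
            findings.append(f"{short}: signed by untrusted key {c.key_fingerprint}")
        # Root commits have no parents and are exempt from the merge rule.
        if require_merges and c.parents and len(c.parents) < 2:
            findings.append(f"{short}: direct commit on {ref}; merge commits are required")
    return findings


# Constructed sample log: five first-parent commits, newest first, in the exact
# shape the git command above prints. Commit ids are obviously fake.
SAMPLE_LOG = "\n".join([
    SEP.join(["a" * 40, "b" * 40 + " " + "c" * 40, "G",
              "1111AAAA2222BBBB3333CCCC4444DDDD5555EEEE", "Merge pull request #12"]),
    SEP.join(["b" * 40, "d" * 40 + " " + "e" * 40, "U",
              "6666FFFF7777000088881111999922220000AAAA", "Merge pull request #11"]),
    SEP.join(["d" * 40, "f" * 40 + " " + "1" * 40, "G",
              "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF", "Merge pull request #10"]),
    SEP.join(["f" * 40, "9" * 40, "N", "", "Fix typo"]),
    SEP.join(["9" * 40, "", "G",
              "1111AAAA2222BBBB3333CCCC4444DDDD5555EEEE", "Initial commit"]),
])


def demo():
    """Run the policy over the constructed sample for refs/heads/main."""
    return check_ref("refs/heads/main", parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the sample, the two newest commits pass (good signatures from trusted keys, both merges, tip matches), the third is rejected because its signing key is not in the trusted set, and the fourth is rejected twice: it is unsigned and it is a direct commit on the ref. Replacing the constructed `SAMPLE_LOG` with real output from the `git log` command above is all that is needed to run it against an actual repository.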