notaryproject / notation

A CLI tool to sign and verify artifacts
https://notaryproject.dev/
Apache License 2.0

Check validity of applicable TP and TS before fetching signatures from registry. #790

Open priteshbandi opened 1 year ago

priteshbandi commented 1 year ago

Context: https://github.com/notaryproject/notation/pull/771#issuecomment-1731705600

Currently, the signature verification process in Notation involves fetching the signature and subsequently validating the trust store's validity. However, this method has the following concerns:

  1. The error messages provided to users in case of verification failure are not very user-friendly. (Refer to the link above for examples)
  2. If either the Trust Store (TS) or Trust Policy (TP) is malformed, signature validation will always fail. This renders the fetching and validation of signatures unnecessary. Essentially, we're advocating for fast fail.

Ambiguous Specification

Presently, there exist specifications that introduce a conflicting requirement. In one instance, we state that before commencing signature verification both the TS and TP should be valid, while in another this is not explicitly emphasized.

Recommended Solution

  1. Amend the specification to state: "User has configured a valid trust store and trust policy."
  2. Make a code change to validate the relevant TS and TP before obtaining the signature. Here, 'relevant' refers to the TP and TS identified for a specific scope.
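The ordering proposed in the recommended solution, as an added example that is not notation's own code: a hypothetical, simplified trust policy model (TrustPolicy, Document, StoreLookup and the fetch callback are all assumptions standing in for notation's real trust policy types, trust store directory and registry client) in which the scope-specific policy and its trust stores are validated before any signature fetch happens, so a malformed configuration fails with a configuration error and no registry round trip.

```go
package main

import (
	"fmt"
	"strings"
)

// TrustPolicy is a hypothetical, simplified stand-in for one statement in trustpolicy.json.
type TrustPolicy struct {
	Name              string
	RegistryScopes    []string // repositories, or "*" for a global policy
	VerificationLevel string   // "strict", "permissive", "audit" or "skip"
	TrustStores       []string // "<type>:<name>", e.g. "ca:acme"
	TrustedIdentities []string // "*" or subject constraints
}

// Document is the hypothetical trust policy document holding all statements.
type Document struct {
	TrustPolicies []TrustPolicy
}

// StoreLookup stands in for checking that a trust store exists on disk (assumed helper).
type StoreLookup func(storeType, name string) bool

var validLevels = map[string]bool{"strict": true, "permissive": true, "audit": true, "skip": true}

// repository strips the tag or digest from an artifact reference, keeping a registry port.
func repository(ref string) string {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		ref = ref[:i]
	}
	return ref
}

// ApplicablePolicy picks the statement whose scope matches the artifact's repository,
// preferring an exact scope over the "*" wildcard.
func ApplicablePolicy(doc *Document, ref string) (*TrustPolicy, error) {
	repo := repository(ref)
	var wildcard *TrustPolicy
	for i := range doc.TrustPolicies {
		p := &doc.TrustPolicies[i]
		for _, scope := range p.RegistryScopes {
			switch scope {
			case repo:
				return p, nil
			case "*":
				wildcard = p
			}
		}
	}
	if wildcard != nil {
		return wildcard, nil
	}
	return nil, fmt.Errorf("no trust policy is applicable to %q", ref)
}

// ValidatePolicy runs every check that can fail without touching the registry.
func ValidatePolicy(p *TrustPolicy, lookup StoreLookup) error {
	if !validLevels[p.VerificationLevel] {
		return fmt.Errorf("trust policy %q: unknown verification level %q", p.Name, p.VerificationLevel)
	}
	if p.VerificationLevel == "skip" {
		return nil // nothing is verified, so stores and identities are irrelevant
	}
	if len(p.TrustStores) == 0 || len(p.TrustedIdentities) == 0 {
		return fmt.Errorf("trust policy %q: trust stores and trusted identities are required", p.Name)
	}
	for _, ts := range p.TrustStores {
		typ, name, ok := strings.Cut(ts, ":")
		if !ok || typ == "" || name == "" {
			return fmt.Errorf("trust policy %q: malformed trust store %q, expected <type>:<name>", p.Name, ts)
		}
		if !lookup(typ, name) {
			return fmt.Errorf("trust policy %q: trust store %q does not exist", p.Name, ts)
		}
	}
	return nil
}

// Verify applies the proposed ordering: policy and trust store checks first, registry
// round trip (fetch, an assumed stand-in for the real call) only if they pass.
func Verify(doc *Document, ref string, lookup StoreLookup, fetch func(string) ([]string, error)) ([]string, error) {
	p, err := ApplicablePolicy(doc, ref)
	if err != nil {
		return nil, err
	}
	if err := ValidatePolicy(p, lookup); err != nil {
		return nil, fmt.Errorf("invalid configuration, signatures not fetched: %w", err)
	}
	if p.VerificationLevel == "skip" {
		return nil, nil
	}
	return fetch(ref)
}
```

Wrapping the configuration failure in its own error prefix is what makes the message user-friendly: the caller sees "invalid configuration" and the offending policy or store name rather than a signature verification failure that happens to have a configuration cause, and a counter on the fetch callback is the simplest way to prove in a test that the registry was never contacted.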

github-actions[bot] commented 6 months ago

This issue is stale because it has been opened for 60 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days.