notaryproject / roadmap

Roadmap for Notary Project

Signature Verification process #19

Closed iamsamirzon closed 2 years ago

iamsamirzon commented 2 years ago

Summary
Cover the Trust Store and Trust Policy usage.

Intended Outcome
The specification PR is merged.

Additional context
This is in the baseline implementation for the alpha release, but we need to ensure the specification is well defined. It should support verifying any registry artifact, such as SBOMs and vulnerability scan results.

iamsamirzon commented 2 years ago

Question: Should Notation allow the use of standard trust stores available on operating systems?

priteshbandi commented 2 years ago

PR for workflow: https://github.com/notaryproject/notaryproject/pull/122

Question: Should Notation allow the use of standard trust stores available on operating systems?

IMO the better approach would be to have a list of publicly trusted code-signing certificates and allow the user to use that. If required, we can add support for trusting code-signing certificates in the OS trust store.
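An added example, in Go, of the design this comment argues for: an explicit trust store of code-signing roots that is consulted instead of the operating system's certificate store, with the signer additionally required to carry the codeSigning extended key usage. This is not Notation's own code and is not part of the thread; the function names (`VerifyArtifact`, `Sign`, `Scenario`, `newCert`, `must`), the certificates generated at run time and the SBOM-like payload are all constructed for the example, and the real Notation trust policy format is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must unwraps (value, error) pairs for the constructed certificates in this example.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var nextSerial int64 // distinct serial numbers for the constructed certificates

// newCert issues a constructed P-256 certificate; with a nil parent it is self-signed.
func newCert(cn string, isCA bool, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	issuer, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuer, issuerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der)), key
}

// Sign produces an ECDSA (ASN.1) signature over the SHA-256 digest of the artifact.
func Sign(artifact []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyArtifact accepts the artifact only if the signing certificate chains to the
// explicit trust store, is valid for the codeSigning EKU, and the signature matches.
// The OS certificate store is never consulted: a non-nil Roots pool replaces it.
func VerifyArtifact(trustStore *x509.CertPool, artifact, sig []byte, signer *x509.Certificate) error {
	opts := x509.VerifyOptions{
		Roots:     trustStore,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("signer not trusted for code signing: %w", err)
	}
	// CheckSignature hashes the artifact with SHA-256 and verifies it with the cert's key.
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, artifact, sig); err != nil {
		return fmt.Errorf("signature does not match artifact: %w", err)
	}
	return nil
}

// Scenario signs one constructed artifact with three different certificates and returns
// each result: chained to the trusted root (nil), chained to a root outside the store,
// and chained to the trusted root but lacking the codeSigning EKU.
func Scenario() (trusted, untrusted, wrongEKU error) {
	artifact := []byte(`{"constructed":"sample SBOM bytes"}`) // constructed payload
	codeSigning := []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	goodRoot, goodRootKey := newCert("Trusted Code-Signing Root", true, nil, nil, nil)
	otherRoot, otherRootKey := newCert("Some Other Root", true, nil, nil, nil)
	trustStore := x509.NewCertPool() // the explicit list; only goodRoot is trusted
	trustStore.AddCert(goodRoot)

	run := func(root *x509.Certificate, rootKey *ecdsa.PrivateKey, eku []x509.ExtKeyUsage) error {
		leaf, leafKey := newCert("artifact signer", false, eku, root, rootKey)
		sig := must(Sign(artifact, leafKey))
		return VerifyArtifact(trustStore, artifact, sig, leaf)
	}
	trusted = run(goodRoot, goodRootKey, codeSigning)
	untrusted = run(otherRoot, otherRootKey, codeSigning)
	wrongEKU = run(goodRoot, goodRootKey, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	return trusted, untrusted, wrongEKU
}

func main() {
	trusted, untrusted, wrongEKU := Scenario()
	fmt.Println("trusted signer:   ", trusted)
	fmt.Println("unknown root:     ", untrusted)
	fmt.Println("serverAuth only:  ", wrongEKU)
}
```

The point to take from the three outcomes is that trust is decided by the pool handed to `VerifyOptions.Roots` plus the EKU check, not by what happens to be installed on the host; adding OS trust-store support later, as the comment suggests, would mean merging system roots into that pool deliberately rather than inheriting them by default.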

iamsamirzon commented 2 years ago

This related PR for public signature is part of the signature verification process: https://github.com/notaryproject/notaryproject/pull/132

The above PR can be closed independently in notaryproject as a standalone item. It is not a blocker for closing this roadmap item.

iamsamirzon commented 2 years ago

@SteveLasker - This is ready to be closed now that https://github.com/notaryproject/notaryproject/pull/122 is merged.