notaryproject / tuf

The Update Framework for OCI Registries

Add signature for digest #30

Open mnm678 opened 2 years ago

mnm678 commented 2 years ago

This PR prototypes adding signatures from the delegated targets metadata using the digest of the artifact.

The final version of this PR will rely on #25, so that the user can do the full workflow (delegate to a repository, upload signature to the repository), but for now it adds the signature to the top-level TUF repo.

sudo-bmitch commented 2 years ago

Are there any cases where we would need to sign annotations in the descriptor from TUF, or will that always be a layer below, in the manifest that we point to?

I'm still wrapping my head around this, so I'm working through the pros and cons of signing a user provided byte array vs marshalling the json ourselves. Including additional fields in the json using a user provided byte array is a big possible factor.

mnm678 commented 2 years ago

> Are there any cases where we would need to sign annotations in the descriptor from TUF, or will that always be a layer below, in the manifest that we point to?
>
> I'm still wrapping my head around this, so I'm working through the pros and cons of signing a user provided byte array vs marshalling the json ourselves. Including additional fields in the json using a user provided byte array is a big possible factor.

Are the annotations included in the digest? If so they are signed by this.

In general, I'd be open to instead including the full descriptor in the custom metadata. My main reason for re-building it here was simplicity, but I imagine the registry libraries have an easy way to access the descriptor. I'll look into it.
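To make the question above concrete, here is an added example (not the project's code) that builds a simplified TUF targets entry for an OCI manifest and compares what gets signed under the two approaches discussed: keying only on the digest versus carrying the full descriptor in custom metadata and marshalling it ourselves. The `Descriptor` and `TargetEntry` shapes and the `NewTargetEntry` / `SignedPayload` helpers are assumptions for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// Descriptor holds the OCI descriptor fields relevant to the discussion (minimal, constructed here).
type Descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Size        int64             `json:"size"`
	Annotations map[string]string `json:"annotations,omitempty"`
}
// TargetEntry is a simplified TUF targets entry (hypothetical shape, not the project's types):
// keyed by the artifact digest, with optional custom metadata carrying the full descriptor.
type TargetEntry struct {
	Length int64             `json:"length"`
	Hashes map[string]string `json:"hashes"`
	Custom *Descriptor       `json:"custom,omitempty"`
}

// DigestOf computes the content digest a registry assigns to raw manifest bytes.
// Descriptor annotations live outside these bytes, so they never change the digest.
func DigestOf(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}
// NewTargetEntry builds the entry to be signed. With includeDescriptor the annotations
// become part of the signed payload; otherwise only length and digest are covered.
func NewTargetEntry(manifest []byte, annotations map[string]string, includeDescriptor bool) TargetEntry {
	d := DigestOf(manifest)
	e := TargetEntry{Length: int64(len(manifest)), Hashes: map[string]string{"sha256": d[len("sha256:"):]}}
	if includeDescriptor {
		e.Custom = &Descriptor{MediaType: "application/vnd.oci.image.manifest.v1+json",
			Digest: d, Size: int64(len(manifest)), Annotations: annotations}
	}
	return e
}

// SignedPayload marshals the entry ourselves instead of accepting user-provided bytes: encoding/json
// writes struct fields in declaration order and sorts map keys, so no extra fields can be smuggled in.
func SignedPayload(e TargetEntry) ([]byte, error) { return json.Marshal(e) }
// AnnotationsAffectPayload reports whether changing one annotation changes the signed bytes.
func AnnotationsAffectPayload(manifest []byte, includeDescriptor bool) bool {
	a, _ := SignedPayload(NewTargetEntry(manifest, map[string]string{"org.opencontainers.image.ref.name": "v1"}, includeDescriptor))
	b, _ := SignedPayload(NewTargetEntry(manifest, map[string]string{"org.opencontainers.image.ref.name": "v2"}, includeDescriptor))
	return string(a) != string(b)
}
```

With a digest-only entry, two descriptors that differ only in annotations produce identical signed bytes; with the descriptor included, the annotations are covered by the signature.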