ratify-project / ratify

Artifact Ratification Framework
https://ratify.dev
Apache License 2.0

Add support for Notary Project timestamped signature #1222

Closed yizha1 closed 2 weeks ago

yizha1 commented 9 months ago

What would you like to be added?

Time-stamping (https://www.rfc-editor.org/rfc/rfc3161) extends the trust of a signature beyond the validity period of a certificate. If a container image was signed before the expiry of the corresponding certificate, with the support of Time-stamping, the authenticity and integrity of the image can still be ensured. Without the support of Time-stamping, if the certificate expires, the verification will fail. The signer can re-sign the image with a new key/certificate; however, this will cause usability issues and a waste of resources since it is not necessary.

This issue is to ask for the support for Notary Project timestamped signature.

Anything else you would like to add?

No response

Are you willing to submit PRs to contribute to this feature?
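The behaviour described in the issue above, as an added example (not part of the issue, and not Ratify or notation-go code): Go's standard `crypto/x509` evaluates a certificate's validity period at `VerifyOptions.CurrentTime`, so a verifier holding a trusted signing time can check the certificate as of that time instead of now. The certificate, trust store and timestamp value are constructed, and the timestamp is assumed to have been verified already against a trusted TSA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSigningCert returns a constructed self-signed signer certificate valid only in [notBefore, notAfter].
func newSigningCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-signer"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// certValidAt checks cert as of time at: a verifier passes the time from an
// already-verified timestamp when the signature has one, else the current time.
func certValidAt(cert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // constructed trust store: the signer's own certificate
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

func main() {
	now := time.Now()
	cert, err := newSigningCert(now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0)) // expired a year ago
	if err != nil {
		panic(err)
	}
	fmt.Println("no timestamp, checked now:", certValidAt(cert, now))
	fmt.Println("checked at timestamped time:", certValidAt(cert, now.AddDate(-1, -6, 0)))
}
```

Checked at the current time, the certificate is rejected as expired; checked at the constructed timestamped time, which falls inside its validity period, it is accepted.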

yizha1 commented 6 months ago

@susanshi I would suggest planning this issue for v1.3.0

junczhu commented 3 weeks ago

Todos: