Closed MarkLodato closed 3 years ago
First question: should this be specific to in-toto (and thus move this issue to that repo) or should this be generic for all signed messages (and just stay here).
I propose leaving it here.
Proposal:
I propose moving it to the new https://github.com/in-toto/attestation. The only use case we know of is attestations, so my inclination is to keep it specific until we know that we need a more general solution.
Counterpoint to Tom's #2: I believe there is value in having the Bundle be independent of the Envelope. The Bundle could then wrap any type of envelope and indicate its type.
(See https://github.com/slsa-framework/slsa-controls/blob/main/attestations.md for Bundle vs Envelope)
In the interest of keeping this signing spec as simple as possible, I'm going to move this issue now.
We need a data structure and file naming convention to associate multiple signed messages to a single software artifact.
Motivating use case: in-toto
Suppose file `foo.out` is associated with two links, both of which are required by the layout of `foo.out`:

- `foo.out` was produced from material `foo.c`.
- `foo.out` is free of known vulnerabilities.

The build system and the scanner need to know where to place the links on the filesystem, and the verifier needs to know how to find those links when evaluating `foo.out`.

Suggested strategy
foo.out.sig
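Added example, not code from the thread, from signing-spec or from in-toto: a sketch of what "multiple signed messages associated with one artifact" looks like once the Bundle is kept independent of the Envelope (each envelope carries its own `payloadType`, so the bundle can hold any envelope format). Everything concrete here is an assumption: the sidecar path `<artifact>.sig`, the JSON layout `{"envelopes": [...]}`, the two payload-type strings, and HMAC-SHA256 as a stand-in for a real signature so it runs offline. The verifier side shows the check a practitioner cares about: a required link that is missing or fails verification is an error, not a silent pass.

```python
"""Added example: a sidecar bundle holding several signed envelopes for one artifact.

Assumptions (not from the thread): the bundle for artifact X lives at X + ".sig",
is a JSON object {"envelopes": [...]}, each envelope carries a payloadType string
so the bundle stays independent of any one envelope format, and signatures are
HMAC-SHA256 stand-ins so the example runs offline without a real key pair.
"""
import base64
import hashlib
import hmac
import json
import os
import tempfile

# Hypothetical payload types; the thread names the two links but not their identifiers.
BUILD_LINK = "application/vnd.example.build-link+json"
SCAN_LINK = "application/vnd.example.scan-result+json"


def bundle_path(artifact_path):
    """Sidecar naming convention assumed here: '<artifact>.sig' beside the artifact."""
    return artifact_path + ".sig"


def pae(payload_type, payload):
    """Pre-authentication encoding modelled on DSSE's PAE: the type and both lengths
    are bound into the signed bytes, so an envelope cannot be replayed as another type."""
    pt = payload_type.encode()
    return (b"DSSEv1 " + str(len(pt)).encode() + b" " + pt + b" "
            + str(len(payload)).encode() + b" " + payload)


def sign_envelope(key, payload_type, payload):
    """Producer side (build system or scanner). HMAC stands in for a signature."""
    sig = hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "example-key", "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(key, env):
    """Return the payload bytes if any signature verifies, else raise."""
    payload = base64.b64decode(env["payload"])
    expected = hmac.new(key, pae(env["payloadType"], payload), hashlib.sha256).digest()
    for s in env["signatures"]:
        if hmac.compare_digest(base64.b64decode(s["sig"]), expected):
            return payload
    raise ValueError("no valid signature on envelope of type " + env["payloadType"])


def write_bundle(artifact_path, envelopes):
    """Both producers append to the same sidecar; the bundle does not care what kind
    of envelope each entry is, only that it is tagged with a payloadType."""
    with open(bundle_path(artifact_path), "w") as f:
        json.dump({"envelopes": envelopes}, f)


def load_links(artifact_path, key, required_types):
    """Verifier side: find the bundle beside the artifact, verify every envelope whose
    type the layout requires, and fail if any required link is absent or invalid."""
    with open(bundle_path(artifact_path)) as f:
        bundle = json.load(f)
    found = {}
    for env in bundle["envelopes"]:
        t = env["payloadType"]
        if t in required_types:
            found[t] = json.loads(verify_envelope(key, env))
    missing = set(required_types) - set(found)
    if missing:
        raise ValueError("artifact lacks required links: " + ", ".join(sorted(missing)))
    return found


def _make_artifact():
    """Constructed scenario from the issue text: foo.out with its two links."""
    key = b"shared-demo-key"
    artifact = os.path.join(tempfile.mkdtemp(), "foo.out")
    with open(artifact, "wb") as f:
        f.write(b"binary")
    digest = hashlib.sha256(b"binary").hexdigest()
    build = json.dumps({"product": "foo.out", "sha256": digest, "materials": ["foo.c"]}).encode()
    scan = json.dumps({"product": "foo.out", "sha256": digest, "known_vulns": 0}).encode()
    return key, artifact, build, scan


def demo():
    """Happy path: both links present and verified."""
    key, artifact, build, scan = _make_artifact()
    write_bundle(artifact, [sign_envelope(key, BUILD_LINK, build),
                            sign_envelope(key, SCAN_LINK, scan)])
    links = load_links(artifact, key, {BUILD_LINK, SCAN_LINK})
    return links[BUILD_LINK]["materials"], links[SCAN_LINK]["known_vulns"]


def demo_missing_scan():
    """Failure mode: the scanner never wrote its link, so verification must fail."""
    key, artifact, build, _ = _make_artifact()
    write_bundle(artifact, [sign_envelope(key, BUILD_LINK, build)])
    try:
        load_links(artifact, key, {BUILD_LINK, SCAN_LINK})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), demo_missing_scan())
```

The point of routing every required type through `load_links` is that the verifier never has to guess which of several sidecar files belongs to which step; one bundle per artifact, each entry self-describing, and the layout's list of required types drives the check.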