sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Consider separating Signature vs. Attestation at the Interface level. #931

Open vaikas opened 2 years ago

vaikas commented 2 years ago

Description

As I was ramping up on #930 and #919 I found it a bit confusing that both Signature and Attestation are treated as Signature, even though they actually behave differently. I tried to clarify in the documentation to hopefully help other newcomers (or maybe it was just me :) ), but that led me to think that, given that there are some codepaths where these are treated differently in the code, we might want to consider separating the Interface as well. Just a thought.

mattmoor commented 2 years ago

Yeah, I'm +1 on this. I'd hope to reach this point with #666 but was concerned that it would require divergence in signing and verification flows. Given the bugs we found (and you are fixing) I'm thinking that having them shared is more trouble (and confusion) than it is worth.

I'm thinking of having Signature, which carries the signature annotations, and Attestation, which is more strongly oriented around DSSE and does not (the payload is the signature).

cc @dekkagaijin @dlorenc

dlorenc commented 2 years ago

+1, a Verifiable (?) interface could make sense. We could add support for other signature types as well.
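An added example (not cosign's own code) of the distinction the two comments above describe: a plain signature covers the raw payload bytes and is carried beside them, whereas a DSSE attestation's signature covers the envelope's pre-authentication encoding, so checking the same bytes through the plain-signature path fails. Types, the `Verifier` interface and the in-toto-style payload are constructed for illustration; only the DSSE v1 PAE layout and the ed25519 primitives are standard.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signature: the signature is over the raw payload and travels alongside it
// (cosign keeps it in a layer annotation; here it is just a field).
type Signature struct {
	Payload []byte
	Sig     []byte
}

// Attestation: a DSSE envelope. The signature covers PAE(payloadType, payload),
// never the bare payload, so it cannot share the Signature verification path.
type Attestation struct {
	PayloadType string
	Payload     []byte
	Sig         []byte
}

// pae builds the DSSE v1 pre-authentication encoding:
// "DSSEv1 <len(type)> <type> <len(body)> <body>".
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Verifier is the one thing both kinds share (the "Verifiable" idea above).
type Verifier interface{ Verify(pub ed25519.PublicKey) bool }

func (s Signature) Verify(pub ed25519.PublicKey) bool { return ed25519.Verify(pub, s.Payload, s.Sig) }

func (a Attestation) Verify(pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, pae(a.PayloadType, a.Payload), a.Sig)
}

func SignPayload(priv ed25519.PrivateKey, body []byte) Signature {
	return Signature{Payload: body, Sig: ed25519.Sign(priv, body)}
}

func SignAttestation(priv ed25519.PrivateKey, t string, body []byte) Attestation {
	return Attestation{PayloadType: t, Payload: body, Sig: ed25519.Sign(priv, pae(t, body))}
}

// Demo returns (attestation verifies via DSSE, same bytes verify as a plain Signature).
func Demo() (attOK, asPlainSigOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	body := []byte(`{"_type":"https://in-toto.io/Statement/v0.1"}`) // constructed payload
	att := SignAttestation(priv, "application/vnd.in-toto+json", body)
	attOK = att.Verify(pub)
	asPlainSigOK = Signature{Payload: att.Payload, Sig: att.Sig}.Verify(pub)
	return
}

func main() {
	a, b := Demo()
	fmt.Println("DSSE verify:", a, "| as plain signature:", b)
}
```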