sigstore / sget-rs

sget is a keyless safe script retrieval and execution tool
Apache License 2.0

Retrieve and validate root policy #4

Open lukehinds opened 3 years ago

lukehinds commented 3 years ago

We will need to retrieve the root policy from the OCI registry namespace:

ghcr.io/lukehinds/widgets/root-policy

The root policy will require:

If the above are true, we need to parse out the maintainers' certs for the next operation, which will be to verify the blob (or script in the case of sget).

cc @jyotsna-penumaka @asraa @lkatalin

lukehinds commented 3 years ago

Rust OCI registry crate https://crates.io/crates/oci-distribution

lkatalin commented 3 years ago