haydentherapper
commented
1 month ago We plan to deprecate support for detached SCTs - https://github.com/sigstore/fulcio/issues/1499
The reason is that we have no way to store SCTs currently, so detached SCTs are only checked during signing and not during verification in Cosign. There is also only one signing backend, GCP CA Service, that wouldn’t support embedding SCTs.
I’d recommend we just drop support for verifying detached SCTs during signing in Cosign rather than add support here. Most (all?) other clients don’t support them either.
cmurphy
Description
Currently sigstore-go assumes that an SCT is embedded in a leaf certificate:
https://github.com/sigstore/sigstore-go/blob/8a157abeb24ede579c0e9f65520e064f53f6a682/pkg/verify/sct.go#L36
Fulcio may return either an embedded SCT or a detached SCT in a response header:
https://github.com/sigstore/fulcio/blob/main/docs/ctlog.md#signed-certificate-timestamp-sct
Cosign supports both cases. In order to enable integration of sigstore-go's SCT verification into cosign, which would allow cosign to reuse sigstore-go's excellent TUF trusted root support (described here), it would be nice if sigstore-go provided a way to supply an SCT alongside, rather than embedded in, a certificate.