After signing, the clients MUST verify the signature (see Sigstore client spec). 2.
Client library interfaces SHOULD allow callers to specify an identity (and other verification parameters) to use for this verification.
I'm going to be a bit lazy (sorry) and rather than inspecting every client library by hand, just ask whether you're doing the these and, if not, whether you all agree with these recommendations.
In the Sigstore clients special interest group meeting today, we discussed an issue with the release signatures on CPython.
We have two recommendations for client libraries:
I'm going to be a bit lazy (sorry) and rather than inspecting every client library by hand, just ask whether you're doing the these and, if not, whether you all agree with these recommendations.