Closed woodruffw closed 5 months ago
This sounds very much like I was imagining it. Thanks for writing this down.
The main obstacle to implementation are the legacy CLI flags... I wonder if we could workaround that by modifying the TrustedRoot in _cli.py
: So we change all of the actual APIs to work with TrustedRoot only and then inside _cli.py
we just somehow produce a reasonable TrustedRoot from the arguments we're given.
The main obstacle to implementation are the legacy CLI flags... I wonder if we could workaround that by modifying the TrustedRoot in
_cli.py
: So we change all of the actual APIs to work with TrustedRoot only and then inside_cli.py
we just somehow produce a reasonable TrustedRoot from the arguments we're given.
Yeah, that's what I was thinking as well! I'm also not opposed to violently ripping those legacy flags out 😉
@javanlacerda would you be interested in taking a stab at this? If not, I can set aside some time for it (otherwise I'll be working on DSSE verification support).
@javanlacerda would you be interested in taking a stab at this? If not, I can set aside some time for it (otherwise I'll be working on DSSE verification support).
Sure!!! I'll go on it asap
sigstore-python's internal key management is currently a bit of a mess. The following parties are at play:
Now, the status quo:
RekorClient
has_ct_keyring
and_rekor_keyring
members, representing the CTFE and Rekor keyrings respectively as loaded from the trust root. The latter makes a little sense; the former makes no sense (since CTFE has nothing to do with Rekor).FulcioClient
has no keyrings or certificate pools internally.Now, a solution:
We should keep key management entirely within the
TrustedRoot
and its APIs. In practice, that means thatTrustedRoot
should have APIs roughly like the following:...and so forth. The
disposition
kwarg is pretty ugly; we just need some way to differentiate between the set of keys that are valid in each context.SigningContext
andVerifier
should probably take aTrustedRoot
directly.RekorClient
should have no key material within it at all.CC @jku for thoughts.