Open znewman01 opened 1 year ago
Thanks for having reached out. We do not perform a verification after the signature is created.
The question is, should this be done inside of the low-level library (like sigstore-rs) or should this be done by the author of a third-party sigstore client that is built with Rust and sigstore-rs?
To be more concrete, let's imagine the use case of extending cargo so that when publishing a crate the developer can also sign the release using sigstore. Should the verification be done inside of the cargo codebase, or should it be done by sigstore-rs when some parameters are given to the "create signature" API?
I see pros and cons with both approaches. Is there some consensus among the other libraries implementing the sigstore spec?
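To make the trade-off concrete, here is an added example (not sigstore-rs or cargo code, and written in Go rather than Rust so it runs on the standard library's ed25519 alone): a hypothetical create-signature API that takes a verify-after-signing parameter, plus a constructed defective signer that the check catches before the signature is ever returned to the caller. `Signer`, `CreateSignature`, `GoodSigner` and `BrokenSigner` are all assumed names for this illustration.

```go
package main
import (
	"crypto/ed25519"
	"errors"
	"fmt"
)
// Signer is the minimal interface the wrapper needs (hypothetical; not sigstore-rs's API).
type Signer interface {
	Sign(msg []byte) ([]byte, error)
	PublicKey() ed25519.PublicKey
}
var ErrSignatureDidNotVerify = errors.New("freshly created signature does not verify; refusing to return it")
// CreateSignature signs msg and, when verifyAfterSigning is set, checks the result with the signer's own key first.
func CreateSignature(s Signer, msg []byte, verifyAfterSigning bool) ([]byte, error) {
	sig, err := s.Sign(msg)
	if err != nil {
		return nil, err
	}
	if verifyAfterSigning && !ed25519.Verify(s.PublicKey(), msg, sig) {
		return nil, ErrSignatureDidNotVerify
	}
	return sig, nil
}
// GoodSigner is a correct ed25519 signer with a freshly generated key.
type GoodSigner struct{ priv ed25519.PrivateKey }
func NewGoodSigner() GoodSigner {
	_, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	return GoodSigner{priv: priv}
}
func (g GoodSigner) Sign(m []byte) ([]byte, error)  { return ed25519.Sign(g.priv, m), nil }
func (g GoodSigner) PublicKey() ed25519.PublicKey { return g.priv.Public().(ed25519.PublicKey) }
// BrokenSigner models a constructed client bug: it signs a stale copy of the payload (trailing newline),
// so the signature does not cover the bytes that actually get published.
type BrokenSigner struct{ GoodSigner }
func (b BrokenSigner) Sign(m []byte) ([]byte, error) {
	return ed25519.Sign(b.priv, append(append([]byte{}, m...), '\n')), nil
}
func main() {
	msg := []byte("constructed release artifact digest")
	for _, s := range []Signer{NewGoodSigner(), BrokenSigner{NewGoodSigner()}} {
		_, err := CreateSignature(s, msg, true)
		fmt.Printf("%T: err=%v\n", s, err)
	}
}
```

With the flag off, the broken signer's output is handed back silently, which is the situation a client-side check is meant to prevent.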
In the Sigstore clients special interest group meeting today, we discussed an issue with the release signatures on CPython.
We have two recommendations for client libraries:
I'm going to be a bit lazy (sorry) and rather than inspecting every client library by hand, just ask whether you're doing these and, if not, whether you all agree with these recommendations.