sigstore / sigstore-rs

An experimental Rust crate for sigstore
https://sigstore.github.io/sigstore-rs/sigstore/
Apache License 2.0

cosign/tuf: use trustroot #305

Closed jleightcap closed 10 months ago

jleightcap commented 11 months ago

Summary

Towards #280, adapt Cosign and TUF to use trustroot.

As a roadmap, this PR is structured:

Release Note

The method of constructing a Repository with out-of-band trust materials (from Rekor public key and Fulcio certificate) has changed. See Cosign's verify example: https://github.com/sigstore/sigstore-rs/blob/a536beaa6c393e85e07f1d54cf01a4c7b2ec0258/examples/cosign/verify/main.rs#L231-L265

And the signature verification documentation: https://github.com/sigstore/sigstore-rs/blob/8a269a304c3b3ed1c3a6c89e4a6a88f9af22598a/src/lib.rs#L83-L103

Documentation

jleightcap commented 11 months ago

@woodruffw and @tnytown mentioned some ownership design considerations that I'm not sure I fully understood. A closer look at some lifetime choices e.g. https://github.com/sigstore/sigstore-rs/blob/559673c16ec13ecb27f1b067b0f4fffad675c8a4/src/cosign/client_builder.rs#L55-L62 would be fantastic.

woodruffw commented 11 months ago

> @woodruffw and @tnytown mentioned some ownership design considerations that I'm not sure I fully understood. A closer look at some lifetime choices e.g.

@tnytown can confirm, but I believe the question was whether it makes sense to allow the interior 'a lifetime on CertificateDer<'a> to "cascade" throughout the refactor. The alternative would be to create an OwnedCertificateDer wrapper that maintains a self-reference, using a crate like self_cell.

This is exactly what PyCA Cryptography does, turning a Certificate<'a> into an OwnedCertificate:

https://github.com/pyca/cryptography/blob/4c07d8eb289aaa0fbcdbcf370724122905fade02/src/rust/src/x509/certificate.rs#L29C1-L36

Whether or not this actually makes sense to do, however, is ultimately a design question. If the sigstore-rs maintainers are okay with the lifetime, then it probably doesn't make sense to do 🙂
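The two options discussed above (letting `'a` cascade through every holder of the trust material versus an owned wrapper), as an added example that is not code from the PR or from sigstore-rs. The `CertificateDer<'a>` here is a stand-in struct constructed for the example, and the owned wrapper stores a `Vec<u8>` and reborrows on demand instead of using a `self_cell` self-reference; both approaches remove the lifetime from the public type.

```rust
// Stand-in for the borrowed DER certificate type (constructed for this
// example; the real CertificateDer<'a> comes from the crate's dependencies).
#[derive(Debug, Clone, PartialEq)]
pub struct CertificateDer<'a>(pub &'a [u8]);

/// Option 1: the lifetime cascades. Every holder of the trust material is
/// generic over 'a, so the DER buffer must outlive the client that uses it.
pub struct TrustRootRef<'a> {
    pub fulcio_certs: Vec<CertificateDer<'a>>,
}

pub struct ClientRef<'a> {
    trust: TrustRootRef<'a>,
}

impl<'a> ClientRef<'a> {
    pub fn new(trust: TrustRootRef<'a>) -> Self { Self { trust } }
    pub fn cert_count(&self) -> usize { self.trust.fulcio_certs.len() }
}

/// Option 2: an owned wrapper (assumed name). The bytes are owned, and a
/// borrowed CertificateDer is produced on demand, so holders need no lifetime.
pub struct OwnedCertificateDer(Vec<u8>);

impl OwnedCertificateDer {
    pub fn from_der(der: &CertificateDer<'_>) -> Self { Self(der.0.to_vec()) }
    pub fn as_der(&self) -> CertificateDer<'_> { CertificateDer(&self.0) }
}

pub struct OwnedClient {
    fulcio_certs: Vec<OwnedCertificateDer>,
}

impl OwnedClient {
    pub fn from_borrowed(trust: &TrustRootRef<'_>) -> Self {
        let fulcio_certs = trust.fulcio_certs.iter().map(OwnedCertificateDer::from_der).collect();
        Self { fulcio_certs }
    }
    pub fn cert_count(&self) -> usize { self.fulcio_certs.len() }
    pub fn first_cert(&self) -> Option<CertificateDer<'_>> {
        self.fulcio_certs.first().map(OwnedCertificateDer::as_der)
    }
}

/// The practical difference: the owned client can be returned after the
/// buffer it was built from is dropped; a ClientRef<'_> borrowing `temp`
/// could not be returned from this function.
pub fn build_owned_from_temp() -> OwnedClient {
    let temp: Vec<u8> = vec![0x30, 0x03, 0x02, 0x01, 0x05]; // constructed bytes, not a real cert
    let trust = TrustRootRef { fulcio_certs: vec![CertificateDer(&temp)] };
    OwnedClient::from_borrowed(&trust)
}
```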