Closed jleightcap closed 10 months ago
@woodruffw and @tnytown mentioned some ownership design considerations that I'm not sure I fully understood. A closer look at some lifetime choices e.g. https://github.com/sigstore/sigstore-rs/blob/559673c16ec13ecb27f1b067b0f4fffad675c8a4/src/cosign/client_builder.rs#L55-L62 would be fantastic.
@tnytown can confirm, but I believe the question was whether it makes sense to allow the interior 'a lifetime on CertificateDer<'a> to "cascade" throughout the refactor. The alternative would be to create an OwnedCertificateDer wrapper that maintains a self-reference, using a crate like self_cell.
This is exactly what PyCA Cryptography does, turning a Certificate<'a> into an OwnedCertificate:
Whether or not this actually makes sense to do, however, is ultimately a design question. If the sigstore-rs maintainers are okay with the lifetime, then it probably doesn't make sense to do 🙂
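An added illustration of the trade-off discussed in the comment above (not code from this thread, sigstore-rs, or PyCA Cryptography). The types CertView, BorrowingBuilder, OwnedCert and OwningBuilder are hypothetical stand-ins, and the owned wrapper rebuilds its view on demand instead of caching a self-reference the way self_cell would:

```rust
// Hypothetical stand-ins for illustration; not sigstore-rs or rustls-pki-types code.
/// Borrowed view over DER bytes, shaped like `CertificateDer<'a>`.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct CertView<'a>(&'a [u8]);

impl<'a> CertView<'a> {
    /// Minimal check only: a DER certificate starts with a SEQUENCE tag (0x30).
    pub fn parse(der: &'a [u8]) -> Option<Self> {
        (der.first() == Some(&0x30)).then_some(CertView(der))
    }
    pub fn der(&self) -> &'a [u8] { self.0 }
}

/// Option 1: the lifetime cascades. Every type that stores a view needs
/// its own `'a` and cannot outlive the buffer the view borrows from.
pub struct BorrowingBuilder<'a> { certs: Vec<CertView<'a>> }

impl<'a> BorrowingBuilder<'a> {
    pub fn new() -> Self { Self { certs: Vec::new() } }
    pub fn with_cert(mut self, c: CertView<'a>) -> Self { self.certs.push(c); self }
    pub fn count(&self) -> usize { self.certs.len() }
}

/// Option 2: an owned wrapper with no lifetime parameter. It keeps the
/// bytes and hands out a view whose lifetime is tied to `&self`.
pub struct OwnedCert(Vec<u8>);

impl OwnedCert {
    pub fn parse(der: Vec<u8>) -> Option<Self> {
        CertView::parse(&der)?; // validate before taking ownership
        Some(OwnedCert(der))
    }
    pub fn view(&self) -> CertView<'_> { CertView(&self.0) }
}

pub struct OwningBuilder { certs: Vec<OwnedCert> }

/// Returning a `BorrowingBuilder` over `buf` here would not compile,
/// because `buf` is dropped on return; the owning builder has no such tie.
pub fn builder_from_temp_buffer() -> Option<OwningBuilder> {
    let buf = vec![0x30, 0x03, 0x02, 0x01, 0x05]; // constructed DER-like bytes
    Some(OwningBuilder { certs: vec![OwnedCert::parse(buf)?] })
}

fn main() {
    let buf = [0x30u8, 0x00]; // constructed sample; must outlive `borrowed`
    let borrowed = BorrowingBuilder::new().with_cert(CertView::parse(&buf).unwrap());
    let owned = builder_from_temp_buffer().expect("sample parses");
    println!("{} {:?}", borrowed.count(), owned.certs[0].view().der());
}
```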
Summary
Towards #280, adapt Cosign and TUF to use trustroot.
As a roadmap, this PR is structured:
src/tuf/repository_helper.rs.
Repository construction now uses the trustroot, with a FakeRepository option for BYO keys/certs--see release notes.
Release Note
The method of constructing a Repository with out-of-band trust materials (from Rekor public key and Fulcio certificate) has changed. See Cosign's verify example: https://github.com/sigstore/sigstore-rs/blob/a536beaa6c393e85e07f1d54cf01a4c7b2ec0258/examples/cosign/verify/main.rs#L231-L265
And the signature verification documentation: https://github.com/sigstore/sigstore-rs/blob/8a269a304c3b3ed1c3a6c89e4a6a88f9af22598a/src/lib.rs#L83-L103
Documentation