sigstore / sigstore-rs

An experimental Rust crate for sigstore
https://sigstore.github.io/sigstore-rs/sigstore/
Apache License 2.0

Refactor: switch to `ring` library #307

Open flavio opened 10 months ago

flavio commented 10 months ago

Description

A long time ago we moved away from the ring crate to a constellation of pure-rust cryptographic libraries. We did the switch because the ring library did not build for certain architectures (like s390x and webassembly).

This limitation has been addressed by the latest versions of the library. Moreover, we have recently reintroduced the ring dependency to implement TUF trust roots.

Moving back to ring would reduce the list of dependencies we have, making the codebase easier to understand and to maintain.

I think these are the dependencies we should be able to remove:

jleightcap commented 10 months ago

@flavio @lukehinds ToB is willing to pick this up!

flavio commented 9 months ago

@jleightcap: awesome, who should I assign this issue to?

flavio commented 2 weeks ago

Update: rustls now supports two different crypto backends: ring and aws-lc-rs. The latter is a drop-in replacement for ring that provides FIPS support.

The tough crate is also considering performing the same change.

I still think we should drop the pure-rust libraries and support either ring or aws-lc-rs.

viccuad commented 2 days ago

> I still think we should drop the pure-rust libraries and support either ring or aws-lc-rs.

It seems that aws-lc-rs is finicky for Windows builds. Since they are drop-in replacements, I think it would be a good idea to provide a feature for selecting between them.
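The feature-flag approach proposed above, sketched as an added Cargo.toml fragment (not code from the sigstore-rs project or from anyone in this thread). It assumes the crate depends on rustls 0.23, whose `ring`, `aws_lc_rs` and `fips` feature names are used here and should be checked against whatever rustls version is actually pinned; the version numbers and the choice of `ring` as the default are placeholders, not project decisions.

```toml
# Hypothetical Cargo.toml fragment: expose the backend choice as two cargo
# features that forward to the matching rustls features, so the crate and
# rustls always agree on a single crypto provider.
[features]
# `ring` is picked as the default here only because this thread reports
# aws-lc-rs build trouble on Windows; the project may prefer the opposite.
default = ["ring"]

# Each feature enables the matching optional dependency and the rustls
# feature of the same backend.
ring = ["dep:ring", "rustls/ring"]
aws-lc-rs = ["dep:aws-lc-rs", "rustls/aws_lc_rs"]

# FIPS mode is only meaningful with the aws-lc-rs backend, so it implies it.
# `aws-lc-rs?/fips` is a weak feature: it enables fips on aws-lc-rs without
# pulling aws-lc-rs in by itself.
fips = ["aws-lc-rs", "rustls/fips", "aws-lc-rs?/fips"]

[dependencies]
# Placeholder versions; pin to what the project actually uses.
ring = { version = "0.17", optional = true }
aws-lc-rs = { version = "1", optional = true }
rustls = { version = "0.23", default-features = false, features = ["std", "tls12"] }
```

Cargo features are additive and unify across the dependency graph, so nothing here prevents a downstream crate from enabling both `ring` and `aws-lc-rs` at once; rustls handles that case by building both providers and requiring the process to install one explicitly, and a crate using this layout would typically either document that rule or guard against the dual selection with a `compile_error!` in its crate root.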